[Pkg-ltsp-devel] Bug#783606: Bug#783606: Host not saved into known_hosts

Petter Reinholdtsen pere at hungry.com
Wed May 6 10:23:14 UTC 2015


[Petr Šťastný]
> I just dug more deeply into this problem.
>
> First problem: I found that pam_sshauth reads
> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page and I
> was not able to figure out which known_hosts file is used. I had to
> have a look into the source code.

Good to hear that it is reading the global file.

> Second problem: pam_sshauth seems not to write anything into
> /etc/ssh/ssh_known_hosts although manual page states that "If
> contacting a host for which we don't have an entry in known_hosts,
> ask, via the pam prompts, if you'd like to trust this host, and add it
> to your known_hosts file.  The default will be to fail the
> authentication." I interpret this information as it should add the
> host into ssh_known_hosts when I say "yes". But there is nothing about
> saving the host key in pam_sshauth's source code.

Good to see that it is not writing in the global file.  I suspect it
should be made clear in the documentation.  That global file should be
updated "out of band" like you describe here:

> Third and main problem: pam_sshauth does not work with hashed
> known_hosts entries, which is default behavior in Debian Jessie (at
> least, I don't know the situation in previous releases).
>
> If I create /etc/ssh/ssh_known_hosts manually using the following
> command, it works:
>
> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>
> But this (which is the Debian Jessie default) does not work (the host
> name/address output is hashed) - pam_sshauth ignores these entries:
>
> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts

I guess this is the real missing feature here.  The pam module should
understand the same global known_hosts file as the ssh client.

I would also suggest changing the documentation to document that the
ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and removing
the prompt about adding the host key to a file.

-- 
Happy hacking
Petter Reinholdtsen
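The third problem in the quoted report (hashed entries being ignored) comes down to how the host field of a known_hosts line is matched. The Python below is an added illustration, not code from pam_sshauth, OpenSSH or the Debian package: it parses a small known_hosts file containing both a plain entry (as written by `ssh-keyscan`) and a hashed entry (as written by `ssh-keyscan -H`), and shows that a consumer which only compares the host field as a string misses the hashed line, while one that recomputes OpenSSH's hash form (`|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`) finds it. The addresses, the salt and the key blob are constructed placeholders; wildcard, negated and `@cert-authority` patterns are deliberately not handled.

```python
"""Look up a host key in an ssh_known_hosts file, honouring HashKnownHosts entries.

Added example (not part of pam_sshauth). Sample data below is constructed.
"""
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return OpenSSH's hashed host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """True if hostname matches one known_hosts host field (plain, comma list, or hashed)."""
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = host_field.split("|", 3)
            salt = base64.b64decode(salt_b64)
        except ValueError:
            return False  # malformed hashed field: treat as no match
        expected = base64.b64encode(
            hmac.new(salt, hostname.encode(), hashlib.sha1).digest()).decode()
        return hmac.compare_digest(expected, digest_b64)
    # Plain form may list several names/addresses separated by commas.
    return hostname in host_field.split(",")


def parse_known_hosts(text: str):
    """Return (host_field, key_type, key_b64) for each entry line, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            # @cert-authority / @revoked markers are out of scope here; drop the marker.
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def naive_lookup_host_key(text: str, hostname: str, key_type: str):
    """The failing behaviour: plain string comparison of the host field only."""
    for host_field, ktype, key_b64 in parse_known_hosts(text):
        if ktype == key_type and host_field == hostname:
            return key_b64
    return None


def lookup_host_key(text: str, hostname: str, key_type: str):
    """Return the base64 key for hostname/key_type, matching plain and hashed entries."""
    for host_field, ktype, key_b64 in parse_known_hosts(text):
        if ktype == key_type and host_matches(host_field, hostname):
            return key_b64
    return None


# Constructed sample data: not a real key, not a real host, fixed salt for reproducibility
# (ssh-keyscan -H uses a random 20-byte salt per line).
FIXED_SALT = bytes(range(20))
SERVER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, as written by: ssh-keyscan 192.0.2.10",
    "192.0.2.10 ssh-ed25519 " + SERVER_KEY,
    "# hashed entry, as written by: ssh-keyscan -H 192.0.2.20",
    hash_hostname("192.0.2.20", FIXED_SALT) + " ssh-ed25519 " + SERVER_KEY,
])


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(host,
              "naive:", naive_lookup_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519"),
              "hash-aware:", lookup_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519"))
```

Run as a script it prints that the naive lookup finds only 192.0.2.10 while the hash-aware lookup finds both listed hosts and neither finds 192.0.2.30. The HMAC key is the salt and the message is the hostname exactly as it would appear in a plain entry (so a non-default port is hashed as `[host]:port`), which is why a consumer cannot recover the hostname from the file and must test each hashed line against the host it is about to contact.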


