Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ipv6: missing port in address #1

Closed
lonnywong opened this issue Jul 6, 2023 · 5 comments · Fixed by #2
Closed

ipv6: missing port in address #1

lonnywong opened this issue Jul 6, 2023 · 5 comments · Fixed by #2

Comments

@lonnywong
Copy link
Contributor

Using WriteKnownHost will get an entry with ipv6:

mbp.local,[fe80::abc:abcd:abcd:abcd%en0] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyN...

The next login fails:

knownhosts: /Users/lonny/.ssh/known_hosts:26: address [fe80::abc:abcd:abcd:abcd%en0]: missing port in address
@evanelias
Copy link
Contributor

Thank you for the issue report! After looking into this a bit, I suspect the root cause is actually golang/go#53463: in golang.org/x/crypto/ssh/knownhosts, the Normalize function doesn't correctly handle ipv6 addresses that use the standard port 22.

The WriteKnownHost function here in https://github.com/skeema/knownhosts currently relies on the value returned by that golang.org/x/crypto/ssh/knownhosts Normalize function as-is, but we could adjust this to work around golang/go#53463. I think it would just require a few lines of code to check for leading + trailing brackets, and stripping them if both are found, meaning it's an ipv6 address without a port specified.

I can try that on my end in a few days, or happy to accept a PR as long as it includes test coverage for that situation. Either way is fine. Thanks again for spotting this and reporting it!

@lonnywong
Copy link
Contributor Author

@evanelias Thanks for providing the detailed information. I will try to submit a PR tomorrow.

@evanelias
Copy link
Contributor

Thanks, sounds great!

I just realized that WriteKnownHost doesn't have its own unit test yet, so that might make test coverage for the change tricky. For now, one possible path could be to just create a new exported Normalize function, which wraps golang.org/x/crypto/ssh/knownhosts's Normalize but fixes its handling of ipv6. Then you could just add a unit test which covers Normalize, rather than having to write a unit test for all of WriteKnownHost.

Separate from the write path, there's also the question of how to handle existing ~/.ssh/known_hosts files which already have ipv6 entries with brackets but no port. We probably just need to require users to edit them by hand :(

In theory we could do something in New to handle this "missing port in address" error automatically (rewrite the file to a temp location with the problem fixed, and re-parse?) but that feels messy...

lonnywong added a commit to trzsz/knownhosts that referenced this issue Jul 7, 2023
@lonnywong
Copy link
Contributor Author

In theory we could do something in New to handle this "missing port in address" error automatically (rewrite the file to a temp location with the problem fixed, and re-parse?) but that feels messy...

If there is an invalid entry in the known hosts, everyone removes them on error.

It is probably not a good idea to modify the known hosts automatically without explicit authorization from the user.

I think adding a Fix function would be better than modifying the New function if you want to do it one day.

evanelias added a commit that referenced this issue Jul 7, 2023
Implement workaround in WriteKnownHost for IPv6 addresses. Closes #1
@evanelias
Copy link
Contributor

Yeah definitely agree that New shouldn't modify the known_hosts file automatically in-place. To clarify what I meant -- upon getting a "missing port in address" error, in theory New could read the full known_hosts file, attempt to write a "fixed" version of it to a temporary file (obtained from os.CreateTemp), pass that temporary file path to x/crypto/ssh/knownhosts, and then delete the temporary file afterwards.

This feels messy though, and also means any KeyError.Want.Filename values will be wrong (referring to the temp file instead of the real file). So I agree your suggestion of a separate Fix function may be a cleaner approach, if someone wants to automate this in the future.

lbedford pushed a commit to daedaleanai/knownhosts that referenced this issue Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants