[rancid] clogin + ssh: stuck at fingerprint verification

Patrik Lundin patrik at sigterm.se
Fri May 19 08:05:38 UTC 2017


On Thu, May 18, 2017 at 05:05:49PM +0200, Jean Benoit wrote:
> On Thu, May 18, 2017 at 04:43:57PM +0200, Patrik Lundin wrote:
> > [...] Has anyone struggled with something like this before?
> 
> If the risk of man in the middle attacks is acceptable, you could remove
> fingerprinting :
> 
>   add method     * {ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no}
> 

Thank you for the input, I prefer to utilize fingerprint verification whenever
I can however.

On Thu, May 18, 2017 at 03:26:25PM +0000, Charles T. Brooks wrote:
> Whenever you change a host key, put the new key in the known_hosts file on
> the rancid server.  Don't use rancid to defeat a reasonable security measure.
> Silently deactivating the SSH warning is bad policy.
> 

Right, I agree with this position in general, but managing the host key
separately only hides what I perceive as the bigger issue.

Actually my question is not so much "how do I avoid/fix this specific problem"
as it is "is it possible that assumptions made in the clogin code no longer hold
true", which potentially could undermine its operation in general.

It is obvious the pattern matching in the code is based on the fact that all
text ends up in the buffer. I have seen that on the affected systems this is not
always true.

Maybe someone more well versed in expect internals could chime in :).

-- 
Patrik Lundin
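The thread argues for keeping host-key verification rather than turning it off. As an added example (not code from rancid or from anyone in the thread), the following shows how the SHA256 fingerprint that OpenSSH prints at the verification prompt is derived from a known_hosts entry, and how a fingerprint pinned for a device can be checked against that entry. The known_hosts line and the ed25519 key blob are constructed here for illustration, not taken from a real device.

```python
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def parse_known_hosts_line(line: str):
    """Split a known_hosts line into (host list, declared key type, raw key blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a known_hosts entry: " + line)
    hosts, keytype, blob = parts[0].split(","), parts[1], base64.b64decode(parts[2])
    # The blob embeds its own type string; it must agree with the declared type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type mismatch in entry for " + parts[0])
    return hosts, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64 of sha256(blob) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, host: str, pinned_fp: str) -> bool:
    """True only if `host` is listed in the entry and its key has the pinned fingerprint."""
    hosts, _, blob = parse_known_hosts_line(line)
    return host in hosts and sha256_fingerprint(blob) == pinned_fp


# Constructed sample: a syntactically valid ssh-ed25519 blob with a dummy 32-byte
# public key (not a real device key), wrapped in a known_hosts line.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "router1.example.net,10.0.0.1 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_BLOB))
```

The value printed for a real entry is what `ssh-keygen -lf known_hosts -E sha256` reports, so a fingerprint recorded out of band can be compared with it before the rancid server's known_hosts is updated.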