[rancid] clogin + ssh: stuck at fingerprint verification
heasley
heas at shrubbery.net
Fri May 19 21:47:21 UTC 2017
Fri, May 19, 2017 at 10:05:38AM +0200, Patrik Lundin:
> On Thu, May 18, 2017 at 05:05:49PM +0200, Jean Benoit wrote:
> > On Thu, May 18, 2017 at 04:43:57PM +0200, Patrik Lundin wrote:
> > > [...] Has anyone struggled with something like this before?
> >
> > If the risk of man in the middle attacks is acceptable, you could remove
> > fingerprinting :
> >
> > add method * {ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no}
> >
>
> Thank you for the input, I prefer to utilize fingerprint verification whenever
> I can however.
>
> On Thu, May 18, 2017 at 03:26:25PM +0000, Charles T. Brooks wrote:
> > Whenever you change a host key, put the new key in the known_hosts file on
> > the rancid server. Don't use rancid to defeat a reasonable security measure.
> > Silently deactivating the SSH warning is bad policy.
> >
>
> Right, I agree with this position in general, but managing the host key
> separately only hides what I perceive as the bigger issue.
>
> Actually my question is not so much "how do I avoid/fix this specific problem"
> as it is "is it possible assumptions made in the clogin code no longer hold
> true" which potentially could undermine its operation in general.
I think there was another change that caused this to surface. Anyway, I
believe I have already fixed this and it is included in rancid-3.6:
*login: change handling of ssh key-related prompts to one line at a time
to eliminate timing-related problem.
> It is obvious the pattern matching in the code is based on the fact that all
> text ends up in the buffer. I have seen that on the affected systems this is not
> always true.
>
> Maybe someone more well versed in expect internals could chime in :).
>
> --
> Patrik Lundin
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
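The thread contrasts two ways of dealing with the host-key prompt: the `add method` line above, which disables host key checking entirely (and with it any protection against a man-in-the-middle), and Charles' suggestion of putting each new or changed key into the known_hosts file that the rancid user's ssh reads. The example below is an added illustration of the second approach, not code from rancid or from anyone in the thread: it computes the OpenSSH `SHA256:` fingerprint of a public key blob the way `ssh-keygen -lf` prints it, compares it with a fingerprint obtained out of band (console, inventory), and only then writes or replaces that host's known_hosts entry. It also builds the hardened `.cloginrc` method line that pins clogin to a managed known_hosts file with `StrictHostKeyChecking=yes`. The sample key, hostnames and file path are constructed for the example.

```python
"""Out-of-band host key verification for the known_hosts file used by clogin.

Added example, not part of rancid. The sample key, hostnames and the
known_hosts path are constructed values.
"""
import base64
import hashlib

# The weak method from the thread: every connection trusts whatever key is offered.
WEAK_METHOD = (
    "add method * {ssh -o UserKnownHostsFile=/dev/null "
    "-o StrictHostKeyChecking=no}"
)


def hardened_method(known_hosts_path: str) -> str:
    """Build a .cloginrc method line that pins hosts to a managed known_hosts
    file and makes ssh refuse unknown or changed keys instead of prompting."""
    return (
        "add method * {ssh -o UserKnownHostsFile=%s "
        "-o StrictHostKeyChecking=yes}" % known_hosts_path
    )


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length)."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: an ssh-ed25519 public key blob (32-byte key of 0x42),
# base64-encoded exactly as it appears in the third field of a known_hosts line.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BLOB).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """Return the OpenSSH fingerprint of a base64 public key blob:
    "SHA256:" + base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Split a plain known_hosts line into (hostnames, key type, key b64).
    Comment lines and @marker lines are rejected as unsupported here."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("unsupported known_hosts line: %r" % line)
    return fields[0].split(","), fields[1], fields[2]


def verify_and_build_entry(host: str, keytype: str, key_b64: str,
                           expected_fp: str) -> str:
    """Return a known_hosts line for host if the key's fingerprint matches the
    value obtained out of band; raise otherwise so nothing is silently trusted."""
    actual = fingerprint_sha256(key_b64)
    if actual != expected_fp:
        raise ValueError(
            "host key mismatch for %s: got %s, expected %s"
            % (host, actual, expected_fp)
        )
    return "%s %s %s" % (host, keytype, key_b64)


def update_known_hosts(lines, host: str, keytype: str, key_b64: str,
                       expected_fp: str):
    """Replace (or add) host's entry after verification, so a legitimate key
    change is recorded explicitly rather than waved through. Lines that do not
    parse (comments, markers) are kept untouched."""
    new_entry = verify_and_build_entry(host, keytype, key_b64, expected_fp)
    kept = []
    for line in lines:
        try:
            hosts, _, _ = parse_known_hosts_line(line)
        except ValueError:
            kept.append(line)  # comment or marker line: leave as-is
            continue
        if host not in hosts:
            kept.append(line)
    return kept + [new_entry]


if __name__ == "__main__":
    # Constructed fingerprint "from the console" is just the computed one here.
    fp = fingerprint_sha256(SAMPLE_KEY_B64)
    existing = ["# managed by the network team",
                "rtr1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEY"]
    print(hardened_method("/var/rancid/.ssh/known_hosts"))
    for entry in update_known_hosts(existing, "rtr1.example.net",
                                    "ssh-ed25519", SAMPLE_KEY_B64, fp):
        print(entry)
```

The fingerprint you compare against must come from somewhere other than the SSH session itself (the device console, a serial capture at provisioning, the inventory system); otherwise the check only confirms that the key you fetched is the key you fetched. Running clogin with the hardened method line means a changed key fails the login rather than hanging at a prompt, which is the point: the failure is visible in rancid's output and can be acted on.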