Bug 1090462

Summary: There is no SSH fingerprint key warning, while installing agent on remote box via GUI
Product: [Other] RHQ Project
Reporter: Jeeva Kandasamy <jkandasa>
Component: Core UI
Assignee: John Mazzitelli <mazz>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: unspecified
Priority: unspecified
Version: 4.11
CC: hrupp
Target Milestone: GA
Target Release: RHQ 4.11
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-21 10:14:01 UTC
Type: Bug
Bug Blocks: 1070242

Description Jeeva Kandasamy 2014-04-23 11:37:46 UTC
Description of problem:
There is no SSH fingerprint key warning while installing an agent on a remote box via the GUI.
If we connect to the remote box via SSH for the first time, it should display a warning message similar to the one below, but there is no warning message; it simply connects.

Sample Warning Message,
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is e3:75:ad:fa:93:b8:23:8c:c2:6a:b1:5d:aa:e3:bb:e6.
Are you sure you want to continue connecting (yes/no)?

Version-Release number of selected component (if applicable):
Version : 4.11.0-SNAPSHOT
Build Number : 1bc9904
GWT Version : 2.5.0
SmartGWT Version : 3.0

How reproducible:
always

Steps to Reproduce:
1. Navigate to "Administration-->Agents-->New"
2. Give remote box authentication details and do install or Agent status


Actual results:
There is no warning for the fingerprint, even though the entry is not there under the known_host list.

Expected results:
Should display warning message.

Comment 1 John Mazzitelli 2014-04-23 15:56:02 UTC
We turn off StrictHostKeyChecking - so it doesn't perform the additional check that you are referring to. Is this a requirement in the PRD? I didn't see this explicitly spelled out, so did not think this was a hard requirement to implement.

If this isn't a hard requirement, we can close this as working-as-expected.

Comment 2 John Mazzitelli 2014-05-01 23:55:17 UTC
git commit to master: b041f7751a0d6858dfad65553a9899710c65d6c5

StrictHostKeyChecking is back on. We now pop up a dialog warning the user if we've never seen this host before OR we have but its fingerprint is now different (which could mean a man-in-the-middle attack or just that the key was changed). The user is given the option to authenticate the host fingerprint and continue, or to abort.

The known host keys are stored in the RHQ Server's data/ directory in the file rhq_known_hosts (that is, jbossas/standalone/data/rhq_known_hosts).

To test and verify this BZ is fixed, you'll want to look in that file as hosts are authenticated. You can also delete and put in wrong keys to see the behavior when keys are missing or changed.
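
The three outcomes Comment 2 describes (host never seen, host seen with a different key, host seen with the same key), as an added example that is not RHQ's code. It assumes rhq_known_hosts uses the OpenSSH known_hosts line format, which the page does not state; the host names and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a base64 key blob (format of the sample warning)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hmac form."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'changed' (same host and key type, different key) or 'unknown'."""
    offered = base64.b64decode(key_b64)
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, malformed lines and @marker lines (not handled here).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if hmac.compare_digest(base64.b64decode(fields[2]), offered):
            return "match"
        seen = True  # host is listed for this key type, but with another key
    return "changed" if seen else "unknown"

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample data: these blobs are placeholders, not real SSH keys.
KEY_A = _b64(b"constructed host key A")
KEY_B = _b64(b"constructed host key B")
SALT = b"constructed-salt"
HASHED = "|1|%s|%s" % (_b64(SALT), _b64(hmac.new(SALT, b"db.example.test", hashlib.sha1).digest()))
SAMPLE = ("# constructed rhq_known_hosts content\n"
          "app.example.test,192.0.2.10 ssh-rsa %s\n%s ssh-rsa %s\n" % (KEY_A, HASHED, KEY_A))

if __name__ == "__main__":
    for host, key in [("app.example.test", KEY_A), ("app.example.test", KEY_B),
                      ("new.example.test", KEY_A)]:
        print(host, md5_fingerprint(key), check_host_key(SAMPLE, host, "ssh-rsa", key))
```

Both "changed" and "unknown" are the cases where the dialog should appear; only "match" should connect without prompting.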

Comment 3 Jeeva Kandasamy 2014-05-21 09:37:34 UTC
Verified SSH fingerprint key. This build is giving the warning dialog as well as the key-changed warning message.


Version Information:

Browser: Firefox 29.0
OS: Linux 64 Bit


RHQ Server:
-------------------------
Version : 4.11.0-SNAPSHOT
Build Number : b041f77
GWT Version : 2.5.0
SmartGWT Version : 3.0

Comment 4 Heiko W. Rupp 2014-07-21 10:14:01 UTC
Bulk closing of RHQ 4.11 issues, now that RHQ 4.12 is out.

If you find an issue with those, please open a new BZ, linking to the old one.