Bug 1180209
| Summary: | lftp: saves unknown host's fingerprint in known_hosts without any prompt | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | carnil, fedora, jaskalnik, jrusnack, pertusus, thozza |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:37:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1180214 | ||
| Bug Blocks: | 1180211 | ||
Created lftp tracking bugs for this issue: Affects: fedora-all [bug 1180214] Steps to reproduce: $ lftp sftp://user@localhost lftp user@localhost:~> debug lftp user@localhost:~> ls (see comment 1) lftp-4.5.4-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. lftp-4.5.4-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. lftp-4.6.1-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. This issue affects the versions of lftp as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. |
It was reported [1] that lftp saves unknown host's fingerprint in known_hosts without any prompt: Original report: From the src/SSH_Access.cc file: 47: const char *y="(yes/no)?"; 73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len)) 74: { 75: pty_recv_buf->Put("yes\n"); 76: pty_send_buf->Put("yes\n"); 77: return m; 78: } Not only does it make a particular SFTP file transfer insecure, but also any future connection via any SSH client. After enabling debug (the "yes" answer generated automatically): #v+ $ lftp sftp://mszewczyk@localhost:22203 Password: lftp mszewczyk@localhost:~> debug lftp mszewczyk@localhost:~> ls ---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp) ---> sending a packet, length=5, type=1(INIT), id=0 <--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established. <--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d. <--- Are you sure you want to continue connecting (yes/no)? yes <--- <--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts. #v- This was reported to upstream as well: https://github.com/lavv17/lftp/issues/116 [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774769