Bug 1631970

Summary: openssh host identification changed - without actually changing
Product: [Fedora] Fedora Reporter: Yanko Kaneti <yaneti>
Component: crypto-policiesAssignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: code, crypto-team, jjelen, kevin, lef, leftmostcat, mailinglists35, nmavrogi, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: crypto-policies-20180925-1.git71ca85f.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-27 18:01:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yanko Kaneti 2018-09-22 16:37:03 UTC 
Description of problem:
Updating to the new crypto-policies leads to host misidentification and misleading ssh warnings

debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to kofa1:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:kwGqH9flGj3Na8peLf7Emhe5UNR7RBBUlIDy5lOJTLI
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.....

The remote host is present in known hosts as 
kofa1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP9xPHvKnYNvoUQOEbnpEE6jdFeVnpI2MLvymXk7HdLcbBfG2Z/BpK5jdjSZIj0i9UoL01F3WIR2TCf5hK/OOSs=



Version-Release number of selected component (if applicable):
crypto-policies-20180921-2.git391ed9f.fc30

The system policy is LEGACY
Comment 1 Yanko Kaneti 2018-09-22 16:45:21 UTC 
Forgot to mention that I have two different hosts with ecdsa-sha2-nistp256 keys  exhibiting the same problem , one Fedora , the other Junos. So I'd assume its not a server misconfiguration problem.
Comment 2 Yanko Kaneti 2018-09-22 17:32:51 UTC 
Please consider that even if the policy change would require changing the previously used keys the user experience of warnings about host identity changing is not at all optimal.  You might want to throw this to openssh.
Comment 3 Jakub Jelen 2018-09-24 07:53:40 UTC 
This is related to the

https://gitlab.com/redhat-crypto/fedora-crypto-policies/merge_requests/28/

Without the explicit specification of the algorithm list, OpenSSH client will prefer the host key algorithms that it has the known hosts for.

The new explicit ordering prefers RSA keys and ECDSA and ED25519 are after that. I am not sure about other protocols (TLS), but I assume that elliptic curves should come before RSA, if there is no good reason for the opposite ordering.
Comment 4 Mai Ling 2018-09-24 08:08:26 UTC 
this change is disruptive. please revert. do your defaults for *NEW* connections but please *DO*NOT* BREAK existing saved keys, because I wasted time searching for potential wifi hijackers until I found this issue.

please don't go with this state in fedora release
Comment 5 Mai Ling 2018-09-24 08:09:49 UTC 
using fc29 here
Comment 6 Mai Ling 2018-09-24 08:14:56 UTC 
if you put this in release you will get torrents of floods of thousands angry innocent users. and that's bad for your karma.
Comment 7 Mai Ling 2018-09-24 19:31:18 UTC 
meanwhile workaround:

1. grep your saved host in ~/.ssh/known_hosts

2. extract the second field

3. ssh -o HostKeyAlgorithms=$(value from step 2) user@host
Comment 8 Fedora Update System 2018-09-25 11:40:36 UTC 
crypto-policies-20180925-1.git71ca85f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-95580e520c
Comment 9 Daniel 2018-09-25 12:19:15 UTC 
This change is incredibly disruptive and should be reverted.
Comment 10 Tomas Mraz 2018-09-25 12:31:51 UTC 
It is reverted in the update in comment 8.
Comment 11 Fedora Update System 2018-09-27 02:10:39 UTC 
crypto-policies-20180925-1.git71ca85f.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-95580e520c
Comment 12 Fedora Update System 2018-09-27 18:01:28 UTC 
crypto-policies-20180925-1.git71ca85f.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.