Bug 2115246
| Summary: | ssh connect gives strange error in update_known_hosts | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Dr. Stephan Wonczak <wonczak> |
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | CLOSED ERRATA | QA Contact: | Marek Havrila <mhavrila> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | CentOS Stream | CC: | bstinson, jjelen, jwboyer, lilu, mhavrila |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-15 11:21:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dr. Stephan Wonczak
2022-08-04 08:29:01 UTC
Hi everyone,

A bit of playing around made this bug even weirder: started with an empty known_hosts-file. "remote-A" and "remote-B" refer to two different remote hosts. Same user/credentials are used for both hosts; logins work in all cases, even if the "memory error" pops up.

1. login to remote-A: New key is written to local known_hosts, no error
2. login to remote-A (gives memory-allocation error, as described above)
3. login to remote-B: New key is written to known_hosts, no error
4. login to remote-A (mem-alloc-error)
5. login to remote-A.domain (i.e. with FQDN): New key is written to known_hosts, no error
6. login to remote-A (short name) (NO ERROR!)
7. login to remote-B (mem-alloc error)
8. login to remote-B.domain: New key is written to known_hosts, no error
9. login to remote-B (NO ERROR)

After this experiment, known_hosts looks like this:

```
remote-A <key>
remote-B <key>
remote-A.domain <key>
remote-B.domain <key>
```

If I try the same with remote-C, it gives this memory-allocation error as long as it is contained only -once- inside known hosts. As soon as there are -two- (or more) lines, everything looks fine.

What are the RHEL (if any) and OpenSSH versions on RemoteA and RemoteB? Could you also check if switching the crypto policy to DEFAULT:SHA1 or LEGACY resolves the issue?

Both remote servers are RHEL-7 systems, running openssh-server-7.4p1-22.el7_9.x86_64. Switching the crypto policy makes no difference - first tests were during "DEFAULT" (with SHA1 disabled). I then switched to "LEGACY" since I needed connectivity to older systems (RHEL-6). The error is independent of the remote server, since it tries to update the local user's .ssh/known_hosts-file.

Update: A new OpenSSH-Version arrived today - openssh-8.7p1-21.el9.x86_64. The issue is -NOT- resolved, however, and still easily reproducible.

Are the remote keys RSA only?

Yes - but this should not really matter since I am -not- using the keys for login. The problem is strictly local when ssh attempts to update the local known_hosts.

To me, the symptoms look like an off-by-one, and I am somehow able to trigger this in my machine. I strongly suspect we try to allocate memory for 0 keys and it causes this error, but I didn't check it yet.

Just for kicks I did a bit of experimenting: I booted a Fedora-36-Live image and tested there. No errors! However, the local known_hosts had -three- entries after the single login, as opposed to the single one on my current Centos-9-Stream. I also tested a Rocky-Linux-9 Live image. This throws yet another error. I will summarize how the outcome of a single login (which always gives me a working connection, by the way) in all cases looks like:

CentOS 9 Stream (completely updated)

Error during login to remote:

```
update_known_hosts: hostfile_replace_entries failed for /home/sws/.ssh/known_hosts: memory allocation failed
[user@local ~]$ ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
[user@local ~]$ cat .ssh/known_hosts
remote ssh-ed25519 AAA(...)
```

Fedora 36 Live image

Error during login to remote: NONE

```
[liveuser@localhost-live ~]$ ssh -V
OpenSSH_8.8p1, OpenSSL 3.0.2 15 Mar 2022
[liveuser@localhost-live ~]$ cat .ssh/known_hosts
remote ssh-ed25519 AAA(...)
remote ssh-rsa AAA(...)
remote ecdsa-sha2-nistp256 AAA(...)
```

Rocky 9 live

Error during login to remote:

```
client_global_hostkeys_private_confirm: server gave bad signature for RSA key 0: error in libcrypto
[liveuser@localhost-live ~]$ ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
[liveuser@localhost-live ~]$ cat .ssh/known_hosts
remote ssh-ed25519 AAA(...)
```

The error itself is completely misleading. It happens when we try to add ssh-rsa hostkey to known_hosts. There was an upstream commit to fix this issue: https://github.com/openssh/openssh-portable/commit/8832402bd500d1661ccc80a476fd563335ef6cdc

I'm going to make a fresh build including this commit, so could you please try it when it lands to Fedora?

Sure, if you have an RPM for me to try out, I am game. Just send a link :-) Note, however, I am on CentOS 9 Stream, not Fedora.

Just built -22 with this fix. I think it will be available via CentOS stream relatively soon.

To report back: openssh-8.7p1-22.el9.x86_64 landed today. Bug is fixed in this build. Login to the remote host no longer gives an error, and .ssh/known_hosts is updated with the second key. No more memory allocation failures. This Bug can be marked as resolved.

Many thanks for confirmation!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openssh bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8375
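The whole thread turns on one bookkeeping step: after a successful login the client notices that the server presents host keys (here ssh-rsa and ecdsa) that the local known_hosts does not yet list for that host, and rewrites the host's entries to the full key set; on Fedora 36 this left three lines for a single login, while the CentOS build failed inside hostfile_replace_entries when the host had exactly one existing line. The Python below is an added example, not code from OpenSSH or from the Red Hat package: it models that replace step over a constructed sample file, treating zero, one and many existing lines identically and leaving unrelated lines (other hosts, comments, entries for shared addresses) intact. Host names, the 192.0.2.10 address and the key blobs are placeholders; hashed host names (`|1|...`) are kept as opaque patterns that never match a literal name.

```python
"""Model of the known_hosts update step discussed in this bug.

Added example, not OpenSSH or Red Hat code. Given the keys a server presents,
replace the host's existing lines with the full set and keep every other line.
"""
from typing import List, NamedTuple, Optional, Tuple


class HostKeyEntry(NamedTuple):
    marker: str               # "@cert-authority", "@revoked" or ""
    hosts: Tuple[str, ...]    # the comma-separated host patterns, split
    key_type: str             # e.g. "ssh-ed25519", "ssh-rsa"
    key_b64: str              # base64 key blob as written in the file
    comment: str              # trailing comment, possibly empty


def parse_line(line: str) -> Optional[HostKeyEntry]:
    """Parse one known_hosts line; None for blank, comment or malformed lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = fields.pop(0) if fields[0].startswith("@") else ""
    if len(fields) < 3:          # need at least hosts, key type and key blob
        return None
    return HostKeyEntry(marker, tuple(fields[0].split(",")), fields[1], fields[2],
                        " ".join(fields[3:]))


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def format_entry(e: HostKeyEntry) -> str:
    parts = ([e.marker] if e.marker else []) + [",".join(e.hosts), e.key_type, e.key_b64]
    if e.comment:
        parts.append(e.comment)
    return " ".join(parts)


def key_types_for_host(entries: List[HostKeyEntry], host: str) -> List[str]:
    """Key types recorded for a literal host name (CA and revoked lines excluded)."""
    return [e.key_type for e in entries if host in e.hosts and not e.marker]


def replace_entries_for_host(text: str, host: str,
                             new_keys: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Rewrite `text` so `host` has exactly the (type, b64) pairs in `new_keys`.

    A line listing several hosts keeps the others; a line whose only host was
    `host` is dropped. Zero, one or many existing lines take the same path.
    Returns (new_text, number_of_existing_lines_touched).
    """
    out: List[str] = []
    touched = 0
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None or e.marker or host not in e.hosts:
            out.append(raw)                      # unrelated line: keep verbatim
            continue
        touched += 1
        remaining = tuple(h for h in e.hosts if h != host)
        if remaining:                            # keep the line for the other hosts
            out.append(format_entry(e._replace(hosts=remaining)))
    for key_type, key_b64 in new_keys:
        out.append(format_entry(HostKeyEntry("", (host,), key_type, key_b64, "")))
    return "\n".join(out) + "\n", touched


# Constructed sample file; names, address and key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# client known_hosts after the first logins in the thread (constructed)
remote-A ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyA
remote-B,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyB
remote-A.domain ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyA
"""

# Key set a server with three host key types would present (constructed blobs).
OFFERED_KEYS_A = [
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyA"),
    ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRsaA"),
    ("ecdsa-sha2-nistp256", "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPlaceholderEcdsaA"),
]


def demo() -> Tuple[List[str], List[str]]:
    """Key types for remote-A before and after the update: one line, then three."""
    before = key_types_for_host(parse_known_hosts(SAMPLE_KNOWN_HOSTS), "remote-A")
    updated, _ = replace_entries_for_host(SAMPLE_KNOWN_HOSTS, "remote-A", OFFERED_KEYS_A)
    after = key_types_for_host(parse_known_hosts(updated), "remote-A")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the shape of the Fedora result from the thread: remote-A starts with a single ssh-ed25519 line and ends with ssh-ed25519, ssh-rsa and ecdsa-sha2-nistp256 lines, while remote-B, remote-A.domain and the comment line are untouched. The function to watch when auditing a client is `key_types_for_host`: a host recorded under a single key type is exactly the state in which the affected 8.7p1 build produced the misleading "memory allocation failed" message.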