Bug 1090462 - There is no SSH fingerprint key warning, while installing agent on remote box via GUI
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core UI
Version: 4.11
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: GA
: RHQ 4.11
Assignee: John Mazzitelli
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks: JON3-30, PRODMGT-542
Reported: 2014-04-23 11:37 UTC by Jeeva Kandasamy
Modified: 2014-07-21 10:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-21 10:14:01 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1091407 0 unspecified NEW Key authentication should be implemented in Remote Agent installation GUI page 2022-03-31 04:28:30 UTC

Internal Links: 1091407

Description Jeeva Kandasamy 2014-04-23 11:37:46 UTC
Description of problem:
There is no SSH fingerprint key warning while installing an agent on a remote box via the GUI.
If we connect to the remote box via SSH for the first time, it should display a warning message similar to the one below, but there is no warning message; it simply connects.

Sample Warning Message,
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is e3:75:ad:fa:93:b8:23:8c:c2:6a:b1:5d:aa:e3:bb:e6.
Are you sure you want to continue connecting (yes/no)?

Version-Release number of selected component (if applicable):
Version : 4.11.0-SNAPSHOT
Build Number : 1bc9904
GWT Version : 2.5.0
SmartGWT Version : 3.0

How reproducible:
always

Steps to Reproduce:
1. Navigate to "Administration-->Agents-->New"
2. Give remote box authentication details and do install or Agent status


Actual results:
There is no warning for the fingerprint, even though the entry is not in the known_host list.

Expected results:
Should display warning message.

Comment 1 John Mazzitelli 2014-04-23 15:56:02 UTC
We turn off StrictHostKeyChecking - so it doesn't perform the additional check that you are referring to. Is this a requirement in the PRD? I didn't see this explicitly spelled out, so did not think this was a hard requirement to implement.

If this isn't a hard requirement, we can close this as working-as-expected.

Comment 2 John Mazzitelli 2014-05-01 23:55:17 UTC
git commit to master: b041f7751a0d6858dfad65553a9899710c65d6c5

StrictHostKeyChecking is back on. We now pop up a dialog warning the user if we've never seen this host before OR we have but its fingerprint is now different (which could mean a man-in-the-middle attack or just that the key was changed). The user is given the option to authenticate the host fingerprint and continue, or to abort.

The known host keys are stored in the RHQ Server's data/ directory in the file rhq_known_hosts (that is, jbossas/standalone/data/rhq_known_hosts).

To test and verify this BZ is fixed, you'll want to look in that file as hosts are authenticated. You can also delete and put in wrong keys to see the behavior when keys are missing or changed.
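
The decision described in Comment 2 (unknown host, changed fingerprint, or match, with the user's answer deciding whether the key is stored), as an added Python example that is not RHQ's code. It assumes the store uses OpenSSH-style `host keytype base64key` lines, which the page does not state; the function names and the `confirm` callback are hypothetical.

```python
import base64
import hashlib
import os
import tempfile

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the raw key blob, the format shown in the sample warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_host_key(store_path, host, key_type, key_b64):
    """Return 'unknown', 'changed' or 'match' for the key the remote host presented."""
    state = "unknown"
    if not os.path.exists(store_path):
        return state
    with open(store_path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.split()
            if len(fields) < 3 or fields[0].startswith("#"):
                continue  # blank, comment or malformed line
            if host not in fields[0].split(",") or fields[1] != key_type:
                continue
            if fields[2] == key_b64:
                return "match"
            state = "changed"  # same host and key type, different key
    return state

def connect_decision(store_path, host, key_type, key_b64, confirm):
    """Proceed on a match; otherwise ask the user and store the key only on 'yes'."""
    state = check_host_key(store_path, host, key_type, key_b64)
    if state == "match":
        return True
    if not confirm(host, state, md5_fingerprint(key_b64)):
        return False  # abort: the store is left untouched
    kept = []
    if os.path.exists(store_path):  # drop the stale entry for this host and key type
        with open(store_path, encoding="utf-8") as fh:
            kept = [l for l in fh if l.split()[:2] != [host, key_type]]
    with open(store_path, "w", encoding="utf-8") as fh:
        fh.writelines(kept + [f"{host} {key_type} {key_b64}\n"])
    return True

if __name__ == "__main__":
    # Constructed sample: arbitrary bytes stand in for host key blobs.
    store = os.path.join(tempfile.mkdtemp(), "rhq_known_hosts")
    key_a, key_b = (base64.b64encode(b).decode() for b in (b"constructed-key-A", b"constructed-key-B"))
    ask = lambda host, state, fp: print(f"{host}: {state} host key, MD5 {fp}") or True
    for key in (key_a, key_a, key_b):  # first contact, repeat contact, changed key
        print(connect_decision(store, "192.0.2.10", "ssh-rsa", key, ask))
```

Hashed host names and multi-host lines are not rewritten by this example; a stale multi-host entry stays in the file and the newly accepted key is appended after it.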

Comment 3 Jeeva Kandasamy 2014-05-21 09:37:34 UTC
Verified SSH fingerprint key. This build gives a warning dialog as well as a key-changed warning message.


Version Information:

Browser: Firefox 29.0
OS: Linux 64 Bit


RHQ Server:
-------------------------
Version : 4.11.0-SNAPSHOT
Build Number : b041f77
GWT Version : 2.5.0
SmartGWT Version : 3.0

Comment 4 Heiko W. Rupp 2014-07-21 10:14:01 UTC
Bulk closing of RHQ 4.11 issues, now that RHQ 4.12 is out.

If you find an issue with those, please open a new BZ, linking to the old one.

