Regression on known_hosts fingerprints management

[tomlaredo]

Description

Probably linked to #40005 and #40878

With Salt server and minion in version 2016.11.5, I experiment many problems with managing known_hosts fingerprints.

The code I provide was working some months ago (sorry for the imprecision, not sure about the version and time).

Error messages

Here are the errors I run into:

[WARNING ] Public Key hashing currently defaults to "md5". This will change to "sha256" in the Nitrogen release.
[ERROR   ] Remote host public key found but its fingerprint does not match one you have provided

Resulting in final message like this:

----------
          ID: known-hosts-server210
    Function: ssh_known_hosts.present
        Name: server210.rodacom.net
      Result: False
     Comment: Remote host public key found but its fingerprint does not match one you have provided
     Started: 17:12:28.007827
    Duration: 376.707 ms
     Changes:   

Setup

{% set allgrains = salt['mine.get']('*', 'grains.items') %}
{% for servname, servconf in pillar.servers|dictsort %}
{% if servconf.domain == grains.domain %}
{% set servfqdn = servname + '.' + servconf.domain %}
{% set fingerprint = allgrains.get(servfqdn, {}).get('ssh_fingerprint', '') %}
{% if fingerprint %}
known-hosts-{{ servname }}:
    ssh_known_hosts.present:
        - name: {{ servfqdn }}
        - user: intercom
        - fingerprint: {{ fingerprint }}
        - fingerprint_hash_type: sha256
        - unless:
            - ssh-keygen -H -f /srv/intercom/.ssh/known_hosts -F {{ servfqdn }}
{% endif %}
{% endif %}
{% endfor %}

[Ch3LL]

okay I think i can replicate this but i'm not certain on a couple areas of the change from md5 to sha256 in openssh. For example when I have installed openssh 6.8 or above when logging into the VM i see the format as such:

The authenticity of host 'test' can't be established.
ECDSA key fingerprint is SHA256:D0dyF7UZFm3wJTwuj2ROIFKLZLWrxz9u8E7+bekikJI.
ECDSA key fingerprint is MD5:f4:17:83:1b:d8:74:c7:33:bu:30:d0:f5:e2:d5:cd:56.

And int he release notes for openssh 6.8 they state the the key format has indeed changed here

Fingerprints now have the hash algorithm prepended. An example of
the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
Please note that visual host keys will also be different.

But when running the following state:

known-hosts-test:
    ssh_known_hosts.present:
        - name: test
        - user: ch3ll
        - fingerprint: D0dyF7UZFm3wJTwuj2ROIFKLZLWrxz9u8E7+bekikJI
        - fingerprint_hash_type: sha256

Its expecting a format such as: d2:6d:14:8d:15:93:2f:13:4e:f0:07:f5:ef:20:8b:z9:6c:e8:74:91:38:7d:2e:47:85:99:e9:66:5e:e3:a4:27

So I think this is hte issue is that we would need to change the code to expect the new format that openssh 6.8 added for sha256.

[Ch3LL]

i'm not sure whne you would have had this working because i'm still not seeing this working in 2016.11.4 which was the version it was added in, so maybe my analysis is incorrect.

[tomlaredo]

You're right, I tested it again and it appears that this state never worked at all.
Any news on this?

[Ch3LL]

ping @imankulov looks like you have done some work on this module any ideas on a fix to make sure we can use the new format included with openssh 6.8?

[guoxiaod]

it seems that we should convert sha256's base64 format to the xx:xx:xx:xx format:

ssh-keyscan -t <rsa|dsa|ecdsa|ed25519> hostname 2>/dev/null
| ssh-keygen -E sha256 -lf /dev/stdin
| awk '/SHA256/ { split($2, a, ":"); print a[2]}'
| base64 -d 2>/dev/null
| hexdump -e '/1 "%02x:"'
| sed -e 's/:$/\n/'

[Ch3LL]

want to take a go at a PR? seems you have a clear understanding of a possible fix

[xenadmin]

Is there any update to this? I'm currently building a PoC for our company and stumbled upon this error in the latest version of 2018.3.