X2Go Bug report logs - #241
Changed host key cannot be updated

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

To: submit@bugs.x2go.org

Subject: Changed host key cannot be updated

Date: Sun, 16 Jun 2013 14:36:32 +0200

Package: x2goclient
Version: 4.0.0.3
Severity: normal

Dear maintainer,

from time to time the SSH key used for identification by a X2GO server 
may change.

When trying to connect the server a pop up is shown:

"Anmeldung fehlgeschlagen"
"Host-Key des Servers hat sich geändert Er lautet jetzt:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Aus Sicherheitsgründen wird die Verbindung abgebrochen"

The user is left puzzled with what he should do next.

There is no indication in which file there is a problem, e.g.
~/.ssh/known_hosts
or
%APPDATA%\ssh\known_hosts

There is no indication which entry in this file is corrupted.

Deleting file known_hosts is a bad idea because it may contain the keys 
for dozens of validated servers.

There are examples of more informative output, e.g. from command line 
program ssh:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this 
message.
Offending RSA key in /home/user/.ssh/known_hosts:1
RSA host key for 10.0.0.5 has changed and you have requested strict 
checking.
Host key verification failed.

Here I can identify the filename: /home/user/.ssh/known_hosts
and the line of the the entry: 1

Manual editing of known_hosts is now possible but not too good an idea 
because it is error prone.

A good solution is what you see in PuTTY. A warning pop up is shown and 
you get the choice to update file known_hosts.

Best regards

Heinrich Schuchardt

Message #10 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Heinrich Schuchardt <xypron.glpk@gmx.de>, 241@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#241: Changed host key cannot be updated

Date: Fri, 21 Jun 2013 10:20:49 +0200

[Message part 1 (text/plain, inline)]

Hi Heinrich,

On So 16 Jun 2013 14:36:32 CEST Heinrich Schuchardt wrote:

> Dear maintainer,
>
> from time to time the SSH key used for identification by a X2GO  
> server may change.
>
> When trying to connect the server a pop up is shown:
>
> "Anmeldung fehlgeschlagen"
> "Host-Key des Servers hat sich geändert Er lautet jetzt:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
> Aus Sicherheitsgründen wird die Verbindung abgebrochen"
>
> The user is left puzzled with what he should do next.
>
> There is no indication in which file there is a problem, e.g.
> ~/.ssh/known_hosts
> or
> %APPDATA%\ssh\known_hosts
>
> There is no indication which entry in this file is corrupted.
>
> Deleting file known_hosts is a bad idea because it may contain the  
> keys for dozens of validated servers.
>
> There are examples of more informative output, e.g. from command  
> line program ssh:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
> Please contact your system administrator.
> Add correct host key in /home/user/.ssh/known_hosts to get rid of  
> this message.
> Offending RSA key in /home/user/.ssh/known_hosts:1
> RSA host key for 10.0.0.5 has changed and you have requested strict checking.
> Host key verification failed.
>
> Here I can identify the filename: /home/user/.ssh/known_hosts
> and the line of the the entry: 1
>
> Manual editing of known_hosts is now possible but not too good an  
> idea because it is error prone.
>
> A good solution is what you see in PuTTY. A warning pop up is shown  
> and you get the choice to update file known_hosts.
>
> Best regards

The above surely is a good point to discuss first before implementing.

Obviously, such a replace-host-key button would improve usability in  
case host key changes occur.

However, if someone captured DNS and replaced my X2Go server by an  
agressive X2Go server, I (as developer) surely want to protect the  
user from simply klicking ,,Yeah, ok man... replace that host key...  
and can we go on then please...''.

The SSH-unexperienced user (i.e. probably nearly everyone in the  
windows world) will then just simply click ,,replace host key''.

So, for me this kind of replace-host-key dialog should at least have a  
double confirmation check dialog: Are you sure to replace... -> Are  
you really sure???. That kind of thing.

Heinrich: if you could come up with a patch for this issue, it would  
surely speed up an inclusion of your requested feature.

@all: comments, opinions on such a new feature?

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 241@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#241: Bug#241: Changed host key cannot be updated

Date: Fri, 21 Jun 2013 10:53:24 +0200

[Message part 1 (text/plain, inline)]

Hi Stefan, hi Heinrich,

On Fr 21 Jun 2013 10:42:12 CEST Stefan Baur wrote:

> Am 21.06.2013 10:20, schrieb Mike Gabriel:
>
>> @all: comments, opinions on such a new feature?
>
> This has been discussed previously on the list - I believe it was  
> before the introduction of X2Go-BTS, which is why there's no  
> bug/ticket regarding it.
> Subject was: "Feature Request: update ssh public key fingerprint  
> from within x2goclient"
> Date: 2012-02-17 14:41
> Message-ID: <4F3E58FE.1050502@stefanbaur.de>
>
> We need to find a middle ground between the current "No soup for  
> you!" and the way-too-easy "Update host key [Y]/n" prompt.
>
> My suggestion back then was:
> "I would like to suggest adding an option to remove/update the key  
> from within the X2Go-Client. However, to avoid "user click-through",  
> it should be somewhere in the menu, and the popup message should be  
> amended with a note pointing to that menu."

This sounds like a nice solution. Heinrich, are you willing to work on  
this new feature? As you have also worked on the https proxy support  
code, I guess you are capable to perform this task ;-).

Otherwise, we will keep this wishlist request on the list, but do not  
expect a prompt solution for this.

Thanks+Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Stefan Baur <newsgroups.mail2@stefanbaur.de>

To: x2go-dev@lists.berlios.de, 241@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#241: Bug#241: Changed host key cannot be updated

Date: Fri, 21 Jun 2013 10:42:12 +0200

Am 21.06.2013 10:20, schrieb Mike Gabriel:

> @all: comments, opinions on such a new feature?

This has been discussed previously on the list - I believe it was before 
the introduction of X2Go-BTS, which is why there's no bug/ticket 
regarding it.
Subject was: "Feature Request: update ssh public key fingerprint from 
within x2goclient"
Date: 2012-02-17 14:41
Message-ID: <4F3E58FE.1050502@stefanbaur.de>

We need to find a middle ground between the current "No soup for you!" 
and the way-too-easy "Update host key [Y]/n" prompt.

My suggestion back then was:
"I would like to suggest adding an option to remove/update the key from 
within the X2Go-Client. However, to avoid "user click-through", it 
should be somewhere in the menu, and the popup message should be amended 
with a note pointing to that menu."

-Stefan

Message #25 received at 241@bugs.x2go.org (full text, mbox, reply):

From: xypron.glpk@gmx.de

To: mike.gabriel@das-netzwerkteam.de

Cc: 241@bugs.x2go.org, Heinrich Schuchardt <xypron.glpk@gmx.de>

Subject: [PATCH 22/22] Re: [X2Go-Dev] Bug#241: Changed host key cannot be updated

Date: Sat, 22 Jun 2013 16:34:46 +0200

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

The appended patch allows to updated changed host keys.

It does not include the necessary changes for the translations.

Best regards

Heinrich Schuchardt

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 onmainwindow.cpp |   67 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 21 deletions(-)

diff --git a/onmainwindow.cpp b/onmainwindow.cpp
index b707d84..d0993f2 100644
--- a/onmainwindow.cpp
+++ b/onmainwindow.cpp
@@ -2953,33 +2953,58 @@ void ONMainWindow::slotSshServerAuthError ( int error, QString sshMessage, SshMa
     {
     case SSH_SERVER_KNOWN_CHANGED:
         errMsg=tr ( "Host key for server changed.\nIt is now: " ) +sshMessage+"\n"+
-               tr ( "For security reasons, connection will be stopped" );
-        connection->writeKnownHosts(false);
-        connection->wait();
-        if(sshConnection && sshConnection !=connection)
+               tr ( "This can be an indication of a man-in-the-middle attack.\n"
+                    "Somebody might be eavesdropping on you.\n"
+                    "For security reasons, it is recommended to stop the connection.\n"
+                    "Do you want to terminate the connection?\n" );
+        if ( !QMessageBox::warning( 0, tr( "Host key verification failed" ),
+                errMsg, tr( "Yes" ), tr( "No" ) ) != 0)
+            {
+            connection->writeKnownHosts(false);
+            connection->wait();
+            if(sshConnection && sshConnection !=connection)
+            {
+                sshConnection->wait();
+                delete sshConnection;
+            }
+            slotSshUserAuthError ( tr ( "Host key verification failed" ) );
+            sshConnection=0;
+            return;
+        }
+        else
         {
-            sshConnection->wait();
-            delete sshConnection;
+            errMsg = tr( "If you accept the new host key the security of your "
+                         "connection may be compromised.\n"
+                         "Do you want to update the host key?" );
         }
-        sshConnection=0;
-        slotSshUserAuthError ( errMsg );
-        return;
-
+        break;
     case SSH_SERVER_FOUND_OTHER:
         errMsg=tr ( "The host key for this server was not found but an other"
-                    "type of key exists.An attacker might change the default server key to"
-                    "confuse your client into thinking the key does not exist" );
-        connection->writeKnownHosts(false);
-        connection->wait();
-        if(sshConnection && sshConnection !=connection)
+                    "type of key exists. An attacker might change the default server key to "
+                    "confuse your client into thinking the key does not exist. \n"
+                    "For security reasons, it is recommended to stop the connection.\n"
+                    "Do you want to terminate the connection?\n");
+        if ( !QMessageBox::warning( 0, tr( "Host key verification failed" ),
+                errMsg, tr( "Yes" ), tr( "No" ) ) != 0)
+            {
+            connection->writeKnownHosts(false);
+            connection->wait();
+            if(sshConnection && sshConnection !=connection)
+            {
+                sshConnection->wait();
+                delete sshConnection;
+            }
+            slotSshUserAuthError ( tr ( "Host key verification failed" ) );
+            sshConnection=0;
+            return;
+        }
+        else
         {
-            sshConnection->wait();
-            delete sshConnection;
+            errMsg = tr( "If you accept the new host key the security of your "
+                         "connection may be compromised.\n"
+                         "Do you want to update the host key?" );
         }
-        sshConnection=0;
-        slotSshUserAuthError ( errMsg );
-        return ;
-
+        break;
     case SSH_SERVER_ERROR:
         connection->writeKnownHosts(false);
         connection->wait();
-- 
1.7.10.4

Message #30 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Nable 80 <nable.maininbox@googlemail.com>

To: xypron.glpk@gmx.de, 241@bugs.x2go.org, x2go-dev@lists.berlios.de

Subject: Re: [X2Go-Dev] Bug#241: [PATCH 22/22] Re: Bug#241: Changed host key cannot be updated

Date: Sat, 22 Jun 2013 21:09:11 +0400

> +        if ( !QMessageBox::warning( 0, tr( "Host key verification failed" ),
> +                errMsg, tr( "Yes" ), tr( "No" ) ) != 0)
I think that using `!' in the beginning and `!=' in the end is a great
idea to confuse everybody, including those who have written this piece
of code.
Or did I understood these lines in a wrong way (here is some irony) ?

Message #37 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: xypron.glpk@gmx.de

Cc: 241@bugs.x2go.org

Subject: Re: [PATCH 22/22] Re: [X2Go-Dev] Bug#241: Changed host key cannot be updated

Date: Fri, 19 Jul 2013 18:31:24 +0200

[Message part 1 (text/plain, inline)]

Hi Heinrich,

On Sa 22 Jun 2013 16:34:46 CEST  wrote:

> From: Heinrich Schuchardt <xypron.glpk@gmx.de>
>
> The appended patch allows to updated changed host keys.
>
> It does not include the necessary changes for the translations.
>
> Best regards
>
> Heinrich Schuchardt
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>  onmainwindow.cpp |   67  
> +++++++++++++++++++++++++++++++++++++-----------------
>  1 file changed, 46 insertions(+), 21 deletions(-)
>
> diff --git a/onmainwindow.cpp b/onmainwindow.cpp
> index b707d84..d0993f2 100644
> --- a/onmainwindow.cpp
> +++ b/onmainwindow.cpp
> [...]

I just realized that I have not reacted to this one yet.

As the patch introduces changes on translatable strings, this patch  
will only be applied after release 4.0.1.1.

Thanks for this piece of work.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #42 received at 241@bugs.x2go.org (full text, mbox, reply):

From: mallwase moloi <mallwase@vut.ac.za>

To: Undisclosed recipients:;

Subject: My last wish

Date: Tue, 23 Jul 2013 09:02:00 +0000

[Message part 1 (text/plain, inline)]

Although, I am not comfortable discussing the content of my mail on the Internet owing to lots of

unsolicited/Spam mails on the net nowadays. Anyway my message is that I have made up my mind to will my

late Husband's funds  to you so that you can use it for charity  duties and good work to humanity in

your country. The amount is 4 million Dollars. Please get back to me on my personal and secured email

address for further information. My secured email address is: mallwasemoloi101@live.co.uk<mailto:mallwasemoloi101@live.co.uk>
God bless you.
Mrs. Mallwase Moloi.

[Message part 2 (text/html, inline)]

Message #47 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 241-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 241@bugs.x2go.org

Subject: X2Go issue (in src:x2goclient) has been marked as pending for release

Date: Mon, 30 Sep 2013 21:07:45 +0200 (CEST)

tag #241 pending
fixed #241 4.0.1.2
thanks

Hello,

X2Go issue #241 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=f376e1c

The issue will most likely be fixed in src:x2goclient (4.0.1.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit f376e1c9e9e1b145b4ed1f2cb8a32b64ffe5f4bf
Author: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date:   Mon Sep 30 21:07:25 2013 +0200

    Handle SSH host key changes more elegantly and allow user interaction if such a host key change occurs. (Fixes: #241).

diff --git a/debian/changelog b/debian/changelog
index 0b6aa9e..6360efe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,11 @@ x2goclient (4.0.1.2-0~x2go2) UNRELEASED; urgency=low
       config file. This allows choosing the default display for shadow
       sessions.
 
+  [ Heinrich Schuchardt ]
+  * New upstream version (4.0.1.2):
+    - Handle SSH host key changes more elegantly and allow user interaction
+      if such a host key change occurs. (Fixes: #241).
+
  -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Wed, 11 Sep 2013 12:17:43 +0200
 
 x2goclient (4.0.1.1-0~x2go1) unstable; urgency=low

Message #59 received at 241@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 241-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 241@bugs.x2go.org

Subject: X2Go issue (in src:x2goclient) has been marked as closed

Date: Tue, 17 Dec 2013 15:55:20 +0100 (CET)

close #241
thanks

Hello,

we are very hopeful that X2Go issue #241 reported by you
has been resolved in the new release (4.0.1.2) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.1.2)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=34591fd62844b2b955e6a4bf3cf44d4759c5e44c;hp=d5ff7886ae22a1e36541570e7095fac9860af6e8

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.1.2-0x2go2
Status: RELEASE
Date: Tue, 17 Dec 2013 15:21:38 +0100
Fixes: 139 230 241 311 315 316 328 333
Changes: 
 x2goclient (4.0.1.2-0x2go2) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream version (4.0.1.2):
     - Provide Keywords: key in .desktop file.
     - Add NSIS packaging files for win32 builds to source tree.
       (Files provided by Oleksandr Shneyder, thanks!!!).
     - Rename win32 desktop and startmenu icon from "X2goClient" to "X2Go
       Client".
     - Store broker HTTPS certificate exceptions in
       $HOME/.x2go/ssl/exceptions (before: $HOME/ssl/exceptions).
       (Fixes: #328).
     - Perform sanity checks on data that comes in from X2Go Servers.
       Prohibit the execution of arbitrary code via the ~/.bashrc file.
       (Fixes: #333).
     - Add option --broker-cacertfile. Allow usage of non-system-wide
       installed (self-signed) SSL certificate chains for https (SSL)
       session broker connections. (Fixes: #311).
     - Update man page for new --tray-icon cmdline option.
     - Update man page for --broker-url. Explain the syntax of <URL>.
     - Properly handle (=expand) the "~" character in key filenames. (Brought to
       attention by Eldamir on IRC. Thanks!).
     - Expand tilde operator for all other file paths handed over to X2Go Client
       via sessions file or cmdline parameter.
     - Syntax fix of x2goclient.desktop file.
     - Test for various file locations of the pulseaudio cookie file.
     - Allow patching of qmake-qt4 executable path in Makefile.
     - Make qmake-qt4 and lrelease path in Makefile easily replacable (as
       RHEL-5 does not have those tools in $PATH).
     - Make sure that build_client and build_plugin are not build with parallel
       make.
     - Make x2goplugin-provider installable via Makefile.
   * Pull-in packaging changes from Debian.
   * debian/source/format:
     + Switch to format 1.0.
   * x2goclient.spec:
     + Ship x2goclient.spec (RPM package definitions) in upstream project.
       (Thanks to the Fedora package maintainers).
     + Clear (Fedora package) changelog.
     + Make package build on Fedora/EPEL versions that do not have the
       qtbrowserplugin package.
     + For EPEL-5 builds: replace full path to qmake-qt4 and lrelease.
     + Split up package into bin:packages: x2goclient, x2goplugin,
       x2goplugin-provider.
     + Make sure lrelease-qt4 is executed (not just lrelease).
 .
   [ Ricardo Díaz Martín ]
   * New upstream versino (4.0.1.2):
     - Strip whitespaces off of user name, host name and other
       strings when loading / saving session profiles.(Fixes: #315).
     - New option --tray-icon. Force showing the tray icon, even for
       hidden sessions. Also allow creation of .desktop files with
       --tray-icon optionally being enabled. (Fixes: #316).
     - Update Spanish translation.
 .
   [ Oleksandr Shneyder ]
   * New upstream version (4.0.1.2):
     - Support for keys "shadowuser" "shadowdisplay" and "shadowmode" in
       config file. This allows choosing the default display for shadow
       sessions.
     - Support for GSSApi(Kerberos 5) authentication. Using ssh/scp commands
       on Linux and Mac and plink/pscp on Windows.
     - Support for ChallengeResponseAuthentication (Google Authenticator)
     - Setting main window focus on mac (Fixes: #139).
     - Additional check if authentication with GSSApi successfull
     - c121b7e2d3d83abdc2d7a29637bc3294e38b2ec3 broke checking if remote
       command produce only stderr and not stdout. It made x2goclient crash
       if x2gostartagent send LIMIT error. Current commit fixes this issue.
     - SshMasterConnection should use current user name if no user name is
       specified in session settings
     - GSSApi(Kerberos 5) authentication for sshproxy and sshbroker
     - fixed GSSApi(Kerberos 5) authentication for sshproxy and sshbroker
       on windows
 .
   [ Heinrich Schuchardt ]
   * New upstream version (4.0.1.2):
     - Handle SSH host key changes more elegantly and allow user interaction
       if such a host key change occurs. (Fixes: #241).
 .
   [ Michael DePaulo ]
   * New upstream version (4.0.1.2):
     - win32: Add uninstall information to Add/Remove Programs. (Fixes: #230).

Send a report that this bug log contains spam.