X2Go Bug report logs - #241
Changed host key cannot be updated


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Date: Sun, 16 Jun 2013 12:48:01 UTC

Severity: normal

Tags: patch, pending

Found in version 4.0.0.3

Fixed in version 4.0.1.2

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Subject: Bug#241: [X2Go-Dev] Bug#241: Changed host key cannot be updated
Date: Fri, 21 Jun 2013 10:20:49 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>, 241@bugs.x2go.org
Hi Heinrich,

On Sun 16 Jun 2013 14:36:32 CEST Heinrich Schuchardt wrote:

> Dear maintainer,
>
> from time to time the SSH key used for identification by an X2GO
> server may change.
>
> When trying to connect to the server a pop up is shown:
>
> "Anmeldung fehlgeschlagen"
> "Host-Key des Servers hat sich geändert Er lautet jetzt:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
> Aus Sicherheitsgründen wird die Verbindung abgebrochen"
>
> The user is left puzzled with what he should do next.
>
> There is no indication in which file there is a problem, e.g.
> ~/.ssh/known_hosts
> or
> %APPDATA%\ssh\known_hosts
>
> There is no indication which entry in this file is corrupted.
>
> Deleting file known_hosts is a bad idea because it may contain the  
> keys for dozens of validated servers.
>
> There are examples of more informative output, e.g. from command  
> line program ssh:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
> Please contact your system administrator.
> Add correct host key in /home/user/.ssh/known_hosts to get rid of  
> this message.
> Offending RSA key in /home/user/.ssh/known_hosts:1
> RSA host key for 10.0.0.5 has changed and you have requested strict checking.
> Host key verification failed.
>
> Here I can identify the filename: /home/user/.ssh/known_hosts
> and the line of the entry: 1
>
> Manual editing of known_hosts is now possible but not too good an  
> idea because it is error prone.
>
> A good solution is what you see in PuTTY. A warning pop up is shown  
> and you get the choice to update file known_hosts.
>
> Best regards

The above surely is a good point to discuss first before implementing.

Obviously, such a replace-host-key button would improve usability in  
case host key changes occur.

However, if someone captured DNS and replaced my X2Go server by an
aggressive X2Go server, I (as developer) surely want to protect the
user from simply clicking ,,Yeah, ok man... replace that host key...
and can we go on then please...''.

The SSH-inexperienced user (i.e. probably nearly everyone in the
Windows world) will then just simply click ,,replace host key''.

So, for me this kind of replace-host-key dialog should at least have a  
double confirmation check dialog: Are you sure to replace... -> Are  
you really sure???. That kind of thing.

Heinrich: if you could come up with a patch for this issue, it would  
surely speed up an inclusion of your requested feature.

@all: comments, opinions on such a new feature?

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
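
The thread asks for the client to name the offending known_hosts entry and to replace only that entry rather than the whole file. As an added sketch (not x2goclient code and not part of either message), the Python below locates the conflicting line and replaces it only when the caller supplies a fingerprint obtained out of band that equals the presented key's fingerprint. All function names and sample keys are constructed for illustration; `[host]:port` entries, wildcard patterns and `@` marker lines are not handled.

```python
import base64
import hashlib
import hmac

# Constructed sample data: placeholder blobs, not real SSH host keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
KNOWN_HOSTS = [f"10.0.0.5 ssh-rsa {OLD}", f"other.example ssh-rsa {OLD}"]


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the format shown in the report."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_matches(field, host):
    """Match a plain host list or a hashed field (|1|salt|HMAC-SHA1)."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")


def find_offending(lines, host, key_type, presented_b64):
    """Return (line_number, stored_fingerprint) of the conflicting entry, or None."""
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank, comment or marker line: skipped in this sketch
        if (host_matches(parts[0], host) and parts[1] == key_type
                and parts[2] != presented_b64):
            return number, md5_fingerprint(parts[2])
    return None


def replace_entry(lines, host, key_type, presented_b64, verified_fp):
    """Swap only the offending line, and only for an out-of-band verified key."""
    hit = find_offending(lines, host, key_type, presented_b64)
    if hit is None:
        return list(lines)
    if md5_fingerprint(presented_b64) != verified_fp.strip().lower():
        raise PermissionError("presented key does not match verified fingerprint")
    updated = list(lines)
    host_field = lines[hit[0] - 1].split()[0]  # keep hashed/plain form as stored
    updated[hit[0] - 1] = f"{host_field} {key_type} {presented_b64}"
    return updated
```

Requiring the verified fingerprint as input, instead of a yes/no confirmation, means a user who has not checked the new key with the administrator cannot complete the replacement.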



X2Go Developers <owner@bugs.x2go.org>. Last modified: Mon May 27 11:16:52 2019; Machine Name: ymir.das-netzwerkteam.de
