oss-sec mailing list archives
CVE Request: Ansible not caching SSH host keys
From: Michael Samuel <mik () miknet net>
Date: Mon, 1 Jul 2013 14:45:43 +1000
http://www.ansibleworks.com/

Problem: Default configuration does not cache SSH host keys, effectively disabling host key checking

Note - do not credit me for finding this, I'm just the only person indignant enough to request a CVE

A colleague found this bug, only to notice that it was logged by somebody else (antong on github), and rejected:
https://github.com/ansible/ansible/issues/857

This can be fixed by calling ssh.load_system_host_keys() after line 78 of
https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py

While it is possible to call the SSH command instead of using paramiko, this isn't the default and the ramifications of not checking host keys aren't advertised to users.

A more reasonable approach would be to document how to un-cache a host key should it change.

Regards,
Michael
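The following is an added example, not part of the original message and not Ansible's or paramiko's code: a standard-library model of the check that a loaded host key cache makes possible, including hashed `known_hosts` entries. The host name, key blobs and the `auto_add` flag (standing in for a policy that accepts unknown keys) are assumptions constructed for illustration.

```python
import base64, hashlib, hmac

# Constructed stand-ins for two different server public key blobs.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

def host_matches(pattern, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def load_known_hosts(text):
    """Parse known_hosts text into (host_pattern, key_type, key_b64) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Comments and @cert-authority/@revoked markers are not handled here.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries

def check_host_key(entries, host, keytype, key_b64, auto_add):
    """Return 'match', 'added', 'unknown' or 'MISMATCH' for a presented key."""
    for pattern, ktype, known in entries:
        if ktype == keytype and host_matches(pattern, host):
            return "match" if hmac.compare_digest(known, key_b64) else "MISMATCH"
    if auto_add:
        entries.append((host, keytype, key_b64))  # trust on first use
        return "added"
    return "unknown"

def demo():
    # No cache loaded: every run starts empty, so a changed key is accepted.
    run1 = check_host_key([], "db1.example", "ssh-rsa", KEY_A, auto_add=True)
    run2 = check_host_key([], "db1.example", "ssh-rsa", KEY_B, auto_add=True)
    # Cache loaded before connecting: the changed key is caught.
    cache = load_known_hosts("db1.example ssh-rsa " + KEY_A + "\n")
    run3 = check_host_key(cache, "db1.example", "ssh-rsa", KEY_B, auto_add=True)
    return run1, run2, run3

if __name__ == "__main__":
    print(demo())
```

A `MISMATCH` result is the case where a connection should be refused until the stale entry is deliberately removed from the cache.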