oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: Ansible not caching SSH host keys

From: Michael Samuel <mik () miknet net>
Date: Mon, 1 Jul 2013 14:45:43 +1000
http://www.ansibleworks.com/

Problem:
Default configuration does not cache SSH host keys, effectively disabling
host key checking

Note - do not credit me for finding this, I'm just the only person
indignant enough to request a CVE

A colleague found this bug, only to notice that it was logged by somebody
else (antong on github), and rejected:
https://github.com/ansible/ansible/issues/857

This can be fixed by calling ssh.load_system_host_keys() after line 78 of
https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py

While it is possible to call the SSH command instead of using paramiko,
this isn't the default and the ramifications of not checking host keys
aren't advertised to users.  A more reasonable approach would be to
document how to un-cache a host key should it change.

Regards,
  Michael
Previous By Date Next
Previous By Thread Next

Current thread: