Host key validation doesn't work when not using port 22

[afbjorklund]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

The retrieval of the HostKey doesn't account for ports, and fails to find the proper host key.

Unfortunately the fallback for FixedHostKey is InsecureIgnoreHostKey, so no error is shown.

Steps to reproduce the issue:

1. # run "minikube podman-env" to set up the podman environment for connecting to podman

2. export CONTAINER_HOST="ssh://docker@127.0.0.1:32811/run/podman/podman.sock?secure=True"

3. podman-remote version

Describe the results you received:

Happily connects, even when the host key has been changed (or not properly updated)

So the "secure" parameter doesn't have any effect, behaves the same as without "secure"

Describe the results you expected:

Error: Failed to create sshClient: Connection to bastion host (ssh://docker@127.0.0.1:32811/run/podman/podman.sock?secure=True) failed.: ssh: handshake failed: ssh: host key mismatch

Using a regular ssh connection rightfully complains about the connection not being secure:

$ ssh -p 32811 docker@127.0.0.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:Mk7G0Bq+dUQ72wgtkb+gG4brTiI0+diQIR6Y0aFlhRs.
Please contact your system administrator.

Additional information you deem important (e.g. issue happens only occasionally):

Only happens when using a ssh port other than 22.

Output of podman version:

Client:
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Server:
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

(paste your output here)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Ubuntu 20.04

[afbjorklund]

Will default to ignoring host keys for now, so that it works with 2.1.1.

Also using $CONTAINER_SSHKEY, so avoid the ssh infrastructure.

[mheon]

@jwhonce PTAL

[afbjorklund]

There is a related issue, when user (or system) is using hashed entries (|) in known_hosts:

ssh-keyscan(1)

     -H      Hash all hostnames and addresses in the output.  Hashed names may
             be used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.

sshd(8)

     Hostnames is a comma-separated list of patterns (‘*’ and ‘?’ act as wild‐
     cards); each pattern in turn is matched against the host name.  When sshd
     is authenticating a client, such as when using HostbasedAuthentication,
     this will be the canonical client host name.  When ssh(1) is authenticat‐
     ing a server, this will be the host name given by the user, the value of
     the ssh(1) HostkeyAlias if it was specified, or the canonical server
     hostname if the ssh(1) CanonicalizeHostname option was used.

     A pattern may also be preceded by ‘!’ to indicate negation: if the host
     name matches a negated pattern, it is not accepted (by that line) even if
     it matched another pattern on the line.  A hostname or address may op‐
     tionally be enclosed within ‘[’ and ‘]’ brackets then followed by ‘:’ and
     a non-standard port number.

     Alternately, hostnames may be stored in a hashed form which hides host
     names and addresses should the file's contents be disclosed.  Hashed
     hostnames start with a ‘|’ character.  Only one hashed hostname may ap‐
     pear on a single line and none of the above negation or wildcard opera‐
     tors may be applied.

But I can open separate issue for that, there doesn't seem to be any code to do the hashing ?

EDIT: My bad, there is:

package knownhosts // import "golang.org/x/crypto/ssh/knownhosts"

func HashHostname(hostname string) string
    HashHostname hashes the given hostname. The hostname is not normalized
    before hashing.

Not sure if anyone actually uses the commas or wildcards or negation, so can ignore those...