Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 02 Jul 2013 14:52:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Michael Samuel <mik@...net.net>
Subject: Re: CVE Request: Ansible not caching SSH host keys

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/30/2013 10:45 PM, Michael Samuel wrote:
> http://www.ansibleworks.com/
> 
> Problem: Default configuration does not cache SSH host keys,
> effectively disabling host key checking
> 
> Note - do not credit me for finding this, I'm just the only person 
> indignant enough to request a CVE
> 
> A colleague found this bug, only to notice that it was logged by
> somebody else (antong on github), and rejected: 
> https://github.com/ansible/ansible/issues/857
> 
> This can be fixed by calling ssh.load_system_host_keys() after line
> 78 of 
> https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py
>
>  While it is possible to call the SSH command instead of using
> paramiko, this isn't the default and the ramifications of not
> checking host keys aren't advertised to users.  A more reasonable
> approach would be to document how to un-cache a host key should it
> change.
> 
> Regards, Michael

Please use CVE-2013-2233 for this issue. After some thought I think it
qualifies, host key caching is def. a security feature designed to
prevent mitm (if you constantly hammer the user to check/accept keys
at some point they'll just go "sure whatever, they must have changed
something on the remote end).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0z2gAAoJEBYNRVNeJnmTGvoP/0sanyVTjjjwTo/Jhf+aXDUX
YTZvJgjQ7Eg4mrPg+voxAP0boYke4WaEps0J9H5CvMLAnq/o/LSdg6M5mZnCukcf
fX8hdqdo5WZjhBO8y1lF7ozEc+CuWOKKtY221C4uI4Q8IZ9+2Ad70YwkauBTVzlN
BIIRncBLfLmccDoQbGjWLwbKOqq1RXXsUR58a8rNj8TxmsYtNNNmUBUr5do69ytX
mIDYtu/mtQLWZVAsKk+7oQu/4lWtoYNK4zTIzQTO04i7plPjLkSivTCAjvPhn9+W
qXjTps+aEb6h/jEZC9fi6mtb6rBGIvRSZNxMaILso9x1N0Aqr6zdKzLOTWOVnaG5
tcMXmArZePPeM6TGh+o3lLAH7NmmDDMkzoiHUow3ExhD5fnqM/KjTO1JM1u+W6J3
r6XGqkjvlzHUQEIuVKcHGlSrAfgQ4Kz3lL9wNcrZnd/yYxxeJEAbjnJhfDyXKUHe
BuxZWHKlWDebtZoFEtg1QICPKzW4VWwMISSdzu0iI9rZQoKivyTILvG8kB+oG/p/
r8Y7cVfelATL4VvZeO7oXTDpuJlsrpkRr8qKvZL96d1GkCZrPIVznYy2qHAZSKr4
V8psXCYzad3uwBM37Do3e21ysSkwypY7irFotBPIpccQChjAtAQOc339s66EXhW4
9gea7LiuYO+VK5k4fKW8
=hVHG
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.