Date: Mon, 1 Jul 2013 14:45:43 +1000 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: CVE Request: Ansible not caching SSH host keys http://www.ansibleworks.com/ Problem: Default configuration does not cache SSH host keys, effectively disabling host key checking Note - do not credit me for finding this, I'm just the only person indignant enough to request a CVE A colleague found this bug, only to notice that it was logged by somebody else (antong on github), and rejected: https://github.com/ansible/ansible/issues/857 This can be fixed by calling ssh.load_system_host_keys() after line 78 of https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py While it is possible to call the SSH command instead of using paramiko, this isn't the default and the ramifications of not checking host keys aren't advertised to users. A more reasonable approach would be to document how to un-cache a host key should it change. Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.