On Mon, Aug 02, 2021 at 11:40:02AM +0200, Frank-Michael Fischer wrote:
> # UserKnownHostsFile ~/.ssh/known_hosts.d/%k

That's not actually the default though; upstream seems to have added that
*comment* to the distributed ssh_config merely as an example.  The actual
code that sets the default behaviour looks like this:

    if (options->num_user_hostfiles == 0) {
        options->user_hostfiles[options->num_user_hostfiles++] =
            xstrdup(_PATH_SSH_USER_HOSTFILE);
        options->user_hostfiles[options->num_user_hostfiles++] =
            xstrdup(_PATH_SSH_USER_HOSTFILE2);
    }

And the corresponding macro definitions for that are:

    /*
     * Per-user file containing host keys of known hosts.  This file need not be
     * readable by anyone except the user him/herself, though this does not
     * contain anything particularly secret.
     */
    #define _PATH_SSH_USER_HOSTFILE     "~/" _PATH_SSH_USER_DIR "/known_hosts"
    /* backward compat for protocol 2 */
    #define _PATH_SSH_USER_HOSTFILE2    "~/" _PATH_SSH_USER_DIR "/known_hosts2"

I also tested this in a clean Debian unstable container image, and strace
proves that ssh is looking at ~/.ssh/known_hosts by default:

    212   openat(AT_FDCWD, "/home/cjwatson/.ssh/known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
    212   openat(AT_FDCWD, "/home/cjwatson/.ssh/known_hosts2", O_RDONLY) = -1 ENOENT (No such file or directory)
    212   openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
    212   openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts2", O_RDONLY) = -1 ENOENT (No such file or directory)

> There is another bug in the default settings:
>
> Without adding "hmac-sha2-256" this way "MACs
> hmac-md5,hmac-sha1,hmac-sha2-256,umac...@openssh.com" ssh does not connect
> to any of my own sshd servers on Debian 10, Ubuntu 18.04 and 20.04 and
> Oracle Linux 8.

Again, the commented-out values in ssh_config are merely comments and are
not actually the defaults.  (You would have to ask upstream for why the
commented-out values aren't in sync there, but that would at most be a
documentation error, not incorrect defaults.)

"man ssh_config" describes the actual default for MACs, which is:

    umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
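The two points in the reply above (a '#'-prefixed line in ssh_config sets nothing, and the compiled-in default applies unless an uncommented directive is obtained first) can be checked mechanically with a small resolver that follows the ssh_config(5) rules: comments and blank lines are skipped, keywords are case-insensitive, Host blocks restrict what follows them, and the first value obtained for a keyword wins, with ~/.ssh/config read before the system-wide file. This is an added example, not Colin Watson's code and not OpenSSH's own option parser. The known_hosts default is the pair of paths from the macros quoted in the mail; the MACs default list is reproduced from ssh_config(5) for OpenSSH 8.x and should be treated as an assumption to confirm for your build; the two config texts are constructed samples, not the real Debian files; `effective_value`, `resolve` and `mac_in_effective_list` are names chosen for this example. Negated Host patterns and Match blocks are deliberately out of scope.

```python
"""Resolve the value ssh(1) would use for an ssh_config option.

Added example; not OpenSSH's parser.  Models the rules from ssh_config(5):
comments are ignored, the first obtained value wins, Host blocks scope the
directives after them, and ~/.ssh/config is read before /etc/ssh/ssh_config.
"""
import fnmatch
import re

# Compiled-in defaults, consulted only when no uncommented directive matched.
# userknownhostsfile: _PATH_SSH_USER_HOSTFILE and _PATH_SSH_USER_HOSTFILE2 from the mail.
# macs: the default list in ssh_config(5) for OpenSSH 8.x (assumption; confirm
# for your build with `ssh -G somehost | grep '^macs '`).
COMPILED_DEFAULTS = {
    "userknownhostsfile": "~/.ssh/known_hosts ~/.ssh/known_hosts2",
    "macs": ",".join([
        "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
        "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
    ]),
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_options(config_text, target_host):
    """Walk config_text in order; the first value obtained for each keyword wins.

    A line whose first non-blank character is '#' is dropped before anything
    else looks at it, so '#   MACs ...' sets nothing at all.  Host patterns are
    fnmatch-style, as in ssh.  Negated patterns and Match blocks are not handled.
    """
    resolved = {}
    active = True  # no Host block seen yet: directives apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "host":
            active = any(fnmatch.fnmatchcase(target_host, pat) for pat in value.split())
            continue
        if active and keyword not in resolved:
            resolved[keyword] = value
    return resolved


def effective_value(config_text, target_host, keyword):
    """First matching directive for keyword, else the compiled-in default."""
    keyword = keyword.lower()
    return effective_options(config_text, target_host).get(keyword, COMPILED_DEFAULTS.get(keyword))


def mac_in_effective_list(config_text, target_host, mac):
    """True if ssh would offer `mac` to target_host under config_text."""
    return mac in effective_value(config_text, target_host, "MACs").split(",")


# Constructed sample in the shape of a distro ssh_config; not the real Debian file.
SYSTEM_SSH_CONFIG = """\
# This is the ssh client system-wide configuration file (constructed sample).
Host *
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    SendEnv LANG LC_*
    HashKnownHosts yes
"""

# Constructed ~/.ssh/config; ssh reads it before the system file, so it wins.
USER_SSH_CONFIG = """\
Host bastion
    MACs hmac-sha2-512-etm@openssh.com
"""


def resolve(target_host, keyword, user_config=USER_SSH_CONFIG, system_config=SYSTEM_SSH_CONFIG):
    """Combine the per-user and system-wide files in ssh's precedence order."""
    return effective_value(user_config + "\n" + system_config, target_host, keyword)


if __name__ == "__main__":
    for host in ("bastion", "www.example.org"):
        for kw in ("UserKnownHostsFile", "MACs", "HashKnownHosts"):
            print(f"{host:16} {kw:20} {resolve(host, kw)}")
```

Run against the samples, `www.example.org` gets `~/.ssh/known_hosts ~/.ssh/known_hosts2` and the compiled-in MACs list (which already contains hmac-sha2-256), while the uncommented `HashKnownHosts yes` does take effect; `bastion` gets the single MAC from the user file because that file is read first. On a real installation the same question is answered by `ssh -G somehost`, which prints the options ssh actually resolved, or by the strace approach used in the mail.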