SSH Host Key incorrectly used and checked on Windows #4003

Closed
Simba98 opened this issue Sep 14, 2023 · 5 comments
Labels: bug, network

Comments


Simba98 commented Sep 14, 2023

Describe the bug
Start a server that has two SSHDs, with different ports, with different keys.

To Reproduce
Steps to reproduce the behavior:

  1. Server (Fedora 39 in VM) xpra start :XPRA_PORT
  2. Then try to connect SSH without ssh port (which means 22)
    &"C:\Program Files\Xpra\Xpra_cmd.exe" attach ssh://username@HOST/XPRA_PORT
    Xpra will write to (Windows Client) ~/.ssh/known_hosts without the ssh port
    MY_DOMAIN_NAME ssh-ed25519 AAAAC3NzaC1SSH_Key_On_22_Port
  3. Then try to connect to another ssh port &"C:\Program Files\Xpra\Xpra_cmd.exe" attach ssh://username@HOST:SSH_PORT/XPRA_PORT
  4. Throws an SSH key changed error (it should not, because we did not connect to this port); click yes, and then xpra changes the known_hosts
    It is supposed to be [MY_DOMAIN_NAME]:SSH_PORT ssh-ed25519 AAAAC3NzaC1SSH_Key_On_Second_Port
  5. But Xpra overwrites the SSH_Key_On_22_Port to
    MY_DOMAIN_NAME ssh-ed25519 AAAAC3NzaC1SSH_Key_On_Second_Port
  6. This will prevent other ssh clients from connecting to port 22 if we use xpra to connect to some other ssh port.

System Information (please complete the following information):

  • Server OS: Fedora 39 in VM
  • Client OS: Windows 11
  • Xpra Server Version xpra v5.0.2-r0 on Fedora 39
  • Xpra Client Version xpra v5.0.2-r1 on Windows 11

Additional context
Temp Workaround: use host file to give xpra an individual domain to prevent xpra overwriting ssh key without port.

Simba98 added the bug label Sep 14, 2023
Simba98 changed the title from "SSH Key incorrectly used and checked on Windows" to "SSH Host Key incorrectly used and checked on Windows" Sep 14, 2023
Collaborator

totaam commented Sep 14, 2023

> xpra start :XPRA_PORT

There is no XPRA_PORT, this is a display number.

This is not an xpra bug, the known hosts file is managed using the paramiko API:

```python
host_keys.add(host, host_key.get_name(), host_key)
```

And this API doesn't have an argument for the port number:
https://docs.paramiko.org/en/latest/api/hostkeys.html#paramiko.hostkeys.HostKeys.add

You may want to switch to putty for this use-case.

totaam closed this as not planned Sep 14, 2023
Author

Simba98 commented Sep 14, 2023

Hi Totaam,

You do not need the API to provide the port number as an argument; [IP]:Port and [Host]:Port are the hostname.

> Hostnames is a comma-separated list of patterns (* and ? act as wildcards). Each pattern is matched against the canonical host name when authenticating a client or against the user-supplied name when authenticating a server. A pattern can also be preceded by ! to indicate negation. If the host name matches a negated pattern, it is not accepted by that line even if it matched another pattern on the line. A hostname or address can optionally be enclosed within '[' and ']' brackets, then followed by ':' and a nonstandard port number.
https://www.ibm.com/docs/en/zos/2.5.0?topic=daemon-ssh-known-hosts-file-format

And I have written a short test to verify that paramiko supports it.

```python
from paramiko.hostkeys import HostKeys

host_keys = HostKeys()
# Use ./.ssh so the real ~/.ssh folder is not overwritten
host_keys.load("./.ssh/known_hosts")

# The host4 line starts with: host4,1.2.3.4 ecdsa-sha2-nistp256 AAAAE2VjZHNhLSomething
key4 = host_keys.lookup("host4")
key4ip = host_keys.lookup("1.2.3.4")
# You can get host4 via domain name and IP
key4["ecdsa-sha2-nistp256"]
key4ip["ecdsa-sha2-nistp256"]

# Host 5 is a normal one
key5 = host_keys.lookup("host5")

# Host 6 already has an entry for [host6]:1023
key6 = host_keys.lookup("[host6]:1023")

# Now we add [host6]:1024; the key type name carries the ssh- prefix,
# matching the name used for the lookup on the right
host_keys.add("[host6]:1024", "ssh-ed25519", key5["ssh-ed25519"])

# Save it
host_keys.save("./.ssh/new_known_hosts")
```

Let me see if I can make a PR.
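The host-token convention discussed in this thread, as an added example that is not code from xpra, paramiko or either commenter: a bare name is used for port 22 and `[host]:port` otherwise, so keys for two sshd instances on one host are stored and checked independently. All function names and key blobs are constructed for illustration; hashed entries, wildcards and negation are not handled.

```python
# Added illustration: hypothetical helper names, constructed placeholder key blobs.

def known_hosts_name(host, port=22):
    """Host token as written in known_hosts: bare on port 22, else [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def parse_known_hosts(text):
    """Map (host token, key type) -> base64 key.
    Skips blank lines, comments, @marker lines and hashed (|1|...) entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):
            entries[(name, keytype)] = key
    return entries

def check_host_key(entries, host, port, keytype, key):
    """Return 'match', 'changed' or 'unknown' for the key offered by host:port."""
    known = entries.get((known_hosts_name(host, port), keytype))
    if known is None:
        return "unknown"
    return "match" if known == key else "changed"

def remember(entries, host, port, keytype, key):
    """Store the key under the port-qualified token, never under the bare host."""
    entries[(known_hosts_name(host, port), keytype)] = key

SAMPLE = """\
# constructed sample
example.test ssh-ed25519 AAAAC3NzaC1KEY_ON_PORT_22
[host6]:1023,[10.0.0.6]:1023 ssh-ed25519 AAAAC3NzaC1KEY_HOST6
"""

def demo():
    """First contact with a second sshd on port 2222 of the same host."""
    entries = parse_known_hosts(SAMPLE)
    second = "AAAAC3NzaC1KEY_ON_SECOND_PORT"
    first = check_host_key(entries, "example.test", 2222, "ssh-ed25519", second)
    remember(entries, "example.test", 2222, "ssh-ed25519", second)
    return first, entries
```

With port-qualified tokens the first connection to the second port is reported as an unknown host rather than a changed key, and the port 22 entry is left untouched.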

totaam reopened this Sep 14, 2023
Collaborator

totaam commented Oct 19, 2023

Bump.

totaam added the network label Oct 19, 2023
Collaborator

totaam commented Dec 3, 2023

Bump.

Collaborator

totaam commented Dec 25, 2023

Not heard back, closing.

totaam closed this as not planned Dec 25, 2023