Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(scanner): detect host key change #1406

Merged
merged 2 commits into from
Jul 4, 2022
Merged

feat(scanner): detect host key change #1406

merged 2 commits into from
Jul 4, 2022

Conversation

MaineK00n
Copy link
Collaborator

@MaineK00n MaineK00n commented Mar 3, 2022
edited
Loading

What did you implement:

Detects cases where SSH fails due to a mismatch between the host key in known_host and the host key provided by the server.

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

$ docker run --rm -itd -p 2222:22 --name vuls-target vuls-target:ubuntu22.04
$ ssh vuls-target
$ docker stop vuls-target
$ docker run --rm -itd -p 2222:22 --name vuls-target vuls-target:debian11
$ ssh vuls-target
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:WDxHsOA25p9nSRr3PrBSG3FiKecAUTqsg59DgL5LcXU.
Please contact your system administrator.
Add correct host key in /home/mainek00n/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/mainek00n/.ssh/known_hosts:6
  remove with:
  ssh-keygen -f "/home/mainek00n/.ssh/known_hosts" -R "vuls"
ECDSA host key for vuls has changed and you have requested strict checking.
Host key verification failed.

$ vuls configtest
[Mar  3 09:07:51]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Mar  3 09:07:51]  INFO [localhost] Validating config...
[Mar  3 09:07:51]  INFO [localhost] Detecting Server/Container OS... 
[Mar  3 09:07:51]  INFO [localhost] Detecting OS of servers... 
[Mar  3 09:07:52] ERROR [localhost] (1/1) Failed: vuls-target, err: [Failed to find the server key that matches the key registered in the client. The server key may have been changed. Please exec `$ /usr/bin/ssh-keygen -R "[127.0.0.1]:2222" -f ~/.ssh/known_hosts` and `$ /usr/bin/ssh -F /home/mainek00n/.ssh/config -p 2222 -l root vuls-target` or `$ /usr/bin/ssh-keyscan -p 2222 127.0.0.1 >> ~/.ssh/known_hosts`:
    github.com/future-architect/vuls/scanner.validateSSHConfig
        /home/mainek00n/github/github.com/MaineK00n/vuls/scanner/scanner.go:418]
[Mar  3 09:07:52] ERROR [localhost] Failed to configtest: Failed to init servers. err:
    github.com/future-architect/vuls/scanner.Scanner.Configtest
        /home/mainek00n/github/github.com/MaineK00n/vuls/scanner/scanner.go:115
  - No scannable host OS:
    github.com/future-architect/vuls/scanner.Scanner.initServers
        /home/mainek00n/github/github.com/MaineK00n/vuls/scanner/scanner.go:251
exit status 1

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@MaineK00n MaineK00n self-assigned this Mar 3, 2022
@MaineK00n MaineK00n marked this pull request as ready for review March 3, 2022 02:19
@MaineK00n MaineK00n force-pushed the MaineK00n/update-check-known_hosts branch from dd69c46 to 3279a44 Compare March 3, 2022 02:22
@MaineK00n MaineK00n force-pushed the MaineK00n/update-check-known_hosts branch from 3279a44 to 2f49dbf Compare June 9, 2022 02:08
@kotakanbe kotakanbe self-requested a review July 4, 2022 00:53
@kotakanbe kotakanbe merged commit 999529a into master Jul 4, 2022
@kotakanbe kotakanbe deleted the MaineK00n/update-check-known_hosts branch July 4, 2022 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kotakanbe kotakanbe Awaiting requested review from kotakanbe

Assignees

@MaineK00n MaineK00n

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MaineK00n @kotakanbe