From 405fb7c3c93c4cef1f08a3edc9ea0d31c7a6df57 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 3 Aug 2008 20:32:59 -0400 Subject: adding a new bug about the interaction between HostKeyAlias and monkeysphere-ssh-proxycommand --- .../bugs/hostkeyalias-confuses-monkeysphere.mdwn | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 website/bugs/hostkeyalias-confuses-monkeysphere.mdwn (limited to 'website/bugs') diff --git a/website/bugs/hostkeyalias-confuses-monkeysphere.mdwn b/website/bugs/hostkeyalias-confuses-monkeysphere.mdwn new file mode 100644 index 0000000..4f7df66 --- /dev/null +++ b/website/bugs/hostkeyalias-confuses-monkeysphere.mdwn @@ -0,0 +1,28 @@ +Consider the following snippet in `~/.ssh/config`: + + Host foo + HostKeyAlias bar + +for a host which is *not* participating in the monkeysphere. + +For such a host, when using `monkeysphere-ssh-proxy-command`, the +public keyservers will be queried on each attempted ssh connection +(even after a successful connection). + +This appears to be because: + +* `ssh` itself will write a line to `~/.ssh/known_hosts`, but it will + be labeled with `bar` because of the `HostKeyAlias`. + +* `monkeysphere` won't be able to find any mention of it in the + keyring (it's not in the monkeysphere) + +* `monkeysphere-ssh-proxycommand` won't be able to find it in the + `known_hosts` file because it looks for `foo`, which is never + matched. + +excessive keyserver querying is bad behavior, because it causes delays +for the users, and puts excessive load on the public keyserver +infrastructure. + +How can we resolve this? -- cgit v1.2.3 From 2f307758d083304bfddd8a8260dbf5b957a00d39 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Sun, 3 Aug 2008 21:05:56 -0400 Subject: added new bug about hashed known hosts. --- ...known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn (limited to 'website/bugs') diff --git a/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn new file mode 100644 index 0000000..f676937 --- /dev/null +++ b/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn @@ -0,0 +1,10 @@ +In `~/.ssh/config`, i have: + + HashKnownHosts No + +But when `monkeysphere-ssh-proxycommand` adds new hosts to +`~/.ssh/known_hosts`, they appear to be added in a hashed form, +instead of in the clear. + +fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported +from sid) -- cgit v1.2.3 From 3bcce75f26d00044380904f462d37d7b851cf3b7 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 3 Aug 2008 21:09:37 -0400 Subject: adding new bug about behavior with no pty. --- .../add-identity-certifier-behaves-oddly-without-pty.mdwn | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 website/bugs/add-identity-certifier-behaves-oddly-without-pty.mdwn (limited to 'website/bugs') diff --git a/website/bugs/add-identity-certifier-behaves-oddly-without-pty.mdwn b/website/bugs/add-identity-certifier-behaves-oddly-without-pty.mdwn new file mode 100644 index 0000000..1962fe5 --- /dev/null +++ b/website/bugs/add-identity-certifier-behaves-oddly-without-pty.mdwn 
@@ -0,0 +1,15 @@ +When executing `monkeysphere-server add-identity-certifier` across a +link without a pseudo-terminal, it behaves oddly (prompts are created +that are only halfway-readable, gpg gives error messages about lacking +access to a `/dev/tty`, etc. + +You can try this directly if you have remote ssh access to the +superuser on a monkeysphere-enabled host, assuming that `$GPGID` is +set to the full fingerprint of a key you want to add as a trusted +identity certifier: + + ssh root@example.org monkeysphere-server add-identity-certifier $GPGID + +Compare this behavior with: + + ssh -t root@example.org monkeysphere-server add-identity-certifier $GPGID -- cgit v1.2.3 From 0d1b53f4f26133fa27f50c418b6b3e7dbe6e8a79 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 3 Aug 2008 21:14:36 -0400 Subject: tidying up bug report about hashed known hosts --- ...known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn | 10 ---------- .../bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn | 10 ++++++++++ 2 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn create mode 100644 website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn (limited to 'website/bugs') diff --git a/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn deleted file mode 100644 index f676937..0000000 --- a/website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn +++ /dev/null @@ -1,10 +0,0 @@ -In `~/.ssh/config`, i have: - - HashKnownHosts No - -But when `monkeysphere-ssh-proxycommand` adds new hosts to -`~/.ssh/known_hosts`, they appear to be added in a hashed form, -instead of in the clear. - -fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported -from sid) 
diff --git a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn new file mode 100644 index 0000000..6b5b53d --- /dev/null +++ b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn @@ -0,0 +1,10 @@ +In `~/.ssh/config`, i have: + + HashKnownHosts No + +But when `monkeysphere-ssh-proxycommand` adds new hosts to +`~/.ssh/known_hosts`, they appear to be added in a hashed form, +instead of in the clear. + +fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported +from sid) -- cgit v1.2.3
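Review bot: In website/bugs/hostkeyalias-confuses-monkeysphere.mdwn the tool name is spelled `monkeysphere-ssh-proxy-command` in the second paragraph but `monkeysphere-ssh-proxycommand` in the third bullet and in the commit subject. Pick one spelling so the report can be found by searching for the command name. The last paragraph also opens with a lowercase "excessive". Since the report ends on an open question, it would help to say explicitly what the bullets already imply: `ssh` records the key under `bar`, so any `known_hosts` lookup done by the proxycommand would have to use the `HostKeyAlias` value and not `foo` to find it.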
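Review bot: In website/bugs/monkeysphere-adds-hashed-known_hosts-lines-contrary-to-HashKnownHosts-directive.mdwn the environment line gives the OpenSSH version (5.1p1) but not the monkeysphere version that wrote the hashed entries, which is the component under report. Add it next to the "fwiw" line. "They appear to be added in a hashed form" would also be easier to confirm with one example of an added `known_hosts` line (key material trimmed) shown beside the `HashKnownHosts No` setting.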
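Review bot: In website/bugs/add-identity-certifier-behaves-oddly-without-pty.mdwn the parenthesis opened at "(prompts are created" in the first paragraph is never closed; the sentence ends at "`/dev/tty`, etc." and needs a closing ")" before the full stop. The report also lists symptoms without saying what the command should do when there is no pseudo-terminal (refuse with a clear error, or run without prompting), which makes it hard to tell when the bug is fixed. A sentence stating the expected behaviour after the `ssh -t` comparison would settle that.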
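Review bot: In the "tidying up" commit the deleted file and the new website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn show the same ten lines as rendered here, yet the blob ids differ (`f676937` removed, `6b5b53d` added), so some change that is not visible in this view, such as whitespace or a trailing newline, went in together with the rename. If only the shorter filename was intended, do the move with no content change so it is recorded as a pure rename; if the content change is intended, mention it in the commit message.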