GNU bug report logs - #18967
Tramp disables important SSH security features

Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Thu, 6 Nov 2014 00:49:01 UTC

Severity: normal

Tags: security

Fixed in version 26.1

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Thu, 06 Nov 2014 00:49:01 GMT)

Acknowledgement sent to Daniel Colascione <dancol <at> dancol.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 06 Nov 2014 00:49:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Daniel Colascione <dancol <at> dancol.org>
To: bug-emacs <bug-gnu-emacs <at> gnu.org>
Subject: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 00:47:40 +0000
Tramp disables SSH host key checks by setting
GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
StrictHostKeyChecking=no in its default method configuration. These
settings allow attackers to intercept connections to remote hosts, sniff
passwords, and cause other mischief. I don't think we should ship an
insecure configuration.

Added tag(s) security. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 06 Nov 2014 01:09:01 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Thu, 06 Nov 2014 12:06:01 GMT)

Message #10 received at 18967 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: 18967 <at> debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 07:05:40 -0500
On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol <at> dancol.org> wrote: 

DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.

I think the alternatives are something like what Ansible does:
http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
or a SSH client library as a FFI. SSH, when called externally, has many
failure modes without those options.

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Thu, 06 Nov 2014 16:59:01 GMT)

Message #13 received at 18967 <at> debbugs.gnu.org:

From: Daniel Colascione <dancol <at> dancol.org>
To: Ted Zlatanov <tzz <at> lifelogs.com>
Cc: 18967 <at> debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 16:58:24 +0000
On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol <at> dancol.org> wrote: 
> 
> DC> Tramp disables SSH host key checks by setting
> DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
> DC> StrictHostKeyChecking=no in its default method configuration. These
> DC> settings allow attackers to intercept connections to remote hosts, sniff
> DC> passwords, and cause other mischief. I don't think we should ship an
> DC> insecure configuration.
> 
> I think the alternatives are something like what Ansible does:
> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
> or a SSH client library as a FFI. 

> SSH, when called externally, has many
> failure modes without those options.

So let it fail. Since when is it okay to trade diminished security for
improved reliability?

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Thu, 06 Nov 2014 21:00:03 GMT)

Message #16 received at 18967 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: 18967 <at> debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 15:59:18 -0500
On Thu, 06 Nov 2014 16:58:24 +0000 Daniel Colascione <dancol <at> dancol.org> wrote: 

DC> On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
>> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol <at> dancol.org> wrote: 
>> 
DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.
>> 
>> I think the alternatives are something like what Ansible does:
>> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
>> or a SSH client library as a FFI. 

>> SSH, when called externally, has many failure modes without those
>> options.

DC> So let it fail.

You can discuss that with the users and the maintainers and Michael
Albinus.  I was certainly not recommending a course of action.

DC> Since when is it okay to trade diminished security for improved
DC> reliability?

Happiness comes from within?

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Thu, 06 Nov 2014 23:40:02 GMT)

Message #19 received at 18967 <at> debbugs.gnu.org:

From: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: Ted Zlatanov <tzz <at> lifelogs.com>, 18967 <at> debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 18:39:49 -0500
> So let it fail.

Agreed.  But I think the difficulty is in making Tramp fail cleanly
(as opposed to hang, for example).


        Stefan "who has similar issues with the connection-sharing defaults"




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Fri, 07 Nov 2014 07:57:02 GMT)

Message #22 received at 18967 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Cc: Ted Zlatanov <tzz <at> lifelogs.com>, Daniel Colascione <dancol <at> dancol.org>,
 18967 <at> debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Fri, 07 Nov 2014 08:56:00 +0100
Stefan Monnier <monnier <at> IRO.UMontreal.CA> writes:

>> So let it fail.
>
> Agreed.  But I think the difficulty is in making Tramp fail cleanly
> (as opposed to hang, for example).

Indeed, and this was the reason for the current settings. I will recheck
whether we could do it differently; but do not expect results in a day
or two. There are several bug reports about Tramp I'm faced with, and
due to local restrictions my progress is slow.

>         Stefan "who has similar issues with the connection-sharing defaults"

Yes, that might be revisited as well.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Tue, 13 Dec 2016 01:13:01 GMT)

Message #25 received at 18967 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: Ted Zlatanov <tzz <at> lifelogs.com>, 18967 <at> debbugs.gnu.org,
 Daniel Colascione <dancol <at> dancol.org>,
 Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 12 Dec 2016 20:12:39 -0500
Hi Michael - is there any update on this issue?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Tue, 13 Dec 2016 08:37:02 GMT)

Message #28 received at 18967 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 18967 <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Tue, 13 Dec 2016 09:36:06 +0100
Glenn Morris <rgm <at> gnu.org> writes:

> Hi Michael - is there any update on this issue?

Hi Glenn,

no update, I've stalled this issue. And I'm still undecided how to
change it w/o damaging Tramp functionality.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Tue, 13 Dec 2016 20:05:01 GMT)

Message #31 received at 18967 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 18967 <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Tue, 13 Dec 2016 15:04:45 -0500
How about

ssh -o BatchMode=yes 

?

IIUC, this causes ssh to fail with an error, instead of eg asking "Are
you sure you want to continue connecting" and waiting forever.

(But it also seems to me that it is not Tramp's job to work around
difficulties a user might be having with SSH, and that eg an occasional
hang is preferable to changing things to be less secure than SSH's
default).




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Sun, 18 Dec 2016 08:52:02 GMT)

Message #34 received at 18967 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 18967 <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Sun, 18 Dec 2016 09:51:18 +0100
Glenn Morris <rgm <at> gnu.org> writes:

> How about
>
> ssh -o BatchMode=yes 

No, Batchmode suppresses the password dialogue. Not applicable.

And looking at the code I really don't see what can be done.

Note, that GlobalKnownHostsFile, UserKnownHostsFile and
StrictHostKeyChecking are not disabled by default. They are disabled
only in case a so-called gateway is used, like
"/tunnel:proxyhost#3128|ssh:remotehost:/path/to/file". Tramp will
create a temporary httpd tunnel then, with a random port number on the
localhost, like localhost#12345.

If you connect to remotehost as above, there will be an internal ssh
connection to localhost#12345, which is the tunnel through proxyhost. If
you connect to another.remotehost afterwards, the same internal ssh
target will be used. But remotehost and another.remotehost are
different, and so are their host keys. That's why Tramp must be
instructed to ignore the host keys in this very special case.

See also (info "(tramp) Gateway methods")

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Mon, 19 Dec 2016 17:03:02 GMT)

Message #37 received at 18967 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 18967 <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 19 Dec 2016 12:02:01 -0500
Thanks for explaining the issue. It sounds to me like closing this as
wontfix would be appropriate.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18967; Package emacs. (Mon, 19 Dec 2016 18:39:02 GMT)

Message #40 received at 18967 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 18967 <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 19 Dec 2016 19:37:50 +0100
Glenn Morris <rgm <at> gnu.org> writes:

Hi Glenn,

> Thanks for explaining the issue. It sounds to me like closing this as
> wontfix would be appropriate.

Perhaps.

I have some plans for a while to obsolete tramp-gw.el. When I wrote it
back in 2007, it was the only possibility to have an own implementation
of HTTP CONNECT tunneling.

Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
implement it itself anymore.

This would perform much better than my implementation in
tramp-gw.el. And this bug would disappear automatically.

So let's keep this bug as reminder. And I will see, whether I could
document these settings in the Tramp manual. There are some free days
next two weeks, isn't it the Xmas break?

Best regards, Michael.
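
The host key settings explained in message #34 and the ProxyCommand alternative from message #40, as an added example that is not code from Tramp or from anyone in this thread: a shell function that counts the `-o` options in an ssh argument list that switch off host key verification. Both sample command lines are constructed, and `-x proxyhost:3128` assumes an OpenBSD-style `nc`.

```sh
#!/bin/sh
# Added example (not Tramp code): count the -o options in an ssh argument
# list that switch off host key verification, as named in this report.

# check_opt "Key=Value" | "Key Value": print a finding and return 1 when the
# option weakens host key checking; return 0 otherwise.
check_opt() {
    # ssh_config keywords are case-insensitive, so normalise the key only.
    key=$(printf '%s' "$1" | sed 's/[ =].*//' | tr '[:upper:]' '[:lower:]')
    val=$(printf '%s' "$1" | sed 's/^[^ =]*[ =]*//')
    case "$key" in
        stricthostkeychecking)
            [ "$val" = no ] || return 0 ;;
        userknownhostsfile|globalknownhostsfile)
            [ "$val" = /dev/null ] || return 0 ;;
        *)  return 0 ;;
    esac
    printf 'host key checking weakened: %s\n' "$1"
    return 1
}

# audit_ssh_args ARG...: handles "-o opt" and "-oopt"; the exit status is the
# number of findings (0 = clean). It scans every argument, so a "-o" inside a
# trailing remote command is also reported.
audit_ssh_args() {
    findings=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -o)   [ $# -ge 2 ] || break
                  check_opt "$2" || findings=$((findings + 1))
                  shift ;;
            -o?*) check_opt "${1#-o}" || findings=$((findings + 1)) ;;
        esac
        shift
    done
    return "$findings"
}

# Constructed command lines: the gateway-style call to a local tunnel port,
# then the ProxyCommand form (proxy port 3128 as in the thread's example).
audit_ssh_args -o GlobalKnownHostsFile=/dev/null \
    -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
    -p 12345 localhost || echo "findings: $?"
audit_ssh_args -o 'ProxyCommand=nc -X connect -x proxyhost:3128 %h %p' \
    remotehost && echo "no findings"
```

With the ProxyCommand form ssh is still given the real target name, so each remote host keeps its own known_hosts entry and none of the three options is needed.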




Reply sent to Michael Albinus <michael.albinus <at> gmx.de>:
You have taken responsibility. (Wed, 21 Dec 2016 11:45:02 GMT)

Notification sent to Daniel Colascione <dancol <at> dancol.org>:
bug acknowledged by developer. (Wed, 21 Dec 2016 11:45:02 GMT)

Message #45 received at 18967-done <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 18967-done <at> debbugs.gnu.org, Daniel Colascione <dancol <at> dancol.org>,
 Ted Zlatanov <tzz <at> lifelogs.com>, Stefan Monnier <monnier <at> IRO.UMontreal.CA>
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Wed, 21 Dec 2016 12:44:23 +0100
Version: 26.1

> I have some plans for a while to obsolete tramp-gw.el. When I wrote it
> back in 2007, it was the only possibility to have an own implementation
> of HTTP CONNECT tunneling.
>
> Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
> use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
> implement it itself anymore.
>
> This would perform much better than my implementation in
> tramp-gw.el. And this bug would disappear automatically.
>
> So let's keep this bug as reminder. And I will see, whether I could
> document these settings in the Tramp manual. There are some free days
> next two weeks, isn't it the Xmas break?

Done, closing the bug.

Best regards, Michael.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 18 Jan 2017 12:24:04 GMT)