Vault ssh shouldn't overwrite the users own configuration #4672

Crazybus · 2018-06-01T05:18:11Z

Describe the bug
When using vault ssh certain command line flags such as -o UserKnownHostsFile are always appended to the ssh command and are not optional.

"-o UserKnownHostsFile=" + userKnownHostsFile,

The problem with this is that it takes precedence over the value that has been set per host in the users ssh config.

Host *
  UserKnownHostsFile .known_hosts

For this particular command line flag it is possible to specify it with the vault flag -user-known-hosts-file=.known_hosts. However this needs to be hardcoded in the vault ssh command and won't work for user cases where you have separate known_hosts files per host/group. Our usecase is that we are using vault ssh with ansible and maintain a .known_hosts file that is checked into git.

To Reproduce
Steps to reproduce the behavior:

Create an ssh_config that specifies a non-default known_hosts location

Hostname 192.168.0.2
  UserKnownHostsFile .known_hosts

SSH to the host and accept the known hosts entry

❯ ssh 192.168.0.2 -F ssh_config
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
ECDSA key fingerprint is SHA256:iD5xzH5D6huBYIUpXKaEGPoaPem1yWu0mXAl5lTOXIA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.2' (ECDSA) to the list of known hosts.

Make sure the known hosts entry for this host doesn't exist in ~/.ssh/known_hosts. Running normal ssh 192.168.0.2 should prompt to accept the host key

❯ ssh 192.168.0.2
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established.
ECDSA key fingerprint is SHA256:iD5xzH5D6huBYIUpXKaEGPoaPem1yWu0mXAl5lTOXIA.
Are you sure you want to continue connecting (yes/no)?

Use vault ssh to connect to the host

❯ vault ssh -role bastion -mode otp 192.168.0.2 -F ssh_config -vvvv
debug3: hostkeys_foreach: reading file "/Users/mick/.ssh/known_hosts"
failed to run ssh command: exit status 6

Expected behavior
Vault ssh should respect the users ssh_config and not append default values which should be handled by the ssh client. The -o UserKnownHostsFile= flag should only be appended to the ssh command if -user-known-hosts-file has been set. From a technical point of view this would mean removing the default value for -user-known-hosts-file and only appending it when flagUserKnownHostsFile != ""

Environment:

Vault Server Version 0.9.5
Vault CLI Version Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')

Additional context
I would be more than happy to work on the code part of improving this but I first want to discuss what the behaviour should be like. I'm trying to keep an open mind since maybe there is a very good reason to hardcode this that I might be missing.

The text was updated successfully, but these errors were encountered:

Don't set a default value for the UserKnownHostsFile flag. Only append `-o UserKnownHostsFile` to the ssh command if it has been specified by the user or vault ssh has set it based on another flag (such as flagHostKeyMountPoint) Fixes hashicorp#4672

Don't set a default value for the UserKnownHostsFile flag. Only append `-o UserKnownHostsFile` to the ssh command if it has been specified by the user or vault ssh has set it based on another flag (such as flagHostKeyMountPoint) Fixes #4672

Crazybus mentioned this issue Jun 1, 2018

Only append the UserKnownHostsFile ssh flag when required #4674

Merged

jefferai closed this as completed in #4674 Jun 1, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vault ssh shouldn't overwrite the users own configuration #4672

Vault ssh shouldn't overwrite the users own configuration #4672

Crazybus commented Jun 1, 2018

Vault ssh shouldn't overwrite the users own configuration #4672

Vault ssh shouldn't overwrite the users own configuration #4672

Comments

Crazybus commented Jun 1, 2018