Message-ID: <CACYkhxj735VaX6m0ff-tp9XPNxgEc=s-S3yAX+3EtPSTY7DWuw@mail.gmail.com>
Date: Mon, 1 Jul 2013 14:45:43 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Ansible not caching SSH host keys

http://www.ansibleworks.com/

Problem:
Default configuration does not cache SSH host keys, effectively disabling
host key checking.

Note - do not credit me for finding this, I'm just the only person
indignant enough to request a CVE

A colleague found this bug, only to notice that it was logged by somebody
else (antong on GitHub), and rejected:
https://github.com/ansible/ansible/issues/857

This can be fixed by calling ssh.load_system_host_keys() after line 78 of
https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py

While it is possible to call the SSH command instead of using paramiko,
this isn't the default and the ramifications of not checking host keys
aren't advertised to users.  A more reasonable approach would be to
document how to un-cache a host key should it change.

Regards,
  Michael
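
Added example (not part of the original message, and not Ansible's or paramiko's code): a stdlib-only Python model of the known_hosts lookup an SSH client performs, showing that with no cached keys a changed host key cannot be told apart from a new host. The function names, the `accept_unknown` flag, the hostnames and the key blobs are assumptions constructed for illustration.

```python
import base64, hashlib, hmac

def hash_host(hostname, salt):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, hostname):
    """Compare a host field (plain or hashed) with a hostname; no wildcard support."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hash_host(hostname, salt))
    return pattern == hostname

def load_cache(text):
    """Parse known_hosts text into (host_fields, keytype, key_b64) tuples."""
    cache = []
    for line in text.splitlines():
        fields = line.split()
        # Comments and @cert-authority/@revoked marker lines are skipped in this sketch.
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")):
            cache.append((fields[0].split(","), fields[1], fields[2]))
    return cache

def decide(cache, hostname, keytype, key_b64, accept_unknown):
    """Return 'connect', 'connect-unverified' or 'reject' for a presented host key."""
    known = [k for hosts, t, k in cache
             if t == keytype and any(host_matches(h, hostname) for h in hosts)]
    if any(hmac.compare_digest(k, key_b64) for k in known):
        return "connect"
    if known:
        return "reject"  # host is cached under a different key: the case caching exists for
    return "connect-unverified" if accept_unknown else "reject"

# Constructed sample data: placeholder key blobs, not real SSH keys.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
KNOWN_HOSTS = "web1.example.com,192.0.2.10 ssh-rsa %s\n%s ssh-rsa %s\n" % (
    KEY_A, hash_host("db1.example.com", b"constructed-salt"), KEY_A)

if __name__ == "__main__":
    for label, cache in (("empty cache", []), ("loaded cache", load_cache(KNOWN_HOSTS))):
        for key in (KEY_A, KEY_B):
            print(label, decide(cache, "web1.example.com", "ssh-rsa", key, True))
```

With the empty cache both keys yield `connect-unverified`; with the cache loaded, the changed key is rejected.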
