unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#18967: Tramp disables important SSH security features
@ 2014-11-06  0:47 Daniel Colascione
  2014-11-06 12:05 ` Ted Zlatanov
  0 siblings, 1 reply; 13+ messages in thread
From: Daniel Colascione @ 2014-11-06  0:47 UTC (permalink / raw)
  To: 18967

[-- Attachment #1: Type: text/plain, Size: 354 bytes --]

Tramp disables SSH host key checks by setting
GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
StrictHostKeyChecking=no in its default method configuration. These
settings allow attackers to intercept connections to remote hosts, sniff
passwords, and cause other mischief. I don't think we should ship an
insecure configuration.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-06  0:47 bug#18967: Tramp disables important SSH security features Daniel Colascione
@ 2014-11-06 12:05 ` Ted Zlatanov
  2014-11-06 16:58   ` Daniel Colascione
  0 siblings, 1 reply; 13+ messages in thread
From: Ted Zlatanov @ 2014-11-06 12:05 UTC (permalink / raw)
  To: Daniel Colascione; +Cc: 18967

On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol@dancol.org> wrote: 

DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.

I think the alternatives are something like what Ansible does:
http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
or a SSH client library as a FFI. SSH, when called externally, has many
failure modes without those options.

Ted





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-06 12:05 ` Ted Zlatanov
@ 2014-11-06 16:58   ` Daniel Colascione
  2014-11-06 20:59     ` Ted Zlatanov
  2014-11-06 23:39     ` Stefan Monnier
  0 siblings, 2 replies; 13+ messages in thread
From: Daniel Colascione @ 2014-11-06 16:58 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: 18967

[-- Attachment #1: Type: text/plain, Size: 899 bytes --]

On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol@dancol.org> wrote: 
> 
> DC> Tramp disables SSH host key checks by setting
> DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
> DC> StrictHostKeyChecking=no in its default method configuration. These
> DC> settings allow attackers to intercept connections to remote hosts, sniff
> DC> passwords, and cause other mischief. I don't think we should ship an
> DC> insecure configuration.
> 
> I think the alternatives are something like what Ansible does:
> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
> or a SSH client library as a FFI. 

> SSH, when called externally, has many
> failure modes without those options.

So let it fail. Since when is it okay to trade diminished security for
improved reliability?


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-06 16:58   ` Daniel Colascione
@ 2014-11-06 20:59     ` Ted Zlatanov
  2014-11-06 23:39     ` Stefan Monnier
  1 sibling, 0 replies; 13+ messages in thread
From: Ted Zlatanov @ 2014-11-06 20:59 UTC (permalink / raw)
  To: Daniel Colascione; +Cc: 18967

On Thu, 06 Nov 2014 16:58:24 +0000 Daniel Colascione <dancol@dancol.org> wrote: 

DC> On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
>> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione <dancol@dancol.org> wrote: 
>> 
DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.
>> 
>> I think the alternatives are something like what Ansible does:
>> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
>> or a SSH client library as a FFI. 

>> SSH, when called externally, has many failure modes without those
>> options.

DC> So let it fail.

You can discuss that with the users and the maintainers and Michael
Albinus.  I was certainly not recommending a course of action.

DC> Since when is it okay to trade diminished security for improved
DC> reliability?

Happiness comes from within?

Ted





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-06 16:58   ` Daniel Colascione
  2014-11-06 20:59     ` Ted Zlatanov
@ 2014-11-06 23:39     ` Stefan Monnier
  2014-11-07  7:56       ` Michael Albinus
  1 sibling, 1 reply; 13+ messages in thread
From: Stefan Monnier @ 2014-11-06 23:39 UTC (permalink / raw)
  To: Daniel Colascione; +Cc: Ted Zlatanov, 18967

> So let it fail.

Agreed.  But I think the difficulty is in making Tramp fail cleanly
(as opposed to hang, for example).


        Stefan "who has similar issues with the connection-sharing defaults"





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-06 23:39     ` Stefan Monnier
@ 2014-11-07  7:56       ` Michael Albinus
  2016-12-13  1:12         ` Glenn Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Albinus @ 2014-11-07  7:56 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Ted Zlatanov, 18967

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

>> So let it fail.
>
> Agreed.  But I think the difficulty is in making Tramp fail cleanly
> (as opposed to hang, for example).

Indeed, and this was the reason for the current settings. I will recheck
whether we could do it differently; but do not expect results in a day
or two. There are several bug reports about Tramp I'm faced with, and
due to local restrictions my progress is slow.

>         Stefan "who has similar issues with the connection-sharing defaults"

Yes, that might be revisited as well.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2014-11-07  7:56       ` Michael Albinus
@ 2016-12-13  1:12         ` Glenn Morris
  2016-12-13  8:36           ` Michael Albinus
  0 siblings, 1 reply; 13+ messages in thread
From: Glenn Morris @ 2016-12-13  1:12 UTC (permalink / raw)
  To: Michael Albinus; +Cc: Ted Zlatanov, 18967, Stefan Monnier


Hi Michael - is there any update on this issue?





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-13  1:12         ` Glenn Morris
@ 2016-12-13  8:36           ` Michael Albinus
  2016-12-13 20:04             ` Glenn Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Albinus @ 2016-12-13  8:36 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 18967, Ted Zlatanov, Stefan Monnier

Glenn Morris <rgm@gnu.org> writes:

> Hi Michael - is there any update on this issue?

Hi Glenn,

no update, I've stalled this issue. And I'm still undecided how to
change it w/o damaging Tramp functionality.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-13  8:36           ` Michael Albinus
@ 2016-12-13 20:04             ` Glenn Morris
  2016-12-18  8:51               ` Michael Albinus
  0 siblings, 1 reply; 13+ messages in thread
From: Glenn Morris @ 2016-12-13 20:04 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 18967, Ted Zlatanov, Stefan Monnier


How about

ssh -o BatchMode=yes 

?

IIUC, this causes ssh to fail with an error, instead of eg asking "Are
you sure you want to continue connecting" and waiting forever.

(But it also seems to me that it is not Tramp's job to work around
difficulties a user might be having with SSH, and that eg an occasional
hang is preferable to changing things to be less secure that SSH's
default).





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-13 20:04             ` Glenn Morris
@ 2016-12-18  8:51               ` Michael Albinus
  2016-12-19 17:02                 ` Glenn Morris
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Albinus @ 2016-12-18  8:51 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 18967, Ted Zlatanov, Stefan Monnier

Glenn Morris <rgm@gnu.org> writes:

> How about
>
> ssh -o BatchMode=yes 

No, Batchmode suppresses the password dialogue. Not applicable.

And looking at the code I really don't see what can be done.

Note, that GlobalKnownHostsFile, UserKnownHostsFile and
StrictHostKeyChecking are not disabled by default. They are disabled
only in case a so-called gateway is used, like
"/tunnel:proxyhost#3128|ssh:remotehost:/path/to/file". Tramp will
created a temporary httpd tunnel then, with a random port number on the
localhost, like localhost#12345.

If you connect to remotehost as above, there will be a an internal ssh
connection to localhost#12345, which is the tunnel through proxyhost. If
you connect to another.remotehost afterwards, the same internal ssh
target will be used. But remotehost and another.remotehost are
different, and so are their host keys. That's why Tramp must be
instructed to ignore the host keys in this very special case.

See also (info "(tramp) Gateway methods")

Best regards, Michael.





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-18  8:51               ` Michael Albinus
@ 2016-12-19 17:02                 ` Glenn Morris
  2016-12-19 18:37                   ` Michael Albinus
  0 siblings, 1 reply; 13+ messages in thread
From: Glenn Morris @ 2016-12-19 17:02 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 18967, Ted Zlatanov, Stefan Monnier


Thanks for explaining the issue. It sounds to me like closing this as
wontfix would be appropriate.





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-19 17:02                 ` Glenn Morris
@ 2016-12-19 18:37                   ` Michael Albinus
  2016-12-21 11:44                     ` Michael Albinus
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Albinus @ 2016-12-19 18:37 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 18967, Ted Zlatanov, Stefan Monnier

Glenn Morris <rgm@gnu.org> writes:

Hi Glenn,

> Thanks for explaining the issue. It sounds to me like closing this as
> wontfix would be appropriate.

Perhaps.

I have some plans for a while to obsolete tramp-gw.el. When I wrote it
back in 2007, it was the only possibility to have an own implementation
of HTTP CONNECT tunneling.

Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
implement it itself anymore.

This would perform much better than my implementation in
tramp-gw.el. And this bug would disappear automatically.

So let's keep this bug as reminder. And I will see, whether I could
document these settings in the Tramp manual. There are some free days
next two weeks, isn't it the Xmas break?

Best regards, Michael.





^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#18967: Tramp disables important SSH security features
  2016-12-19 18:37                   ` Michael Albinus
@ 2016-12-21 11:44                     ` Michael Albinus
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Albinus @ 2016-12-21 11:44 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 18967-done, Ted Zlatanov, Stefan Monnier

Version: 26.1

> I have some plans for a while to obsolete tramp-gw.el. When I wrote it
> back in 2007, it was the only possibility to have an own implementation
> of HTTP CONNECT tunneling.
>
> Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
> use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
> implement it itself anymore.
>
> This would perform much better than my implementation in
> tramp-gw.el. And this bug would disappear automatically.
>
> So let's keep this bug as reminder. And I will see, whether I could
> document these settings in the Tramp manual. There are some free days
> next two weeks, isn't it the Xmas break?

Done, closing the bug.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2016-12-21 11:44 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-06  0:47 bug#18967: Tramp disables important SSH security features Daniel Colascione
2014-11-06 12:05 ` Ted Zlatanov
2014-11-06 16:58   ` Daniel Colascione
2014-11-06 20:59     ` Ted Zlatanov
2014-11-06 23:39     ` Stefan Monnier
2014-11-07  7:56       ` Michael Albinus
2016-12-13  1:12         ` Glenn Morris
2016-12-13  8:36           ` Michael Albinus
2016-12-13 20:04             ` Glenn Morris
2016-12-18  8:51               ` Michael Albinus
2016-12-19 17:02                 ` Glenn Morris
2016-12-19 18:37                   ` Michael Albinus
2016-12-21 11:44                     ` Michael Albinus

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).