[libvirt] [tck PATCH v2 11/15] scripts: disable known hosts file

Daniel P. Berrangé berrange at redhat.com
Fri Jun 8 15:48:42 UTC 2018


On Fri, Jun 08, 2018 at 11:29:35AM -0400, Laine Stump wrote:
> On 06/08/2018 10:55 AM, Daniel P. Berrangé wrote:
> > Despite having StrictHostKeyChecking=no, SSH still complains about the
> > host key mismatch and disables password auth as a result. Using
> > /dev/null as the known_hosts file ensures the keys are never saved to
> > the user's profile.
> 
> Interesting. I had thought that I had run on a machine that didn't have
> anything in its known_hosts file. Maybe I've done something to my cached
> test image that causes it to succeed?

I'm really confused because what's there ought to work according to my
reading of it, but it seems even with the StrictHostKeyChecking=no,
if you specifically have password auth, ssh will complain to avoid MITM
stealing the password. So the known_hosts /dev/null big hammer just
stops that.

> 
> >
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> 
> Reviewed-by: Laine Stump <laine at laine.org>
> 
> 
> (really what we should be doing for these tests is to connect to the
> guest's serial console, especially for no-ip-spoofing and
> no-mac-spoofing, since they actually make the guest unreachable for a
> short time. But what we have now works, so there's lots more important
> things to worry about...)
> 
> > ---
> >  scripts/nwfilter/210-no-mac-spoofing.t  | 3 ++-
> >  scripts/nwfilter/220-no-ip-spoofing.t   | 3 ++-
> >  scripts/nwfilter/230-no-mac-broadcast.t | 3 ++-
> >  scripts/nwfilter/240-no-arp-spoofing.t  | 3 ++-
> >  4 files changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t
> > index 99c5058..95b1499 100644
> > --- a/scripts/nwfilter/210-no-mac-spoofing.t
> > +++ b/scripts/nwfilter/210-no-mac-spoofing.t
> > @@ -97,7 +97,8 @@ diag "ssh'ing into $guestip";
> >  my $ssh = Net::OpenSSH->new($guestip,
> >                              user => "root",
> >                              password => $tck->root_password(),
> > -                            master_opts => [-o => "StrictHostKeyChecking=no"]);
> > +                            master_opts => [-o => "UserKnownHostsFile=/dev/null",
> > +                                            -o => "StrictHostKeyChecking=off"]);
> >  
> >  # now bring eth0 down, change MAC and bring it up again
> >  diag "fiddling with mac";
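
Review bot: the added line in this hunk sets "StrictHostKeyChecking=off", while the line it replaces and the other three scripts in this patch use "StrictHostKeyChecking=no". Unless the difference is intended, use the same value here so that all four tests pass ssh the same options.
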
> > diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t
> > index 85c4807..a1da6eb 100644
> > --- a/scripts/nwfilter/220-no-ip-spoofing.t
> > +++ b/scripts/nwfilter/220-no-ip-spoofing.t
> > @@ -91,7 +91,8 @@ diag "ssh'ing into $guestip";
> >  my $ssh = Net::OpenSSH->new($guestip,
> >                              user => "root",
> >                              password => $tck->root_password(),
> > -                            master_opts => [-o => "StrictHostKeyChecking=no"]);
> > +                            master_opts => [-o => "UserKnownHostsFile=/dev/null",
> > +                                            -o => "StrictHostKeyChecking=no"]);
> >  
> >  # now bring eth0 down, change IP and bring it up again
> >  diag "preparing ip spoof";
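
Review bot: the new master_opts lines need a comment saying why host key checking is switched off completely. With both options set, the value of $tck->root_password() is offered for user "root" to whatever answers at $guestip, with no host key comparison and nothing recorded. The commit message gives the reason (password auth is disabled on a host key mismatch even with StrictHostKeyChecking=no), but the script does not, so a later reader may drop UserKnownHostsFile=/dev/null as redundant or copy the pair somewhere that is not a throwaway test guest.
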
> > diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t
> > index b65b3fc..4254e7c 100644
> > --- a/scripts/nwfilter/230-no-mac-broadcast.t
> > +++ b/scripts/nwfilter/230-no-mac-broadcast.t
> > @@ -119,7 +119,8 @@ diag "ssh'ing into $guestip";
> >  my $ssh = Net::OpenSSH->new($guestip,
> >                              user => "root",
> >                              password => $tck->root_password(),
> > -                            master_opts =>  [-o => "StrictHostKeyChecking=no"]);
> > +                            master_opts =>  [-o => "UserKnownHostsFile=/dev/null",
> > +                                             -o => "StrictHostKeyChecking=no"]);
> >  
> >  # now generate a mac broadcast paket 
> >  diag "generate mac broadcast";
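
Review bot: this is the third copy of the same two-element master_opts list in the patch, and a fourth follows in 240-no-arp-spoofing.t. Consider defining the ssh options once, for example on the $tck object that already provides root_password(), so the next change to them cannot leave one script out of step with the others. The doubled space in "master_opts =>  [", carried over from the old line, could be dropped at the same time.
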
> > diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t
> > index 69851b6..882a385 100644
> > --- a/scripts/nwfilter/240-no-arp-spoofing.t
> > +++ b/scripts/nwfilter/240-no-arp-spoofing.t
> > @@ -100,7 +100,8 @@ diag "ssh'ing into $guestip";
> >  my $ssh = Net::OpenSSH->new($guestip,
> >                              user => "root",
> >                              password => $tck->root_password(),
> > -                            master_opts => [-o => "StrictHostKeyChecking=no"]);
> > +                            master_opts => [-o => "UserKnownHostsFile=/dev/null",
> > +                                            -o => "StrictHostKeyChecking=no"]);
> >  
> >  # now generate a arp spoofing packets 
> >  diag "generate arpspoof script";
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



