Libgit2 doesn't support hashed hosts in known_hosts file #1593

Closed
Tracked by #2593
mikesir87 opened this issue Jul 6, 2021 · 2 comments · Fixed by fluxcd/source-controller#720
@mikesir87

Describe the bug

While experimenting with ImageUpdateAutomation, I ran into the following issue. IUA uses only libgit2 (since fluxcd/image-automation-controller#177) while the GitRepository defaults to go-git. My repos were able to fetch and sync correctly on the GitRepository -> Kustomization flow, but I repeatedly got errors when IUA was trying to sync. It failed during the git clone with a message simply indicating auth error: EOF.

After doing some digging, I found it was an issue with the configured known_hosts in the SSH credential secret referenced on the GitRepository. It appears that libgit2 only supports one format while go-git supports both formats.

known_hosts without hashed hosts

> ssh-keyscan -t rsa github.com
# github.com:22 SSH-2.0-babeld-4cec2db4
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

known_hosts with hashed hosts

> # github.com:22 SSH-2.0-babeld-4cec2db4
|1|JjNNIoOyXpYOUxQYCq4iFNKTlSg=|IFUINCl+BFmqhiANWm1qgP/9YA8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

I had originally created my known_hosts config with the hashed option, but it appears libgit2 doesn't know how to use it. By swapping to the first option, it worked. My GitRepository was still using the default (go-git), so it appears to be happy with it too.

To Reproduce

Steps to reproduce the behaviour:

  1. Configure the known_hosts for the SSH credential using ssh-keyscan -H <host>.
  2. Create your GitRepository and ImageUpdateAutomation objects.
  3. Wait for the next sync. You'll see the GitRepository will sync, but the IUA will fail with a message of auth error: EOF.

Expected behavior

Both known_hosts formats should be supported or at least an error message informing the administrator to use the other method of creating the file.
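
How a hashed known_hosts entry is matched, as an added example that is not part of the original issue or of the Flux or libgit2 code: the host field is `|1|salt|hash`, where the hash is HMAC-SHA1 of the host name keyed with the salt, so a client must recompute it for the host it connects to rather than compare strings. The function names, host names and key strings below are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// hostMAC computes HMAC-SHA1 keyed with the salt over the host name.
func hostMAC(salt []byte, host string) []byte {
	m := hmac.New(sha1.New, salt)
	m.Write([]byte(host))
	return m.Sum(nil)
}

// hashHost renders the hashed host field: |1|base64(salt)|base64(mac).
func hashHost(salt []byte, host string) string {
	e := base64.StdEncoding
	return "|1|" + e.EncodeToString(salt) + "|" + e.EncodeToString(hostMAC(salt, host))
}

// fieldMatches checks one known_hosts host field, plain or hashed, against host.
func fieldMatches(field, host string) bool {
	if p := strings.Split(field, "|"); len(p) == 4 && p[0] == "" && p[1] == "1" {
		salt, err1 := base64.StdEncoding.DecodeString(p[2])
		want, err2 := base64.StdEncoding.DecodeString(p[3])
		return err1 == nil && err2 == nil && hmac.Equal(hostMAC(salt, host), want)
	}
	// Plain field: comma-separated names (wildcard patterns are not handled here).
	return strings.Contains(","+field+",", ","+host+",")
}

// findKeys returns "type key" for every entry in knownHosts that matches host.
func findKeys(knownHosts, host string) (keys []string) {
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0][0] != '#' && f[0][0] != '@' && fieldMatches(f[0], host) {
			keys = append(keys, f[1]+" "+f[2])
		}
	}
	return keys
}

func main() {
	kh := hashHost([]byte("constructed-salt"), "git.example.test") + " ssh-ed25519 PLACEHOLDERKEY" // constructed sample
	fmt.Println(findKeys(kh, "git.example.test"), findKeys(kh, "other.example.test"))
}
```

For a non-default port, OpenSSH hashes the string `[host]:port`, so that is the value to pass as `host`.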

@hiddeco
Member

hiddeco commented Jul 6, 2021

This may be another version, or related to: fluxcd/source-controller#397

@pjbgf
Member

pjbgf commented May 16, 2022

@mikesir87 just as an update, this has been recently merged into main and will be contained in the next source-controller release.
