On Fri, Jun 08, 2018 at 11:29:35AM -0400, Laine Stump wrote:
> On 06/08/2018 10:55 AM, Daniel P. Berrangé wrote:
> > Despite having StrictHostKeyChecking=no, SSH still complains about the
> > host key mismatch and disables password auth as a result. Using
> > /dev/null as the known_hosts file ensures the keys are never saved to
> > the user's profile.
>
> Interesting. I had thought that I had run on a machine that didn't have
> anything in its known_hosts file. Maybe I've done something to my cached
> test image that causes it to succeed?

I'm really confused because what's there ought to work according to my
reading of it, but it seems even with the StrictHostKeyChecking=no, if
you specifically have password auth, ssh will complain to avoid MITM
stealing the password. So the known_hosts /dev/null big hammer just stops
that.

> >
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
>
> Reviewed-by: Laine Stump <laine@xxxxxxxxx>
>
>
> (really what we should be doing for these tests is to connect to the
> guest's serial console, especially for no-ip-spoofing and
> no-mac-spoofing, since they actually make the guest unreachable for a
> short time. But what we have now works, so there's lots more important
> things to worry about...)
>
> > --- > > scripts/nwfilter/210-no-mac-spoofing.t | 3 ++- > > scripts/nwfilter/220-no-ip-spoofing.t | 3 ++- > > scripts/nwfilter/230-no-mac-broadcast.t | 3 ++- > > scripts/nwfilter/240-no-arp-spoofing.t | 3 ++- > > 4 files changed, 8 insertions(+), 4 deletions(-) > > > > diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t > > index 99c5058..95b1499 100644 > > --- a/scripts/nwfilter/210-no-mac-spoofing.t > > +++ b/scripts/nwfilter/210-no-mac-spoofing.t
> > @@ -97,7 +97,8 @@ diag "ssh'ing into $guestip"; > > my $ssh = Net::OpenSSH->new($guestip, > > user => "root", > > password => $tck->root_password(), > > - master_opts => [-o => "StrictHostKeyChecking=no"]); > > + master_opts => [-o => "UserKnownHostsFile=/dev/null", > > + -o => "StrictHostKeyChecking=off"]); > > > > # now bring eth0 down, change MAC and bring it up again > > diag "fiddling with mac"; > > diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t > > index 85c4807..a1da6eb 100644 > > --- a/scripts/nwfilter/220-no-ip-spoofing.t > > +++ b/scripts/nwfilter/220-no-ip-spoofing.t > > @@ -91,7 +91,8 @@ diag "ssh'ing into $guestip"; > > my $ssh = Net::OpenSSH->new($guestip, > > user => "root", > > password => $tck->root_password(), > > - master_opts => [-o => "StrictHostKeyChecking=no"]); > > + master_opts => [-o => "UserKnownHostsFile=/dev/null", > > + -o => "StrictHostKeyChecking=no"]); > > > > # now bring eth0 down, change IP and bring it up again > > diag "preparing ip spoof"; > > diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t > > index b65b3fc..4254e7c 100644 > > --- a/scripts/nwfilter/230-no-mac-broadcast.t > > +++ b/scripts/nwfilter/230-no-mac-broadcast.t > > @@ -119,7 +119,8 @@ diag "ssh'ing into $guestip"; > > my $ssh = Net::OpenSSH->new($guestip, > > user => "root", > > password => $tck->root_password(), > > - master_opts => [-o => "StrictHostKeyChecking=no"]); > > + master_opts => [-o => "UserKnownHostsFile=/dev/null", > > + -o => "StrictHostKeyChecking=no"]); > > > > # now generate a mac broadcast paket > > diag "generate mac broadcast"; > > diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t > > index 69851b6..882a385 100644 > > --- a/scripts/nwfilter/240-no-arp-spoofing.t > > +++ b/scripts/nwfilter/240-no-arp-spoofing.t 
> > @@ -100,7 +100,8 @@ diag "ssh'ing into $guestip"; > > my $ssh = Net::OpenSSH->new($guestip, > > user => "root", > > password => $tck->root_password(), > > - master_opts => [-o => "StrictHostKeyChecking=no"]); > > + master_opts => [-o => "UserKnownHostsFile=/dev/null", > > + -o => "StrictHostKeyChecking=no"]); > > > > # now generate a arp spoofing packets > > diag "generate arpspoof script"; > > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
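Review bot: In the 210-no-mac-spoofing.t hunk the added option reads "StrictHostKeyChecking=off", while the removed line and the 220, 230 and 240 hunks all use "StrictHostKeyChecking=no". The commit message only describes adding the /dev/null known_hosts file, so the change of value looks unintended. Suggest keeping -o => "StrictHostKeyChecking=no" in this file so all four scripts pass the same options.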
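Review bot: The added -o => "UserKnownHostsFile=/dev/null" lines in the 220, 230 and 240 hunks have no comment explaining why the override is needed alongside StrictHostKeyChecking=no; the reason (a host key mismatch disables password auth) lives only in the commit message. Suggest a one-line comment above master_opts in each script. The same two-option list is now repeated in four files, so a shared helper that returns the master_opts array would keep the copies from drifting apart.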