[pve-devel] [RFC cluster] pvecmn: add sshkeyscan

Dietmar Maurer dietmar at proxmox.com
Sun Nov 27 11:17:16 CET 2016


The problem is that ssh always uses the hostname/IP from
the command line. I found a pending patch for ssh that
would solve the problem here:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html

But it seems it does not get applied (pending for more than one year).

So what if we always use the same name on the command line, but change
the DNS resolver instead?

Here is a small LD_PRELOAD hack:

---fakehost.c---------------------------------
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int getaddrinfo(const char *node, const char *service,
		const struct addrinfo *hints,
		struct addrinfo **res)
{
	int (*orig_getaddrinfo)(const char *node, const char *service,
				const struct addrinfo *hints,
				struct addrinfo **res);

	/* locate the real libc getaddrinfo behind this interposer */
	orig_getaddrinfo = dlsym(RTLD_NEXT, "getaddrinfo");

	/* FAKEHOST="name:address": lookups of "name" are resolved as "address" */
	const char *fakehost_env = getenv("FAKEHOST");

	/* node may be NULL (passive/bind lookups): nothing to rewrite then */
	if (!fakehost_env || !node)
		goto org;

	char *fakehost = strdupa(fakehost_env);

	/* note: splitting on ':' means the address part cannot be an IPv6 literal */
	char *name = strtok(fakehost, ":");
	if (!name || (strcmp(name, node) != 0))
		goto org;

	char *new_node = strtok(NULL, ":");
	if (!new_node)
		goto org;

	/* connect to new_node; ssh still uses the command-line name for known_hosts */
	return (*orig_getaddrinfo)(new_node, service, hints, res);

org:
	return (*orig_getaddrinfo)(node, service, hints, res);
}
------------------------------------

You can compile and test that using:

# gcc -Wall -fPIC -shared -o fakehost.so fakehost.c -ldl
# LD_PRELOAD=./fakehost.so FAKEHOST="testname:1.2.3.4" ssh testname

Do you think that would solve the problem?


> On November 19, 2016 at 11:40 AM Thomas Lamprecht <t.lamprecht at proxmox.com>
> wrote:
> 
> 
> On 19.11.2016 09:53, Dietmar Maurer wrote:
> > this looks extremely clumsy to me. Are there any alternatives?
> >
> 
> If we want to automate it I did not find any better way yet. Using
> ssh-keyscan is nice as it is fast and does accept multiple hosts at once.
> Using the unique sort is just a security measure against spamming the
> known_hosts files with multiple duplicate entries.
> And for gathering the IPs I misused the new pvecm mtunnel --get_migration_ip
> command, this is not ideal from a naming perspective, but seemed too practical
> to me to not use it as a hack :)
> 
> We could just document how to use ssh-keyscan manually to simplify this
> process for the user and omit this entirely.
> But the process would be almost the same, apart from the automatic IP gathering,
> the user knows already the IPs of his hosts.
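An added example, not code from the list post or from Proxmox, that generalizes the preload hack above: the mapping is read from a `FAKEHOST` spec in the assumed form `name1=addr1,name2=addr2` (so IPv6 literals, which contain ':', cannot collide with the separator), several node names can be redirected at once, a NULL node (passive/bind lookups) is passed through untouched, and the real `getaddrinfo` is resolved once and cached. The `fakehost_lookup` helper, the `FAKEHOST_MAX` limit and the spec syntax are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <netdb.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Fallback in case _GNU_SOURCE was not seen before <dlfcn.h>;
 * this is glibc's value of RTLD_NEXT. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1L)
#endif

/* Assumed upper bound for a substituted address or host name. */
#define FAKEHOST_MAX 256

/*
 * Look up `node` in a mapping spec of the (assumed, example-only) form
 *     name1=addr1,name2=addr2,...
 * '=' separates a name from its address and ',' separates entries, so an
 * IPv6 literal such as fd00::2 is safe on the right-hand side.
 * On a match the address is copied into `out` and `out` is returned;
 * otherwise NULL is returned and `out` is left untouched.  Entries without
 * '=', with an empty address, or whose name only prefix-matches are skipped.
 */
const char *fakehost_lookup(const char *spec, const char *node,
                            char *out, size_t outlen)
{
    if (!spec || !node || !out || outlen == 0)
        return NULL;

    size_t nodelen = strlen(node);
    const char *p = spec;

    while (*p) {
        /* the current entry spans p .. end (end exclusive) */
        const char *end = strchr(p, ',');
        if (!end)
            end = p + strlen(p);

        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq) {
            size_t namelen = (size_t)(eq - p);
            size_t addrlen = (size_t)(end - eq - 1);
            if (namelen == nodelen && strncmp(p, node, nodelen) == 0
                && addrlen > 0 && addrlen < outlen) {
                memcpy(out, eq + 1, addrlen);
                out[addrlen] = '\0';
                return out;
            }
        }
        p = *end ? end + 1 : end;
    }
    return NULL;
}

/* LD_PRELOAD interposer: rewrite the node name, then forward to libc.
 * ssh keeps using the command-line name for its known_hosts lookup, so the
 * host key is verified under that name while the TCP connection goes to the
 * substituted address. */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res)
{
    static int (*real_getaddrinfo)(const char *, const char *,
                                   const struct addrinfo *,
                                   struct addrinfo **);
    if (!real_getaddrinfo)
        real_getaddrinfo = dlsym(RTLD_NEXT, "getaddrinfo");
    if (!real_getaddrinfo)
        return EAI_FAIL;   /* no libc implementation found: cannot resolve */

    char buf[FAKEHOST_MAX];
    const char *target = fakehost_lookup(getenv("FAKEHOST"), node,
                                         buf, sizeof buf);

    return real_getaddrinfo(target ? target : node, service, hints, res);
}
```

Build and use it the same way as the post's version, e.g. `gcc -Wall -fPIC -shared -o fakehost.so fakehost.c` (add `-ldl` on glibc older than 2.34) and then `LD_PRELOAD=./fakehost.so FAKEHOST="node1=10.0.0.1,node2=fd00::2" ssh node1`. Two caveats worth keeping in mind: the dynamic loader ignores `LD_PRELOAD` for set-user-ID binaries, and the host key that ssh then checks is whatever `known_hosts` holds under `node1`, so the entry must already have been recorded under that name. OpenSSH's own client option `HostKeyAlias` (`ssh -o HostKeyAlias=node1 10.0.0.1`) selects the known_hosts name without any resolver trickery.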