
Problem with SSH Call Home

Open sjd-xlnx opened this issue 4 years ago • 4 comments

Hi, I have devel builds for netopeer2, sysrepo, etc.

I have established server/client connection and this all seems to be working as expected so far. I am now trying to configure the "ssh call home" feature.

When I import "ssh_callhome.xml" I get the following error...

$ sysrepocfg -v2 --import=ssh_callhome.xml
[ERR]: Invalid leafref value "genkey" - no existing target instance "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ks:name".
[ERR]: Validation failed.
sysrepocfg error: Replace config failed (Validation failed)

As far as I can tell I have the ietf-keystore installed, enabled and configured...

$ sysrepocfg -v3 --export --xpath "/keystore"
[INF]: Scheduled changes not applied because of other existing connections.
[INF]: Connection 75 created.
[INF]: Session 187 (user "stevend", CID 75) created.
<keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
  <asymmetric-keys>
    <asymmetric-key>
      <name>genkey</name>
      <algorithm>rsa2048</algorithm>
      <public-key>XXX</public-key>
      <private-key>XXX</private-key>
    </asymmetric-key>
  </asymmetric-keys>
</keystore>

The key "genkey" exists and this appears to be the one the "call home" is specifying, but it is what the error complains about.

Any ideas?

sjd-xlnx Aug 10 '21 10:08

I cleared the sysrepo repository and re-started everything, and now "ssh call home" seems to work - not sure what the problem was. However, now I have another question relating to this.

On the netopeer2-cli, when I do the listen, it always prompts me to add the host to the knownhosts file. For example...

> listen
Waiting 60s for an SSH Call Home connection on port 4334...
[2021/08/16 17:25:04.015591, 1] socket_callback_connected:  Socket connection callback: 1 (0)
[2021/08/16 17:25:04.019004, 1] ssh_known_hosts_read_entries:  Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
The authenticity of the host '::ffff:127.0.0.1' cannot be established.
ssh-rsa key fingerprint is 2b:56:d1:5d:c2:cd:a1:fb:11:c8:af:37:26:f1:39:92:ee:d7:15:a6.
Are you sure you want to continue connecting (yes/no)? 

I can enter "yes" and it will connect. But I have to do this each time I do a listen. Is this normal? (I can see in the "knownhosts" file that it adds a new entry because each connection seems to originate with a different port number.)

sjd-xlnx Aug 16 '21 16:08

You should be able to adjust this by standard SSH configuration (.ssh/ssh_config file in your user home directory). I think it is the StrictHostKeyChecking parameter, look into ssh_config(5).

michalvasko Aug 23 '21 13:08

> You should be able to adjust this by standard SSH configuration (.ssh/ssh_config file in your user home directory). I think it is the StrictHostKeyChecking parameter, look into ssh_config(5).

Hi @michalvasko, I have the same problem as sjd-xlnx. I'm using the confd_cmd -c "netconf_ssh_call_home 127.0.0.1 4334" command to connect the netconf client. It asked me to enter my password and "Are you sure you want to continue connecting (yes/no)?", but I solved the password problem, so ignore this.

I tried this function "nc_client_ssh_ch_set_auth_hostkey_check_clb", just returning 0 in the callback function, and it doesn't ask anymore, but is it secure if any host server can connect to the client? Do you suggest any other way to write this callback function for more security?

Is there any other way than setting the StrictHostKeyChecking parameter to "no"?

Hope you reply soon. Thank you very much.

HoangThinh-GitHub Dec 03 '21 10:12

I do not really have anything new to tell you. You either want to check the key or not; there are no other options. The default behavior is to check the host key the same way ssh(1) does it. If that does not suit you, you are free to change it by implementing your own callback, as you have found out. How secure it will be depends strictly on your callback implementation. For security details search the web for SSH host key checking, for example.

michalvasko Dec 06 '21 09:12
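The callback question in the thread (returning 0 unconditionally from the host-key check accepts any server) has a middle ground between "prompt every time" and "accept anything": pin the expected key fingerprint per device and reject everything else. The following is an added example, not code from the netopeer2/libnetconf2 project or from either poster. It assumes the libnetconf2 callback signature `int (*)(const char *hostname, ssh_session session, void *priv)` registered with `nc_client_ssh_ch_set_auth_hostkey_check_clb`, where a return of 0 accepts the key (consistent with what the poster observed); the wiring that needs libssh and libnetconf2 is behind a `HAVE_LIBNETCONF2` guard, while the pinning logic itself is plain C and runs stand-alone. The allow-list is constructed: the first entry reuses the fingerprint printed in the thread for 127.0.0.1, the second is a made-up value.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct pinned_host {
    const char *host;        /* peer address, normalized (no port, no ::ffff: prefix) */
    const char *fingerprint; /* colon-separated hex of the host-key hash, lowercase */
};

/* Constructed allow-list. Entry 0 is the fingerprint shown in the thread;
 * entry 1 is a made-up value for a second device. */
static const struct pinned_host PINNED[] = {
    { "127.0.0.1",  "2b:56:d1:5d:c2:cd:a1:fb:11:c8:af:37:26:f1:39:92:ee:d7:15:a6" },
    { "192.0.2.10", "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33" },
};

/* Case-insensitive prefix test that stops safely at the end of s. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Canonicalize the peer address. A dual-stack listener reports IPv4 peers as
 * IPv4-mapped IPv6 ("::ffff:127.0.0.1", exactly what the thread shows), so the
 * prefix is stripped and the rest lowercased. The source port is deliberately
 * not part of the identity: per-port known_hosts entries are why the poster's
 * file kept growing. Returns 0 on success, -1 if the result does not fit. */
int normalize_host(const char *in, char *out, size_t outlen)
{
    const char *prefix = "::ffff:";
    size_t i;

    if (outlen == 0)
        return -1;
    if (has_prefix_ci(in, prefix))
        in += strlen(prefix);
    for (i = 0; in[i] != '\0'; i++) {
        if (i + 1 >= outlen)
            return -1;
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[i] = '\0';
    return 0;
}

/* Case-insensitive fingerprint comparison that walks the whole string
 * instead of stopping at the first mismatch. */
static int fp_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = 0;

    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(tolower((unsigned char)a[i]) ^ tolower((unsigned char)b[i]));
    return diff == 0;
}

/* Returns 1 if (hostname, fingerprint) matches a pinned entry, 0 otherwise.
 * Unknown hosts and changed keys are both rejected: this is the replacement
 * for the blanket "return 0" discussed in the thread. */
int hostkey_allowed(const char *hostname, const char *fingerprint)
{
    char host[256];
    size_t i;

    if (normalize_host(hostname, host, sizeof host) != 0)
        return 0;
    for (i = 0; i < sizeof PINNED / sizeof PINNED[0]; i++)
        if (strcmp(host, PINNED[i].host) == 0)
            return fp_equal(fingerprint, PINNED[i].fingerprint);
    return 0;
}

#ifdef HAVE_LIBNETCONF2
#include <libssh/libssh.h>
#include <nc_client.h>

/* Callback for nc_client_ssh_ch_set_auth_hostkey_check_clb (signature as
 * assumed in the lead-in). SHA1 is used here only because the allow-list
 * holds 20-byte fingerprints in the thread's format; when you generate the
 * list yourself, use SSH_PUBLICKEY_HASH_SHA256 and store those values. */
static int pinned_hostkey_check(const char *hostname, ssh_session session, void *priv)
{
    ssh_key key = NULL;
    unsigned char *hash = NULL;
    size_t hlen = 0;
    char *hex;
    int ok = 0;

    (void)priv;
    if (ssh_get_server_publickey(session, &key) != SSH_OK)
        return -1;
    if (ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA1, &hash, &hlen) != SSH_OK) {
        ssh_key_free(key);
        return -1;
    }
    hex = ssh_get_hexa(hash, hlen);            /* "2b:56:d1:..." */
    if (hex != NULL)
        ok = hostkey_allowed(hostname, hex);
    ssh_string_free_char(hex);
    ssh_clean_pubkey_hash(&hash);
    ssh_key_free(key);
    return ok ? 0 : -1;                        /* 0 accepts, non-zero rejects */
}
/* Register once before waiting for Call Home:
 *   nc_client_ssh_ch_set_auth_hostkey_check_clb(pinned_hostkey_check, NULL); */
#endif

int main(void)
{
    const char *fp = PINNED[0].fingerprint;

    printf("mapped loopback, pinned key : %d\n", hostkey_allowed("::ffff:127.0.0.1", fp));
    printf("unknown host, same key      : %d\n", hostkey_allowed("203.0.113.5", fp));
    return 0;
}
```

The design choice is that "unknown" and "changed" both fail closed; the only way a new device gets in is an operator adding its fingerprint to the list, which is the Call Home equivalent of provisioning known_hosts out of band rather than trusting the first connection.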