
Prompt when key has changed?

Open stephenmbell opened this issue 6 years ago • 5 comments

Thank you for all of your work on this module - it certainly makes my team's job much easier and is much appreciated!

We ran into an issue this week - we manage a network of 700 routers and switches and we use PowerShell and this module for our automation. We were having an issue connecting to a handful of devices - getting the error message "key exchange negotiation failed". We have DNS entries for all of our routers. The confusing part was, when I connected to the IP it would error, while the DNS name would succeed.

After some debugging in this and the Renci SSH project I found that this was due to the key not matching the cached key in the registry. Turns out that our field team had replaced these problem devices.

Would it be possible (or even a good idea) to prompt that the key does not match and ask to accept?

stephenmbell avatar May 17 '18 13:05 stephenmbell

Sadly that code will go away and the logic will change so as to make the module also work with .Net Core. There is no registry and the way I prompt the user is not supported either on it.


darkoperator avatar May 17 '18 14:05 darkoperator

I was about to open an issue on this topic today as well.

The module actually does not handle the case when a host key has changed. The system lacks the ability to manually remove an old key from an OpenSSH-like database such as .ssh/known_hosts. Instead, known hosts are stored in the Windows registry (@darkoperator I would suggest making a major change to your great module, using a storage mechanism other than the Windows registry instead).

The only way to handle SSH host key changes is to globally use -Force with New-SSHSession, which I would not recommend in general.

As a quick fix, I'd recommend something like the following in NewSessionBase.cs:

    // Only hosts with a cached fingerprint reach this branch; unknown hosts are handled elsewhere.
    if (_sshHostKeys.ContainsKey(computer1))
    {
        // Trust the connection only if the presented fingerprint equals the cached one.
        e.CanTrust = _sshHostKeys[computer1] == fingerPrint;
        if (e.CanTrust && MyInvocation.BoundParameters.ContainsKey("Verbose"))
            Host.UI.WriteVerboseLine("Fingerprint matched trusted fingerprint for host " + computer1);
        // Mismatch: replace the cached key only when the caller explicitly opted in (e.CanUpdateTrust).
        else if (e.CanTrust == false && e.CanUpdateTrust)
        {
            Host.UI.WriteVerboseLine("Fingerprint does not match trusted fingerprint for host " + computer1);
            var keymng = new TrustedKeyMng();
            keymng.SetKey(computer1, fingerPrint);
        }
    }

If you add an e.CanUpdateTrust attribute, a developer can catch an exception and is able to handle user interaction to call New-SSHSession with, let's say -ForceUpdate, on demand.

Let me know if I shall give you a pull request. If you're not interested, I won't try to integrate my quick patch into your code :)

cheers, ths

devio avatar May 17 '18 21:05 devio

You can manage keys right now by hand, but I do need to develop a cmdlet that pulls the key from a host to simplify it.

darkoperator avatar May 17 '18 22:05 darkoperator

"you can manage keys right now by hand" - I've got this issue now with a host that's changed its key (1024 - 2048 RSA). How do I update the host key manually? At present I can use New-SFTPSession [....] -Force but that's not ideal to say the least.

GSVNoFixedabode avatar Feb 18 '21 03:02 GSVNoFixedabode

There are 3 functions to manage them:

Get-SSHTrustedHost
Remove-SSHTrustedHost
New-SSHTrustedHost

darkoperator avatar Feb 18 '21 12:02 darkoperator
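The thread's recommended handling, written out as an added PowerShell example (this is not Posh-SSH project code and not from any participant): when a host key mismatch is caused by a legitimate device replacement, correct the one cached entry with the three cmdlets named above and keep connecting without -Force, so that any later mismatch is still refused. The new fingerprint is taken from an out-of-band source (device console, change record) and compared against what is cached, rather than accepted from the failing connection. Assumptions: Posh-SSH 3.x parameter names (Get-SSHTrustedHost -HostName, Remove-SSHTrustedHost -HostName, New-SSHTrustedHost -HostName -FingerPrint) and that Get-SSHTrustedHost returns objects with HostName and Fingerprint properties; 2.x used -SSHHost instead, so check Get-Help on your install. The host names and fingerprints in the usage lines are constructed placeholders. Because the cache is keyed by the name used to connect, the function accepts several names so the IP and DNS entries seen in the original report can be corrected together.

```powershell
# Added example, not Posh-SSH project code. Re-trusts a host whose SSH host key
# legitimately changed (e.g. the device was replaced) without resorting to
# New-SSHSession -Force. Cmdlet/parameter shapes below are assumed from Posh-SSH 3.x:
#   Get-SSHTrustedHost    -HostName <string>  -> objects with HostName, Fingerprint
#   Remove-SSHTrustedHost -HostName <string>
#   New-SSHTrustedHost    -HostName <string> -FingerPrint <string>
# (Posh-SSH 2.x named the host parameter -SSHHost.)

function Update-SSHTrustedHostKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Every name the automation connects with (DNS name and IP address are
        # separate cache entries, which is why one worked and the other failed).
        [Parameter(Mandatory)] [string[]] $HostName,

        # Fingerprint obtained out-of-band (device console, change ticket for the
        # replacement). Never copy it from the connection that just failed.
        [Parameter(Mandatory)] [string] $ExpectedFingerPrint
    )

    # Normalise case so "AA:BB" and "aa:bb" compare equal.
    $expected = $ExpectedFingerPrint.Trim().ToLowerInvariant()

    foreach ($name in $HostName) {
        $cached = Get-SSHTrustedHost -HostName $name |
            Where-Object { $_.HostName -eq $name } |
            Select-Object -First 1

        if ($null -eq $cached) {
            # No entry yet: first contact, trust the verified fingerprint.
            if ($PSCmdlet.ShouldProcess($name, "Trust host key $expected")) {
                New-SSHTrustedHost -HostName $name -FingerPrint $expected
            }
            [pscustomobject]@{ HostName = $name; Action = 'Added' }
            continue
        }

        if ($cached.Fingerprint.ToLowerInvariant() -eq $expected) {
            Write-Verbose "Cached fingerprint for $name already matches; nothing to do."
            [pscustomobject]@{ HostName = $name; Action = 'Unchanged' }
            continue
        }

        # A mismatch is a security event even when expected: log both values so
        # the replacement of the trusted key is auditable.
        Write-Warning ("Host key for {0} changed: cached {1}, verified new {2}" -f
            $name, $cached.Fingerprint, $expected)

        if ($PSCmdlet.ShouldProcess($name, 'Replace trusted host key')) {
            Remove-SSHTrustedHost -HostName $name
            New-SSHTrustedHost -HostName $name -FingerPrint $expected
        }
        [pscustomobject]@{ HostName = $name; Action = 'Replaced' }
    }
}

# Usage (constructed placeholder host names and fingerprint):
# Update-SSHTrustedHostKey -HostName 'rtr-01.example.net', '192.0.2.10' `
#     -ExpectedFingerPrint 'aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99' -Verbose
#
# Then connect WITHOUT -Force so any further key change is still rejected:
# $s = New-SSHSession -ComputerName 'rtr-01.example.net' -Credential (Get-Credential)
```

Running the function with -WhatIf first shows which cache entries would be touched without changing anything, which is useful when correcting entries for a batch of replaced devices.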