Discussion:
Problem with ssh-keyscan: no hostkey alg
Patrick Maigron
2002-02-12 17:37:11 UTC
Hi,

I am using ssh-keyscan with a list of hosts, such as:
ssh-keyscan -t rsa -f hosts_for_keyscan

Some of the hosts in the list have dsa, but no rsa keys. For such
hosts, the command displays:
no hostkey alg

When this is the case for 2 hosts, this message appears twice AND
SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
returned for the following hosts.

Here is the part of the trace corresponding to the problem. In this
example hosts 157.159.100.120 and 157.159.100.122 have dsa but no rsa
keys.

(The problem is even more annoying if I use ssh-keyscan -t rsa1,rsa,dsa,
because after the 2 hosts the whole command stops and NO RSA1 KEYS AT
ALL ARE RETRIEVED.)

It seems that a function cleanup is called for the first host, and
not the second one?

Patrick.

-----
ssh-keyscan -v -t rsa -f hosts_for_keyscan > known_hosts_from_keyscan
...
# 157.159.100.120 SSH-1.99-OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
no hostkey alg
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x1c324(0x0)
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
# 157.159.100.122 SSH-1.99-OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
no hostkey alg
debug1: writing PRNG seed to file /Users/teleinf4/patrick/.ssh/prng_seed
Markus Friedl
2002-02-12 23:25:34 UTC
Post by Patrick Maigron
> When this is the case for 2 hosts, this message appears twice AND
> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> returned for the following hosts.
does this happen with a recent snapshot, too?
Patrick Maigron
2002-02-13 11:58:30 UTC
Post by Markus Friedl
> Post by Patrick Maigron
>> When this is the case for 2 hosts, this message appears twice AND
>> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
>> returned for the following hosts.
> does this happen with a recent snapshot, too?
Sorry, I forget the version numbers...

The client is OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL
0x0090600f
SunOS orion 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-5_10

The servers are SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
Linux A20401 2.2.18 #1 Wed Jan 24 12:28:55 GMT 2001 i686 unknown
Configured with RSA1 and DSA keys, no RSA keys.

Only the 2 first hosts in the command are queried:

orion> ssh-keyscan -t rsa A20401 A20403 A20404
# A20401 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
# A20403 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
orion>

I don't have permissions on the Linux servers, but I configured an
OpenSSH_3.0.2p1 server on my Solaris host with no RSA keys, and I
queried myself. The result is the same:

orion> ssh-keyscan -t rsa orion orion orion
# orion SSH-1.99-OpenSSH_3.0.2p1
no hostkey alg
# orion SSH-1.99-OpenSSH_3.0.2p1
no hostkey alg
orion>

I avoided the problem by querying rsa1 rsa and dsa separately, but it
is annoying not to be able to use "-t rsa1,rsa,dsa"...

Patrick.
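
A check for the failure described in this thread, where ssh-keyscan stops partway through the list and later hosts silently get no keys: the function compares the host list with captured ssh-keyscan output and marks each host ok, no-key or not-queried. It is an added example, not code from the thread or from OpenSSH; it assumes one host name per line in the list and output captured with stderr merged (2>&1), and the names keyscan_coverage, demo and ok-host are made up here.

```shell
#!/bin/sh
# Added example: classify each host in a scan list by what ssh-keyscan
# reported for it. Inputs are files; nothing here contacts the network.
#   $1 = host list, one name per line (assumed layout of the -f file)
#   $2 = ssh-keyscan output with stderr merged in (2>&1)
# Prints "<host> <status>", status being ok, no-key or not-queried.
keyscan_coverage() {
    awk '
        NR == FNR {                       # first file: the host list
            if ($1 != "" && $1 !~ /^#/) {
                order[++n] = $1
                state[$1] = "not-queried"
            }
            next
        }
        # Banner line such as "# A20401 SSH-1.99-OpenSSH_2.3.0p1":
        # the host was reached, but no key has been seen for it yet.
        $1 == "#" && $3 ~ /^SSH-/ {
            if (($2 in state) && state[$2] == "not-queried")
                state[$2] = "no-key"
            next
        }
        # Key line: host name followed by at least two more fields.
        NF >= 3 && $1 !~ /^#/ && ($1 in state) { state[$1] = "ok" }
        END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }
    ' "$1" "$2"
}

# Constructed sample: the three hosts from the transcript above plus one
# made-up host (ok-host) with a placeholder key blob.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' ok-host A20401 A20403 A20404 > "$d/hosts"
    cat > "$d/scan" <<'EOF'
# ok-host SSH-1.99-OpenSSH_3.0.2p1
ok-host ssh-rsa AAAAB3PLACEHOLDERKEY
# A20401 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
# A20403 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
EOF
    keyscan_coverage "$d/hosts" "$d/scan"
    rm -rf "$d"
}

demo
```

A host reported as not-queried never produced a banner line, which is the signature of the early stop shown above; no-key means the host answered but offered no key of the requested type.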
Markus Friedl
2002-02-13 12:07:56 UTC
Post by Patrick Maigron
> Post by Markus Friedl
>> Post by Patrick Maigron
>>> When this is the case for 2 hosts, this message appears twice AND
>>> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
>>> returned for the following hosts.
>> does this happen with a recent snapshot, too?
> Sorry, I forget the version numbers...
ok, i can reproduce this problem...
Markus Friedl
2002-02-13 12:47:49 UTC
Post by Patrick Maigron
> When this is the case for 2 hosts, this message appears twice AND
> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> returned for the following hosts.
this ugly hack should help.

fatal() cannot be called twice.

Index: log.c
===================================================================
RCS file: /cvs/openssh_cvs/log.c,v
retrieving revision 1.19
diff -u -r1.19 log.c
--- log.c 4 Jul 2001 04:46:58 -0000 1.19
+++ log.c 13 Feb 2002 12:48:35 -0000
@@ -228,16 +228,17 @@
(u_long) proc, (u_long) context);
}

+int ssh_fatal_cleanup_running = 0;
+
/* Cleanup and exit */
void
fatal_cleanup(void)
{
struct fatal_cleanup *cu, *next_cu;
- static int called = 0;

- if (called)
+ if (ssh_fatal_cleanup_running)
exit(255);
- called = 1;
+ ssh_fatal_cleanup_running = 1;
/* Call cleanup functions. */
for (cu = fatal_cleanups; cu; cu = next_cu) {
next_cu = cu->next;
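
Review bot: The new file-scope definition "int ssh_fatal_cleanup_running = 0;" above fatal_cleanup() turns what was a function-local "static int called" into a guard that any other file can clear, and nothing documents who is allowed to do that. Suggest a comment on the definition stating that it may only be reset by a cleanup callback that deliberately leaves fatal_cleanup() without returning, and a declaration in the matching header so users do not each write their own extern.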
Index: ssh-keyscan.c
===================================================================
RCS file: /cvs/openssh_cvs/ssh-keyscan.c,v
retrieving revision 1.37
diff -u -r1.37 ssh-keyscan.c
--- ssh-keyscan.c 14 Nov 2001 21:40:45 -0000 1.37
+++ ssh-keyscan.c 13 Feb 2002 12:48:35 -0000
@@ -659,8 +659,12 @@
static void
fatal_callback(void *arg)
{
- if (nonfatal_fatal)
+ extern int ssh_fatal_cleanup_running;
+
+ if (nonfatal_fatal) {
+ ssh_fatal_cleanup_running = 0;
longjmp(kexjmp, -1);
+ }
}

static void
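
Review bot: In fatal_callback() the line "extern int ssh_fatal_cleanup_running;" is declared inside the function body, so the compiler cannot check it against the definition in log.c; the declaration belongs in a shared header. Clearing the flag and then calling longjmp(kexjmp, -1) also leaves the loop in fatal_cleanup() partway through its list, so cleanups that come after this callback are skipped for that call; a comment saying this is intended when nonfatal_fatal is set would help the next reader.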
Patrick Maigron
2002-02-13 13:42:38 UTC
Post by Markus Friedl
> Post by Patrick Maigron
>> When this is the case for 2 hosts, this message appears twice AND
>> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
>> returned for the following hosts.
> this ugly hack should help.
> fatal() cannot be called twice.
Great, it works out fine.

Thanks for the (ugly but) rapid patch.
