From patchwork Thu Nov 18 14:35:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 12627183 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55807C433F5 for ; Thu, 18 Nov 2021 14:37:47 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 00CFA611BF for ; Thu, 18 Nov 2021 14:37:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 00CFA611BF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:35798 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mniXq-0007Hh-3y for qemu-devel@archiver.kernel.org; Thu, 18 Nov 2021 09:37:46 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46870) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWG-0004QP-Jv for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:08 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:39818) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWE-0004lh-Ok for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1637246166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MA0LVkMeRHzVAfEhKxJy2B+pN86F3hGZ7cj8oUxC/cg=; b=QYDTQl28TiF9QAB7AFppgp99/reA608eFDln3iDf/tCM6ez9lXK/2HhqCkBYlZFdnEfWWz vAHUaenuI6yIVBZp+haPwyY97dQlv5kQAs7IOVSRZvUiBfqXrtmbU3yCfiDAQh47GhF3wp mj04a51KcoUNhLxGD1G1x2HUpG967yQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-275-YWBMBj6zOauNyWrugZE1-Q-1; Thu, 18 Nov 2021 09:36:03 -0500 X-MC-Unique: YWBMBj6zOauNyWrugZE1-Q-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C3E56875112; Thu, 18 Nov 2021 14:36:01 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.247]) by smtp.corp.redhat.com (Postfix) with ESMTP id 341FB60657; Thu, 18 Nov 2021 14:35:58 +0000 (UTC) From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 1/3] block: better document SSH host key fingerprint checking Date: Thu, 18 Nov 2021 14:35:45 +0000 Message-Id: <20211118143547.2045554-2-berrange@redhat.com> In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com> References: <20211118143547.2045554-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Hanna Reitz , =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= , "Richard W.M. Jones" , qemu-block@nongnu.org Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" The docs still illustrate host key fingerprint checking using the old md5 hashes which are considered insecure and obsolete. Change it to illustrate using a sha256 hash. Also show how to extract the hash value from the known_hosts file. Signed-off-by: Daniel P. Berrangé Reviewed-by: Hanna Reitz --- docs/system/qemu-block-drivers.rst.inc | 30 ++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/system/qemu-block-drivers.rst.inc b/docs/system/qemu-block-drivers.rst.inc index 16225710eb..2aeeaf6361 100644 --- a/docs/system/qemu-block-drivers.rst.inc +++ b/docs/system/qemu-block-drivers.rst.inc @@ -778,10 +778,32 @@ The optional *HOST_KEY_CHECK* parameter controls how the remote host's key is checked. The default is ``yes`` which means to use the local ``.ssh/known_hosts`` file. Setting this to ``no`` turns off known-hosts checking. Or you can check that the host key -matches a specific fingerprint: -``host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8`` -(``sha1:`` can also be used as a prefix, but note that OpenSSH -tools only use MD5 to print fingerprints). +matches a specific fingerprint. The fingerprint can be provided in +``md5``, ``sha1``, or ``sha256`` format, however, it is strongly +recommended to only use ``sha256``, since the other options are +considered insecure by modern standards. The fingerprint value +must be given as a hex encoded string:: + + host_key_check=sha256:04ce2ae89ff4295a6b9c4111640bdcb3297858ee55cb434d9dd88796e93aa795`` + +The key string may optionally contain ":" separators between +each pair of hex digits. + +The ``$HOME/.ssh/known_hosts`` file contains the base64 encoded +host keys. These can be converted into the format needed for +QEMU using a command such as:: + + $ for key in `grep 10.33.8.112 known_hosts | awk '{print $3}'` + do + echo $key | base64 -d | sha256sum + done + 6c3aa525beda9dc83eadfbd7e5ba7d976ecb59575d1633c87cd06ed2ed6e366f - + 12214fd9ea5b408086f98ecccd9958609bd9ac7c0ea316734006bc7818b45dc8 - + d36420137bcbd101209ef70c3b15dc07362fbe0fa53c5b135eba6e6afa82f0ce - + +Note that there can be multiple keys present per host, each with +different key ciphers. Care is needed to pick the key fingerprint +that matches the cipher QEMU will negotiate with the remote server. Currently authentication must be done using ssh-agent. Other authentication methods may be supported in future. From patchwork Thu Nov 18 14:35:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 12627189 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 525C5C433FE for ; Thu, 18 Nov 2021 14:38:57 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0735261155 for ; Thu, 18 Nov 2021 14:38:57 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0735261155 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:39018 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mniYy-00011L-2k for qemu-devel@archiver.kernel.org; Thu, 18 Nov 2021 09:38:56 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46934) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWO-0004kz-37 for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:16 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:46475) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWK-0004mR-VJ for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:15 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1637246172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TqVcZztcI/sVqqYp7S4eoNXMMYvntX6jtEZp9tYZMsg=; b=Xqko0TlbalRqWbKqQoQhYyCGVeyBPL/XW5Gbdve7/1T6sHzguGJE/HCZDlq3TbUs4Ou1CD vRH24tCXqUYOgy6WwOrN9NxYfB9AwiG3lLooYFNtGw3LVWbwgbA4RG8pXUeqF9RZ9QV54a 3IDd/5OwKUKPvKDiuiVpIbCOtGGmWLU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-176-Dmp2MQIWM2yFQXaVPq2g5w-1; Thu, 18 Nov 2021 09:36:11 -0500 X-MC-Unique: Dmp2MQIWM2yFQXaVPq2g5w-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E4253804142; Thu, 18 Nov 2021 14:36:09 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.247]) by smtp.corp.redhat.com (Postfix) with ESMTP id 783D5604CC; Thu, 18 Nov 2021 14:36:02 +0000 (UTC) From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 2/3] block: support sha256 fingerprint with pre-blockdev options Date: Thu, 18 Nov 2021 14:35:46 +0000 Message-Id: <20211118143547.2045554-3-berrange@redhat.com> In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com> References: <20211118143547.2045554-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Hanna Reitz , =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= , "Richard W.M. Jones" , qemu-block@nongnu.org Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" When support for sha256 fingerprint checking was aded in commit bf783261f0aee6e81af3916bff7606d71ccdc153 Author: Daniel P. Berrangé Date: Tue Jun 22 12:51:56 2021 +0100 block/ssh: add support for sha256 host key fingerprints it was only made to work with -blockdev. Getting it working with -drive requires some extra custom parsing. Signed-off-by: Daniel P. Berrangé Reviewed-by: Hanna Reitz --- block/ssh.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/block/ssh.c b/block/ssh.c index e0fbb4934b..fcc0ab765a 100644 --- a/block/ssh.c +++ b/block/ssh.c @@ -556,6 +556,11 @@ static bool ssh_process_legacy_options(QDict *output_opts, qdict_put_str(output_opts, "host-key-check.type", "sha1"); qdict_put_str(output_opts, "host-key-check.hash", &host_key_check[5]); + } else if (strncmp(host_key_check, "sha256:", 7) == 0) { + qdict_put_str(output_opts, "host-key-check.mode", "hash"); + qdict_put_str(output_opts, "host-key-check.type", "sha256"); + qdict_put_str(output_opts, "host-key-check.hash", + &host_key_check[7]); } else if (strcmp(host_key_check, "yes") == 0) { qdict_put_str(output_opts, "host-key-check.mode", "known_hosts"); } else { From patchwork Thu Nov 18 14:35:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 12627191 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C070C433EF for ; Thu, 18 Nov 2021 14:39:35 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B009461406 for ; Thu, 18 Nov 2021 14:39:34 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org B009461406 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:41292 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mniZZ-0002VW-UR for qemu-devel@archiver.kernel.org; Thu, 18 Nov 2021 09:39:33 -0500 Received: from eggs.gnu.org ([209.51.188.92]:46960) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWP-0004qc-IM for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:17 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:30078) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mniWN-0004mq-T2 for qemu-devel@nongnu.org; Thu, 18 Nov 2021 09:36:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1637246175; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RLvn5axLfKncylepktKIonBhDChuf9AdJ2wVIfSEnAM=; b=a1z81l5+CJg8Ovfnf9Pm/D6rEZSt6O1HPtbzL6WXHc6EdEN33okbDGv763zPsewr2XLlJS vswDStlghRXxihYzKy5qxCpnoUNmUxobHFlVCG4zlIGieMkTkCQBBuIsrMNnWEWXiJL6hY o6V+P/xuDa3Jpx5zqyww9x3bTPqGp7c= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-436-7KSAYSxrMKeCjGVMI_ByUg-1; Thu, 18 Nov 2021 09:36:13 -0500 X-MC-Unique: 7KSAYSxrMKeCjGVMI_ByUg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 000851B2C981; Thu, 18 Nov 2021 14:36:12 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.33.36.247]) by smtp.corp.redhat.com (Postfix) with ESMTP id 86D7C179B3; Thu, 18 Nov 2021 14:36:10 +0000 (UTC) From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= To: qemu-devel@nongnu.org Subject: [PATCH 3/3] block: print the server key type and fingerprint on failure Date: Thu, 18 Nov 2021 14:35:47 +0000 Message-Id: <20211118143547.2045554-4-berrange@redhat.com> In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com> References: <20211118143547.2045554-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=berrange@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -34 X-Spam_score: -3.5 X-Spam_bar: --- X-Spam_report: (-3.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Hanna Reitz , =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= , "Richard W.M. Jones" , qemu-block@nongnu.org Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" When validating the server key fingerprint fails, it is difficult for the user to know what they got wrong. The fingerprint accepted by QEMU is received in a different format than openssh displays. There can also be keys for multiple different ciphers in known_hosts. It may not be obvious which cipher QEMU will use and whether it will be the same as openssh. Address this by printing the server key type and its corresponding fingerprint in the format QEMU accepts. Signed-off-by: Daniel P. Berrangé Reviewed-by: Hanna Reitz Reviewed-by: Philippe Mathieu-Daudé --- block/ssh.c | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/block/ssh.c b/block/ssh.c index fcc0ab765a..967a2b971e 100644 --- a/block/ssh.c +++ b/block/ssh.c @@ -386,14 +386,28 @@ static int compare_fingerprint(const unsigned char *fingerprint, size_t len, return *host_key_check - '\0'; } +static char *format_fingerprint(const unsigned char *fingerprint, size_t len) +{ + static const char *hex = "0123456789abcdef"; + char *ret = g_new0(char, (len * 2) + 1); + for (size_t i = 0; i < len; i++) { + ret[i * 2] = hex[((fingerprint[i] >> 4) & 0xf)]; + ret[(i * 2) + 1] = hex[(fingerprint[i] & 0xf)]; + } + ret[len * 2] = '\0'; + return ret; +} + static int check_host_key_hash(BDRVSSHState *s, const char *hash, - enum ssh_publickey_hash_type type, Error **errp) + enum ssh_publickey_hash_type type, const char *typestr, + Error **errp) { int r; ssh_key pubkey; unsigned char *server_hash; size_t server_hash_len; + const char *keytype; r = ssh_get_server_publickey(s->session, &pubkey); if (r != SSH_OK) { @@ -401,6 +415,8 @@ check_host_key_hash(BDRVSSHState *s, const char *hash, return -EINVAL; } + keytype = ssh_key_type_to_char(ssh_key_type(pubkey)); + r = ssh_get_publickey_hash(pubkey, type, &server_hash, &server_hash_len); ssh_key_free(pubkey); if (r != 0) { @@ -410,12 +426,16 @@ check_host_key_hash(BDRVSSHState *s, const char *hash, } r = compare_fingerprint(server_hash, server_hash_len, hash); - ssh_clean_pubkey_hash(&server_hash); if (r != 0) { - error_setg(errp, "remote host key does not match host_key_check '%s'", - hash); + g_autofree char *server_fp = format_fingerprint(server_hash, + server_hash_len); + error_setg(errp, "remote host %s key fingerprint '%s:%s' " + "does not match host_key_check '%s:%s'", + keytype, typestr, server_fp, typestr, hash); + ssh_clean_pubkey_hash(&server_hash); return -EPERM; } + ssh_clean_pubkey_hash(&server_hash); return 0; } @@ -436,13 +456,16 @@ static int check_host_key(BDRVSSHState *s, SshHostKeyCheck *hkc, Error **errp) case SSH_HOST_KEY_CHECK_MODE_HASH: if (hkc->u.hash.type == SSH_HOST_KEY_CHECK_HASH_TYPE_MD5) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_MD5, errp); + SSH_PUBLICKEY_HASH_MD5, "md5", + errp); } else if (hkc->u.hash.type == SSH_HOST_KEY_CHECK_HASH_TYPE_SHA1) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_SHA1, errp); + SSH_PUBLICKEY_HASH_SHA1, "sha1", + errp); } else if (hkc->u.hash.type == SSH_HOST_KEY_CHECK_HASH_TYPE_SHA256) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_SHA256, errp); + SSH_PUBLICKEY_HASH_SHA256, "sha256", + errp); } g_assert_not_reached(); break;