[Openstack-security] [Bug 1236125] Re: PowerVM driver ignores host keys

Matt Riedemann mriedem at us.ibm.com
Thu Nov 21 23:35:46 UTC 2013


So unless you want to do something to fix this in havana, I think it can
be marked as 'won't fix' due to this:

https://review.openstack.org/#/c/57774/

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1236125

Title:
  PowerVM driver ignores host keys

Status in OpenStack Compute (Nova):
  Triaged

Bug description:
  Nova's PowerVM driver is currently set to AutoAdd any host key over
  SSH.  As per the SSH protocol, host key fingerprints should be
  verified either by comparing with known hosts (like through a
  known_hosts file) or having a person verify it's the host they wish to
  connect with.

  In particular,
  https://github.com/openstack/nova/blob/master/nova/virt/powervm/common.py
  uses paramiko.AutoAddPolicy() which will automatically accept any host key.  Doing so allows Nova to be susceptible to a man-in-the-middle.

  There should instead be an option in nova.conf to specify a
  known_hosts file and the paramiko policy to use.  That way someone
  could set the policy to Reject and specify a file with known_hosts
  which are acceptable.  Communication therefore would never occur to
  unknown hosts and allow a potential release of a user/pwd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1236125/+subscriptions
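
The policy difference the bug description asks for, as an added example that is not part of the original message or of Nova's code: a standard-library model of the host key decision, showing that an empty known-hosts set plus auto-add accepts any key while a known_hosts file plus reject does not. The policy names `reject`/`autoadd`, the hostnames and the key blobs are constructed assumptions; with paramiko the safe path corresponds to `SSHClient.load_host_keys()` together with `RejectPolicy()`.

```python
import base64
import hashlib
import hmac

# Constructed sample data: hostnames and "keys" are placeholders, not real keys.
GOOD_KEY = base64.b64encode(b"constructed host key").decode()
OTHER_KEY = base64.b64encode(b"constructed unexpected key").decode()
KNOWN_HOSTS = f"# constructed sample\nivm1.example.test,192.0.2.10 ssh-ed25519 {GOOD_KEY}\n"


def hashed_entry(host, salt=b"constructed-salt-20b"):
    """Build an OpenSSH hashed-hostname pattern: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(pattern, host):
    """Match a known_hosts host field, either hashed or a comma-separated list."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")


def check_host_key(known_hosts_text, policy, host, keytype, key_b64):
    """Decide what to do with the key a server presents.

    policy is a hypothetical option value: 'reject' or 'autoadd'.
    """
    if policy not in ("reject", "autoadd"):
        raise ValueError("unknown host key policy: %r" % policy)
    known_for_host = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments, @cert-authority/@revoked markers
        pattern, ktype, blob = fields[:3]
        if ktype == keytype and _host_matches(pattern, host):
            known_for_host = True
            if hmac.compare_digest(blob, key_b64):
                return "accept"
    if known_for_host:
        return "reject-mismatch"  # in this model a changed key is refused under either policy
    # No entry for this host: this is the only case the policy governs.
    return "accept-unverified" if policy == "autoadd" else "reject-unknown"
```
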



