[Openstack-security] [Bug 1320056] Re: Cinder utils SSHPool should allow customized ssh host keys and missing policy

Matthew Edmonds edmondsw at us.ibm.com
Tue Jun 24 13:34:45 UTC 2014


@duncan-thomas: The decision in IRC was that it would be ok to default
to a special policy where we auto-add on first connect only and then
reject thereafter. But that assumes it's possible to distinguish a first
connect, and I'm not sure that's possible. Lacking that, the default
needs to be a normal reject policy.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1320056

Title:
  Cinder utils SSHPool should allow customized ssh host keys and missing
  policy

Status in Cinder:
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  In Progress

Bug description:
  In cinder/utils.py, SSHPool is using paramiko.AutoAddPolicy() as
  default. This may lead security issue without being notified. The
  utility should allow customized usage when create the pool or session.
  Also the host_keys file should be allowed to be customized so that any
  driver utilizing the SSHPool should have their customized security
  setting or delegate to customer's scenario & configuration to
  determine the policy and key files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1320056/+subscriptions




More information about the Openstack-security mailing list