[Openstack-security] [Bug 1320056] Re: Cinder utils SSHPool should allow customized ssh host keys and missing policy
Duncan Thomas
duncan.thomas at gmail.com
Tue Jun 24 14:03:17 UTC 2014
First connect means 'we haven't cached the key yet'.... that's the
only sane definition in the ssh world.
On 24 June 2014 14:34, Matthew Edmonds <edmondsw at us.ibm.com> wrote:
> @duncan-thomas: The decision in IRC was that it would be ok to default
> to a special policy where we auto-add on first connect only and then
> reject thereafter. But that assumes it's possible to distinguish a first
> connect, and I'm not sure that's possible. Lacking that, the default
> needs to be a normal reject policy.
>
> --
> You received this bug notification because you are a member of Cinder
> Bug Team, which is subscribed to Cinder.
> https://bugs.launchpad.net/bugs/1320056
>
> Title:
> Cinder utils SSHPool should allow customized ssh host keys and missing
> policy
>
> Status in Cinder:
> Fix Released
> Status in OpenStack Security Advisories:
> Won't Fix
> Status in OpenStack Security Notes:
> In Progress
>
> Bug description:
> In cinder/utils.py, SSHPool is using paramiko.AutoAddPolicy() as
> default. This may lead to security issues without being notified. The
> utility should allow customized usage when creating the pool or session.
> Also the host_keys file should be allowed to be customized so that any
> driver utilizing the SSHPool should have their customized security
> setting or delegate to customer's scenario & configuration to
> determine the policy and key files.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1320056/+subscriptions
--
Duncan Thomas
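
The "first connect" definition discussed in this thread (no key cached yet for the host), as an added example that is not Cinder's or paramiko's code. The names `verify_host_key`, `load_cache` and `HostKeyRejected` are hypothetical, the cache is simplified to one key per host, and the hosts and keys are constructed sample values.

```python
import os
import tempfile


class HostKeyRejected(Exception):
    """Raised with 'changed' (cached key differs) or 'unknown' (nothing cached)."""


def load_cache(path):
    """Parse 'hostname keytype base64key' lines into {hostname: (keytype, key)}."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        rows = [line.split() for line in fh]
    return {r[0]: (r[1], r[2]) for r in rows if len(r) == 3}


def verify_host_key(path, hostname, keytype, key_b64, add_on_first_connect):
    """Return 'cached' or 'added'; raise when the key is changed or unknown."""
    cached = load_cache(path).get(hostname)
    if cached is not None:
        # Not a first connect: only the cached key is acceptable.
        if cached != (keytype, key_b64):
            raise HostKeyRejected("changed")
        return "cached"
    # First connect: nothing is cached for this host yet.
    if not add_on_first_connect:
        raise HostKeyRejected("unknown")
    with open(path, "a") as fh:
        fh.write(f"{hostname} {keytype} {key_b64}\n")
    return "added"


def demo():
    """Replay four connections (constructed hosts and keys) against a fresh cache."""
    path = os.path.join(tempfile.mkdtemp(), "ssh_known_hosts")
    attempts = [("storage.example.test", "AAAAconstructedkey1", True),
                ("storage.example.test", "AAAAconstructedkey1", True),
                ("storage.example.test", "AAAAconstructedkey2", True),
                ("backup.example.test", "AAAAconstructedkey1", False)]
    results = []
    for host, key, add in attempts:
        try:
            results.append(verify_host_key(path, host, "ssh-ed25519", key, add))
        except HostKeyRejected as exc:
            results.append(f"rejected: {exc}")
    return results
```

Calling `demo()` shows that the add-on-first-connect setting only matters while the cache has no entry for the host; once a key is stored, a different key is rejected regardless of that setting.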