WIP: slaprunner: publish a ssh:// url
(These are some old unfinished patches)
Publish a ssh:// url, ssh://slapuser0;fingerprint=ssh-rsa-38-8d-1f-3c-97-d6-c2-99-8a-66-1f-b1-42-4a-fa-3d@[2001:67c:1254:e:5e:242:ac11:5]:22222 (note that gitlab escapes %5B and as a result this link does not work on gitlab)
At the same time, update ssh and vim
I share the current state of this, but I kind of gave up on making it work because I could not find an ssh client supporting such URLs.
Fingerprint is ignored in chrome's secure shell app: https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md#ssh_links / https://bugs.chromium.org/p/chromium/issues/detail?id=706536
The openssh client also had a problem; if I remember correctly it could not parse an IPv6 URL.
If no ssh client supports it, I'm not sure I understand the usefulness of this. Is it for making sure that users can trust the ssh server when they connect to their webrunner?
I have another idea (I don't say it's better, it's just to have your point of view on it): what about generating a "known_hosts" line, so users could copy/paste it into their known_hosts file?
A more precise definition of what's supported or not: (modern) ssh clients support ssh:// URLs, but even though the spec supports a fingerprint, clients don't seem to use it. I'm not sure there is consensus on what clients should do with this fingerprint. The ssh security model is based on "trust on first use", and then complaining when the key is different.
On first use, ssh displays something like:
The authenticity of host 'host (ip)' can't be established. ECDSA key fingerprint is SHA256:5NuPPsfM1WdCHK9aQKiHrtnRUB5p8EogJ8eY9xKMMfQ. Are you sure you want to continue connecting (yes/no)?
The idea was just to publish this SHA256:5NuPPsfM1WdCHK9aQKiHrtnRUB5p8EogJ8eY9xKMMfQ so that users can see it looks OK the first time they connect, without changing the "trust on first use" paradigm.
A line to put in known_hosts: I feel people would not manually add this line, and it also feels a bit different; not "the first time you connect you should see $fingerprint and then it should not change", it can be misinterpreted as "you can trust this key". Which after all is also similar to publishing the fingerprint... I don't know if it's really a problem; I guess ssh users know that when their client says the key has changed they have to worry.
I'm using OpenSSH_7.5p1-hpn14v12, OpenSSL 1.0.2p 14 Aug 2018
I can't find a way to write an ssh URI containing both an IPv6 address and a port. Iow, [2001:67c:1254:e:5e:242:ac11:55]:22222 is not well interpreted (it returns ssh: Could not resolve hostname [2001:67c:1254:e:5e:242:ac11:55]:22222: Name or service not known), and I cannot just remove
otherwise I can't declare a port. Do you know a way to do it?
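As an added illustration of the two mechanisms debated in this thread (not code from the slaprunner patch): a parser for the ssh:// form used in the description, including the bracketed IPv6 host plus port that the OpenSSH client would not accept, the hyphenated MD5 form carried by the URI's fingerprint= parameter, the SHA256 form OpenSSH shows on first connection, and the known_hosts line proposed as the alternative. EXAMPLE_URI is the URL from the description; any RSA key values passed to rsa_key_blob are constructed toy numbers, not real keys, and the MD5 fingerprint in the description belongs to a key that is not on the page.

```python
import base64
import hashlib
import struct

# The URL from the patch description (a page value; the key it names is not on the page).
EXAMPLE_URI = ("ssh://slapuser0;fingerprint=ssh-rsa-38-8d-1f-3c-97-d6-c2-99-8a-66-"
               "1f-b1-42-4a-fa-3d@[2001:67c:1254:e:5e:242:ac11:5]:22222")

def parse_ssh_uri(uri):
    """Split ssh://[user[;fingerprint=...]@]host[:port], including the
    bracketed-IPv6-plus-port case that OpenSSH refused in the thread."""
    assert uri.startswith("ssh://"), "not an ssh:// URI"
    rest = uri[len("ssh://"):].split("/", 1)[0]
    user, params = None, {}
    if "@" in rest:
        userinfo, rest = rest.rsplit("@", 1)
        user, *pairs = userinfo.split(";")
        params = dict(p.split("=", 1) for p in pairs)
    if rest.startswith("["):                        # [ipv6]:port
        host, _, port = rest[1:].partition("]")
        port = port.lstrip(":")
    else:                                           # name-or-ipv4[:port]
        host, _, port = rest.partition(":")
    return {"user": user, "host": host, "port": int(port) if port else 22,
            "fingerprint": params.get("fingerprint")}

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(n):  # one spare leading byte keeps the sign bit clear (RFC 4251)
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_key_blob(e, n):
    """RFC 4253 'ssh-rsa' public key blob: the bytes that sit base64-encoded in known_hosts."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def uri_fingerprint(blob, keytype="ssh-rsa"):
    """Hyphenated MD5 form used by the fingerprint= parameter of the ssh URI draft."""
    return keytype + "-" + "-".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def openssh_fingerprint(blob):
    """SHA256 form that modern OpenSSH prints on first connection."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def known_hosts_line(host, port, blob, keytype="ssh-rsa"):
    """The alternative proposed in the thread: a line users paste into known_hosts."""
    name = f"[{host}]:{port}" if port != 22 else host
    return f"{name} {keytype} {base64.b64encode(blob).decode()}"

def fingerprint_matches(uri, blob):
    return parse_ssh_uri(uri)["fingerprint"] == uri_fingerprint(blob)
```

Comparing the published value against the key the server actually presents is what fingerprint_matches does; a mismatch on first connection is the signal the description wants users to notice, and the known_hosts form makes the same check automatic inside the ssh client.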