Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] salt-ssh hanging due to non-exposed host key acceptance prompt #62782

Open
4 of 5 tasks
johnnybubonic opened this issue Sep 30, 2022 · 2 comments · May be fixed by #66326
Open
4 of 5 tasks

[BUG] salt-ssh hanging due to non-exposed host key acceptance prompt #62782

johnnybubonic opened this issue Sep 30, 2022 · 2 comments · May be fixed by #66326
Labels
Bug broken, incorrect, or confusing behavior needs-triage Regression The issue is a bug that breaks functionality known to work in previous releases. Salt-SSH

Comments

@johnnybubonic
Copy link

Description
When performing salt-ssh, the command seems to hang indefinitely.
This is due to the ssh prompt to accept the (ssh-)minion's host key not being floated to an interactive prompt on the shell; it seems to never even escape from TRACE log level.

Setup
N/A

  • on-prem machine
  • VM (KVM)
  • classic packaging (master)
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
(See attached)
salt-ssh.trace.log

Expected behavior
The "The authenticity of host ... can't be established. ..." prompt is displayed during salt-ssh call and can be answered in an interactive shell.

(This does not happen. No output is displayed, and even explicitly entering 'yes\n' in the console after the prompt is passed to the trace, it has no effect.)

Screenshots
N/A

Versions Report

salt --versions-report 
Salt Version:
          Salt: 3005
 
Dependency Versions:
          cffi: 1.11.5
      cherrypy: unknown
      dateutil: 2.6.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10.1
       libgit2: 0.26.8
      M2Crypto: 0.35.2
          Mako: Not Installed
       msgpack: 0.6.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.14
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: 0.26.4
        Python: 3.6.8 (default, Sep 13 2022, 07:19:15)
  python-gnupg: Not Installed
        PyYAML: 3.12
         PyZMQ: 20.0.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: almalinux 8.6 Sky Tiger
        locale: UTF-8
       machine: x86_64
       release: 4.18.0-372.26.1.el8_6.x86_64
        system: Linux
       version: AlmaLinux 8.6 Sky Tiger

Additional context
The target "ssh minion" is running the same OS and release, though I doubt it matters since SSH never fully establishes.
@johnnybubonic johnnybubonic added Bug broken, incorrect, or confusing behavior needs-triage labels Sep 30, 2022
@OrangeDog
Copy link
Contributor

You should be able to workaround this in the roster config.
Like this for example, or with external management of known_hosts.

ssh_options:
  - StrictHostKeyChecking=accept-new

If the host key has changed, you'll either need to manually update it, or (NOT RECOMMENDED) disable checking completely.

@johnnybubonic
Copy link
Author

Right; I know how to work around it, but this is unexpected behavior and a regression; see e.g. the description for --no-host-keys here:

Fully ignores ssh host keys which by default are honored and connections would ask for approval. Useful if the host key of a remote server has changed and would still error with --ignore-host-keys.

(Emphasis added)

@OrangeDog OrangeDog added the Regression The issue is a bug that breaks functionality known to work in previous releases. label Sep 30, 2022
bendikro added a commit to bendikro/salt that referenced this issue Apr 8, 2024
@bendikro
Fix shell.KEY_VALID_RE to match host authenticity message. Fixes salt…
d7e5619 
…stack#62782

The shell.KEY_VALID_RE regex only matches messages containing '(yes/no)',
and not messages containing '(yes/no/[fingerprint])'
This leads to the salt-ssh command hanging, (Shell._run_cmd waits for data on stdout)
while the ssh command is waiting on input.

Fix by updating the KEY_VALID_RE regex to match both prompts
@bendikro bendikro linked a pull request Apr 8, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior needs-triage Regression The issue is a bug that breaks functionality known to work in previous releases. Salt-SSH
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[master] Fix shell.KEY_VALID_RE to match host authenticity message. Fixes #62782 bendikro/salt
2 participants
@OrangeDog @johnnybubonic