I think that it does not need these changes. What's your opinion,
Jun Wang, Dave and other reviewers?
Having UserKnownHostsFile in the global ssh_config point to the kdump-server hostkey file or
adding those hostkeys to the global known_hosts file would technically take care of the kdump
server authentication problem.
There are, however, some drawbacks with it. There are usually obstacles for any
stand-alone feature/function, such as kdump, to make feature-specific changes to the
global ssh_config or known_hosts file, unless the ssh configuration management software is
modular enough to take inputs from various features/functions -- very unlikely in
reality.
Effectively it makes the kdump feature/package less self-contained. When kdump fails upon
the initial installation, only some users would be able to troubleshoot the problem. Even
among those users, many could be frustrated with dealing with other teams on putting
feature-specific stuff in the global central ssh_config management system. It would at least
slow down the deployment/integration. In some cases, the users would simply give up.
On the contrary, a solution with an ssh command-line option of
"-o UserKnownHostsFile=$SSH_HOSTS_FILE" is much more self-contained in kdump.
Overall, it seems that having a solution self-contained in the kdump package and
configuration, be it my originally proposed changes or not, would be very beneficial.
Thanks,
Jun
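As an added illustration of the self-contained approach Jun describes (this is not kdump or dracut code, nor anything posted in this thread), the POSIX shell below builds the ssh option set around a kdump-owned known_hosts file and checks, before connecting, that the file actually carries an entry for the dump target. The function names (kdump_ssh_opts, known_hosts_has_host, kdump_ssh_run) and the paths used in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not kdump or dracut code: pin ssh host-key verification for
# the kdump target to a known_hosts file owned by the kdump configuration,
# instead of depending on the global ssh_config / known_hosts.
# Function names and paths are hypothetical.

# Build the ssh option list for kdump's batch transfers.
# $1 = identity file, $2 = kdump-specific known_hosts file.
# StrictHostKeyChecking=yes plus UserKnownHostsFile=<file> makes the
# connection fail unless the target's key is already in that file; BatchMode=yes
# keeps ssh from prompting when no terminal is attached (the initramfs case).
kdump_ssh_opts() {
    printf '%s' "-i $1 -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$2"
}

# Does known_hosts file $1 carry a usable key for host $2?
# Returns 0 if found, 1 if not, 2 if the file is missing.
# Only plaintext host fields are matched (exact match on each comma-separated
# name); hashed "|1|..." entries cannot be matched textually and are skipped,
# and "@revoked" entries do not count as a usable key.
known_hosts_has_host() {
    _file=$1
    _host=$2
    [ -f "$_file" ] || return 2
    awk -v h="$_host" '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        {
            field = $1
            if (field == "@revoked")        { next }   # explicitly distrusted
            if (field == "@cert-authority") { field = $2 }
            if (substr(field, 1, 3) == "|1|") { next } # hashed entry, skip
            n = split(field, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$_file"
}

# Run a command on the dump target, refusing early with a clear message when
# the pinned known_hosts file does not cover the host, so the failure can be
# diagnosed without reading ssh's output in the crash kernel.
# $1 = identity file, $2 = known_hosts file, $3 = [user@]host, $4.. = command.
kdump_ssh_run() {
    _key=$1
    _kh=$2
    _target=$3
    shift 3
    _host=${_target#*@}
    _rc=0
    known_hosts_has_host "$_kh" "$_host" || _rc=$?
    case $_rc in
        0) ;;
        1) echo "no host key for $_host in $_kh; add its verified key to that file first" >&2
           return 1 ;;
        *) echo "known_hosts file $_kh does not exist" >&2
           return 1 ;;
    esac
    # Word-splitting of the option string is intended (paths without spaces).
    ssh -q -n $(kdump_ssh_opts "$_key" "$_kh") "$_target" "$@"
}
```

A call such as `kdump_ssh_run /root/.ssh/kdump_id_rsa /etc/kdump/known_hosts root@kdump-server.example.com mkdir -p /var/crash` then either runs with host-key checking pinned to /etc/kdump/known_hosts or explains exactly which file lacks which host, which is the troubleshooting experience the message above argues for.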
> On 2019-08-06 13:16, Dave Young wrote:
>
> The 95ssh-client module will install the ssh_config and known_hosts to the kdump
> initramfs, please refer to it:
> ...
> # Copy over ssh key and known_hosts if needed
> [[ $sshkey ]] && {
>     inst_simple $sshkey
>     [[ -f /root/.ssh/known_hosts ]] && inst_simple /root/.ssh/known_hosts
>     [[ -f /etc/ssh/ssh_known_hosts ]] && inst_simple /etc/ssh/ssh_known_hosts
> }
>
> # Copy over root and system-wide ssh configs.
> [[ -f /root/.ssh/config ]] && inst_simple /root/.ssh/config
> if [[ -f /etc/ssh/ssh_config ]]; then
>     inst_simple /etc/ssh/ssh_config
>     sed -i -e 's/\(^[[:space:]]*\)ProxyCommand/\1# ProxyCommand/' ${initdir}/etc/ssh/ssh_config
>     while read key val || [ -n "$key" ]; do
>         if [[ $key == "GlobalKnownHostsFile" ]]; then
>             inst_simple "$val"
>         # Copy customized UserKnownHostsFile
>         elif [[ $key == "UserKnownHostsFile" ]]; then
>             # Make sure that ~/foo will be copied as /root/foo in kdump's initramfs
>             if str_starts "$val" "~/"; then
>                 val="/root/${val#"~/"}"
>             fi
>             inst_simple "$val"
>         fi
>     done < /etc/ssh/ssh_config
> fi
> ...
>
>
> I just checked it. That's true.
>
> # man 5 ssh_config
> ......
> CheckHostIP
>     If set to yes (the default), ssh(1) will additionally check the host IP
>     address in the known_hosts file. This allows it to detect if a host key
>     changed due to DNS spoofing and will add addresses of destination hosts to
>     ~/.ssh/known_hosts in the process, regardless of the setting of
>     StrictHostKeyChecking. If the option is set to no, the check will not be
>     executed.
> ......
>
> [root@ibm-p8-garrison-04 jlb]# grep "CheckHostIP" /etc/ssh/ssh_config
> # CheckHostIP yes
> # CheckHostIP no
>
> It seems that CheckHostIP is set by default, so it should automatically check the
> known_hosts based on the above description.
>
>
> Probably I should close this bug.
>
> Thanks.
>
> > I would expect it can be solved in 99ssh-client without touching kdump
> > code..
> >>
> >>>>
> >>>> Thanks.
> >>>>
> >>>>>>
> >>>>>> Suggested-by: Jun Wang <junw99(a)yahoo.com>
> >>>>>> Signed-off-by: Lianbo Jiang <lijiang(a)redhat.com>
> >>>>>> ---
> >>>>>> dracut-kdump.sh | 4 ++--
> >>>>>> kdump-lib-initramfs.sh | 6 ++++++
> >>>>>> kdump.conf | 4 ++++
> >>>>>> kdumpctl | 12 ++++++++++--
> >>>>>> mkdumprd | 11 +++++++++--
> >>>>>> 5 files changed, 31 insertions(+), 6 deletions(-)
> >>>>>>
> >>>>>> diff --git a/dracut-kdump.sh b/dracut-kdump.sh
> >>>>>> index ce56459ed088..0eafe6458530 100755
> >>>>>> --- a/dracut-kdump.sh
> >>>>>> +++ b/dracut-kdump.sh
> >>>>>> @@ -71,7 +71,7 @@ dump_raw()
> >>>>>>
> >>>>>> dump_ssh()
> >>>>>> {
> >>>>>> - local _opt="-i $1 -o BatchMode=yes -o
> StrictHostKeyChecking=yes"
> >>>>>> + local _opt="-i $1 -o BatchMode=yes -o
> StrictHostKeyChecking=yes -i $3 -o UserKnownHostsFile"
> >>>>>> local _dir="$KDUMP_PATH/$HOST_IP-$DATEDIR"
> >>>>>> local _host=$2
> >>>>>>
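Review bot: the option string in the `+` line of dump_ssh is wrong: `-i $3` hands the known_hosts file to ssh as an identity (private key) file, and the `-o UserKnownHostsFile` token carries no `=path`, so depending on the ssh version it is either ignored (leaving the default known_hosts files in effect) or rejected. The intended form is `-o UserKnownHostsFile=$3`, matching the `-o UserKnownHostsFile=$SSH_HOSTS_FILE` shape discussed earlier in the thread; only then does StrictHostKeyChecking=yes verify the target against the file kdump controls. `$1` and `$3` are paths read from kdump.conf and should be quoted.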
> >>>>>> @@ -156,7 +156,7 @@ read_kdump_conf()
> >>>>>> add_dump_code "dump_raw $config_val"
> >>>>>> ;;
> >>>>>> ssh)
> >>>>>> - add_dump_code "dump_ssh $SSH_KEY_LOCATION
> $config_val"
> >>>>>> + add_dump_code "dump_ssh $SSH_KEY_LOCATION
> $config_val $SSH_KNOWN_HOSTS"
> >>>>>> ;;
> >>>>>> esac
> >>>>>> done <<< "$(read_strip_comments
> $KDUMP_CONF)"
> >>>>>> diff --git a/kdump-lib-initramfs.sh
b/kdump-lib-initramfs.sh
> >>>>>> index 608dc6efc07e..7d595d5b7d06 100755
> >>>>>> --- a/kdump-lib-initramfs.sh
> >>>>>> +++ b/kdump-lib-initramfs.sh
> >>>>>> @@ -11,6 +11,7 @@ DATEDIR=`date +%Y-%m-%d-%T`
> >>>>>> HOST_IP='127.0.0.1'
> >>>>>> DUMP_INSTRUCTION=""
> >>>>>> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >>>>>> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >>>>>> KDUMP_SCRIPT_DIR="/kdumpscripts"
> >>>>>> DD_BLKSIZE=512
> >>>>>> FINAL_ACTION="systemctl reboot -f"
> >>>>>> @@ -38,6 +39,11 @@ get_kdump_confs()
> >>>>>> SSH_KEY_LOCATION=$config_val
> >>>>>> fi
> >>>>>> ;;
> >>>>>> + known_hosts)
> >>>>>> + if [ -f "$config_val" ];then
> >>>>>> +
SSH_KNOWN_HOSTS="$config_val"
> >>>>>> + fi
> >>>>>> + ;;
> >>>>>> kdump_pre)
> >>>>>> KDUMP_PRE="$config_val"
> >>>>>> ;;
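Review bot: `[ -f "$config_val" ]` here runs inside the kdump initramfs, but nothing in this patch installs a non-default known_hosts path into that initramfs (the mkdumprd hunk only resolves the path on the host), so a custom path fails this test and the code silently falls back to /root/.ssh/known_hosts, which is itself present only when the quoted 95ssh-client snippet copied it. Either install the file the way `inst_simple $sshkey` installs the key, or at least warn instead of silently falling back. Style: `];then` wants a space after the semicolon to match the surrounding arms.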
> >>>>>> diff --git a/kdump.conf b/kdump.conf
> >>>>>> index 1f0fc2ddc40b..2b10d57ac561 100644
> >>>>>> --- a/kdump.conf
> >>>>>> +++ b/kdump.conf
> >>>>>> @@ -152,6 +152,9 @@
> >>>>>> # to send fence_kdump notifications to.
> >>>>>> # (this option is mandatory to enable
fence_kdump).
> >>>>>> #
> >>>>>> +# known_hosts <path>
> >>>>>> +# - The "path" represents the path of
> know_hosts, the default value
> >>>>>> +# is /root/.ssh/known_hosts.
> >>>>>>
> >>>>>> #raw /dev/vg/lv_kdump
> >>>>>> #ext4 /dev/vg/lv_kdump
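Review bot: the new comment has a typo (`know_hosts` for `known_hosts`) and says only what the path is, not what kdump does with it. Suggest something like `# - File holding the ssh host key(s) of the ssh dump target, passed to ssh` / `#   as UserKnownHostsFile. Default is /root/.ssh/known_hosts.` so that an admin knows this is where the target's key has to be placed.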
> >>>>>> @@ -173,3 +176,4 @@ core_collector makedumpfile -l
> --message-level 1 -d 31
> >>>>>> #dracut_args --omit-drivers "cfg80211 snd"
> --add-drivers "ext2 ext3"
> >>>>>> #fence_kdump_args -p 7410 -f auto -c 0 -i 10
> >>>>>> #fence_kdump_nodes node1 node2
> >>>>>> +#known_hosts /root/.ssh/known_hosts
> >>>>>> diff --git a/kdumpctl b/kdumpctl
> >>>>>> index a1a6ee24b768..7ba7e8cf2685 100755
> >>>>>> --- a/kdumpctl
> >>>>>> +++ b/kdumpctl
> >>>>>> @@ -9,6 +9,7 @@ MKDUMPRD="/sbin/mkdumprd -f"
> >>>>>>
DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
> >>>>>> SAVE_PATH=/var/crash
> >>>>>> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >>>>>> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >>>>>>
> INITRD_CHECKSUM_LOCATION="/boot/.fadump_initrd_checksum"
> >>>>>> DUMP_TARGET=""
> >>>>>> DEFAULT_INITRD=""
> >>>>>> @@ -243,7 +244,7 @@ check_config()
> >>>>>> case "$config_opt" in
> >>>>>> \#* | "")
> >>>>>> ;;
> >>>>>>
>
- raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> >>>>>>
>
+ raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|known_hosts|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|failure_action|default|final_action|force_rebuild|force_no_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes)
> >>>>>> # remove inline comments after the end of a directive.
> >>>>>> [ -z "$config_val" ] && {
> >>>>>> echo "Invalid kdump config value for option
> $config_opt."
> >>>>>> @@ -711,6 +712,13 @@ check_ssh_config()
> >>>>>> echo "WARNING: '$config_val' doesn't
exist,
> using default value '$SSH_KEY_LOCATION'"
> >>>>>> fi
> >>>>>> ;;
> >>>>>> + known_hosts)
> >>>>>> + if [ -f "$config_val" ];then
> >>>>>> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $config_val)
> >>>>>> + else
> >>>>>> + echo "WARNING: '$config_val' doesn't
exist,
> using default value '$SSH_KNOWN_HOSTS'"
> >>>>>> + fi
> >>>>>> + ;;
> >>>>>> path)
> >>>>>> SAVE_PATH=$config_val
> >>>>>> ;;
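Review bot: `$config_val` is unquoted in `readlink -m $config_val`, and `];then` differs from the spacing used in the neighbouring arms; otherwise this mirrors the sshkey branch. The WARNING text would be more useful if it named the option (`known_hosts`) as well as the missing path, since the same wording is used for sshkey.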
> >>>>>> @@ -733,7 +741,7 @@ check_ssh_config()
> >>>>>> check_ssh_target()
> >>>>>> {
> >>>>>> local _ret
> >>>>>> - ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET
mkdir
> -p $SAVE_PATH
> >>>>>> + ssh -q -i $SSH_KEY_LOCATION -i $SSH_KNOWN_HOSTS -o
> BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH
> >>>>>> _ret=$?
> >>>>>> if [ $_ret -ne 0 ]; then
> >>>>>> echo "Could not create $DUMP_TARGET:$SAVE_PATH, you
> probably need to run \"kdumpctl propagate\"" >&2
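Review bot: check_ssh_target repeats the dump_ssh mistake: `-i $SSH_KNOWN_HOSTS` passes the known_hosts file as an identity file and there is no `-o UserKnownHostsFile=$SSH_KNOWN_HOSTS` at all, so this check still consults ssh's default known_hosts; it also does not set StrictHostKeyChecking=yes, unlike get_ssh_size and mkdir_save_path_ssh. The propagate-time check should use exactly the option set the dump path uses, otherwise kdumpctl can report success while the dump later fails host-key verification in the crash kernel.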
> >>>>>> diff --git a/mkdumprd b/mkdumprd
> >>>>>> index cf3533fe2be9..c4e2f8ba4c31 100644
> >>>>>> --- a/mkdumprd
> >>>>>> +++ b/mkdumprd
> >>>>>> @@ -13,6 +13,7 @@ export IN_KDUMP=1
> >>>>>>
> >>>>>> conf_file="/etc/kdump.conf"
> >>>>>> SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
> >>>>>> +SSH_KNOWN_HOSTS="/root/.ssh/known_hosts"
> >>>>>> SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
> >>>>>> [ -z "$SAVE_PATH" ] &&
> SAVE_PATH=$DEFAULT_PATH
> >>>>>> # strip the duplicated "/"
> >>>>>> @@ -144,7 +145,7 @@ is_readonly_mount() {
> >>>>>> #called from while loop and shouldn't read from stdin,
so
> we're using "ssh -n"
> >>>>>> get_ssh_size() {
> >>>>>> local _opt _out _size
> >>>>>> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
> StrictHostKeyChecking=yes"
> >>>>>> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
> StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> >>>>>> _out=$(ssh -q -n $_opt $1 "df -P
$SAVE_PATH")
> >>>>>> [ $? -ne 0 ] && {
> >>>>>> perror_exit "checking remote ssh server
available
> size failed."
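Review bot: the `+` line in get_ssh_size has the same defect as dump_ssh: `-i $SSH_KNOWN_HOSTS -o UserKnownHostsFile` should be `-o UserKnownHostsFile=$SSH_KNOWN_HOSTS`. Since this option string is now built in three places (dracut-kdump.sh, get_ssh_size, mkdir_save_path_ssh), building it once in a shared helper would keep them from diverging again.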
> >>>>>> @@ -162,7 +163,7 @@ get_ssh_size() {
> >>>>>> mkdir_save_path_ssh()
> >>>>>> {
> >>>>>> local _opt _dir
> >>>>>> - _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
> StrictHostKeyChecking=yes"
> >>>>>> + _opt="-i $SSH_KEY_LOCATION -o BatchMode=yes -o
> StrictHostKeyChecking=yes -i $SSH_KNOWN_HOSTS -o UserKnownHostsFile"
> >>>>>> ssh -qn $_opt $1 mkdir -p $SAVE_PATH 2>&1 >
> /dev/null
> >>>>>> _ret=$?
> >>>>>> if [ $_ret -ne 0 ]; then
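Review bot: mkdir_save_path_ssh carries the same wrong option string; replace `-i $SSH_KNOWN_HOSTS -o UserKnownHostsFile` with `-o UserKnownHostsFile=$SSH_KNOWN_HOSTS` here too.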
> >>>>>> @@ -385,6 +386,12 @@ if [ -f "$keyfile" ]; then
> >>>>>> SSH_KEY_LOCATION=$(/usr/bin/readlink -m $keyfile)
> >>>>>> fi
> >>>>>>
> >>>>>> +# if specified, get the known_hosts
> >>>>>> +known_hosts=$(awk '/^known_hosts/ {print $2}'
> $conf_file)
> >>>>>> +if [ -f "$known_hosts" ];then
> >>>>>> + SSH_KNOWN_HOSTS=$(/usr/bin/readlink -m $known_hosts)
> >>>>>> +fi
> >>>>>> +
> >>>>>> if [ "$(uname -m)" = "s390x" ]; then
> >>>>>> add_dracut_module "znet"
> >>>>>> fi
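Review bot: this hunk resolves the configured path but never adds the file to the initramfs; dump_ssh in dracut-kdump.sh will look for that path at crash time, when it exists only if 95ssh-client happened to copy it (the quoted module copies /root/.ssh/known_hosts and the files named in ssh_config, not a path taken from kdump.conf). Add an install step for `$SSH_KNOWN_HOSTS` next to the key file handling, quote `$known_hosts` in the readlink call, and tighten the awk pattern to `/^known_hosts[[:space:]]/` so it cannot match an unrelated directive that merely starts with that prefix.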
> >>>>>> --
> >>>>>> 2.17.1
> >>>>>>