Discussion:
1.9.1 scp problem
Marc Leeman
2008-02-14 14:29:05 UTC
There seems to be a small problem introduced with 1.9.1: trying to scp
out a file to another machine with 1.9.1 fails:

# scp server.port mleeman@10.0.0.6:

Host '10.0.0.6' is not in the trusted hosts file.
(fingerprint md5 18:c9:58:ab:3b:77:79:7e:30:70:76:4f:b8:41:12:a3)
Do you want to continue connecting? (y/n) y
<hang indefinitely>

When replacing the 1.9.1 with 1.9.0; this is no longer the case. Can
anybody reproduce this?

Transfers that are initiated from the other side (in this case, from
10.0.0.6) are just fine.
--
greetz, marc
It's going to be more real than real. It's going to be super 3-D
smell-o-vision in sensoround
Crichton - A Clockwork Nebari
chiana 2.6.18-4-ixp4xx #1 Tue Mar 27 18:01:56 BST 2007 GNU/Linux
Denys Vlasenko
2008-02-15 08:36:57 UTC
Post by Marc Leeman
There seems to be a small problem introduced with 1.9.1: trying to scp
Host '10.0.0.6' is not in the trusted hosts file.
(fingerprint md5 18:c9:58:ab:3b:77:79:7e:30:70:76:4f:b8:41:12:a3)
Do you want to continue connecting? (y/n) y
<hang indefinitely>
When replacing the 1.9.1 with 1.9.0; this is no longer the case. Can
anybody reproduce this?
I assume you mean:
'with "cp" on local machine being a "cp" from bbox 1.9.1'

Tried with current svn, doesn't happen.

can you do "strace -f -o logfile scp server.port mleeman@10.0.0.6"
and send the log (bzip2 if it's big)?

The result of "strace -f -o log scp TODO 127.0.0.1:/tmp"
on my machine is attached.

As far as I see, it does not even use any bbox apps, scp
execs ssh, not cp or something else...
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.bz2
Type: application/x-bzip2
Size: 5880 bytes
Desc: not available
Url : http://busybox.net/lists/busybox/attachments/20080215/3bc3d56d/attachment.bin
hinko.kocevar
2008-02-15 08:22:29 UTC
Post by Marc Leeman
There seems to be a small problem introduced with 1.9.1: trying to scp
Host '10.0.0.6' is not in the trusted hosts file.
(fingerprint md5 18:c9:58:ab:3b:77:79:7e:30:70:76:4f:b8:41:12:a3)
Do you want to continue connecting? (y/n) y
<hang indefinitely>
When replacing the 1.9.1 with 1.9.0; this is no longer the case. Can
anybody reproduce this?
And if you try to scp for the second time - eg. when the fingerprint is
already saved on your host? I've experienced similar problems with
earlier versions of busybox and it helped if fingerprint was already known.

HTH,
Hinko
--
ČETRTA POT, d.o.o., Kranj
Planina 3
4000 Kranj
Slovenia, Europe
Tel. +386 (0) 4 280 66 03
E-mail: hinko.kocevar at cetrtapot.si
Http: www.cetrtapot.si
Marc Leeman
2008-02-20 14:40:44 UTC
Post by hinko.kocevar
And if you try to scp for the second time - eg. when the fingerprint is
already saved on your host? I've experienced similar problems with
earlier versions of busybox and it helped if fingerprint was already known.
The fingerprint is never known: the .ssh/known_hosts file is linked to
/dev/null
--
greetz, marc
You honestly believe I could find you appealing? I mean, you're so,
so, blue!
Rygel - DNA Mad Scientist
chiana 2.6.18-4-ixp4xx #1 Tue Mar 27 18:01:56 BST 2007 GNU/Linux
Cristian Ionescu-Idbohrn
2008-02-20 17:28:37 UTC
Post by Marc Leeman
Post by hinko.kocevar
And if you try to scp for the second time - eg. when the fingerprint
is already saved on your host? I've experienced similar problems with
earlier versions of busybox and it helped if fingerprint was already known.
The fingerprint is never known: the .ssh/known_hosts file is linked to
/dev/null
Can't you change that?


Cheers,
--
Cristian
Denys Vlasenko
2008-02-20 19:40:31 UTC
Post by Cristian Ionescu-Idbohrn
Post by Marc Leeman
Post by hinko.kocevar
And if you try to scp for the second time - eg. when the fingerprint
is already saved on your host? I've experienced similar problems with
earlier versions of busybox and it helped if fingerprint was already known.
The fingerprint is never known: the .ssh/known_hosts file is linked to
/dev/null
Can't you change that?
Actually, I've seen this a lot. If you have default /etc/ssh/ssh_config,
ssh will ask

Host '10.0.0.6' is not in the trusted hosts file.
(fingerprint md5 18:c9:58:ab:3b:77:79:7e:30:70:76:4f:b8:41:12:a3)
Do you want to continue connecting? (y/n)

whenever you talk to a host for the first time.
Which is annoying. But if you talk to the host for the first time
_using scp_, it is not only annoying - it doesn't work.
You cannot answer that prompt - pressing "y" doesn't work.

I recommend setting

StrictHostKeyChecking no

in /etc/ssh/ssh_config (by default it is set to "ask").
This way, ssh will just remember the host's fingerprint without
prompting.
--
vda
Cristian Ionescu-Idbohrn
2008-02-20 20:22:17 UTC
Post by Denys Vlasenko
Actually, I've seen this a lot. If you have default /etc/ssh/ssh_config,
ssh will ask
Host '10.0.0.6' is not in the trusted hosts file.
(fingerprint md5 18:c9:58:ab:3b:77:79:7e:30:70:76:4f:b8:41:12:a3)
Do you want to continue connecting? (y/n)
Which is a good (tm) thing. Validate the fingerprint and get over with
it.
Post by Denys Vlasenko
whenever you talk to a host for the first time.
Which is annoying.
Which is also (IMO) a good thing. You should not need to answer that more
than once. At least until the MITM surprises you.
Post by Denys Vlasenko
But if you talk to the host for the first time
_using scp_, it is not only annoying - it doesn't work.
Not supposed to, is it?
Post by Denys Vlasenko
You cannot answer that prompt - pressing "y" doesn't work.
I didn't experience that.
Post by Denys Vlasenko
I recommend setting
StrictHostKeyChecking no
I wouldn't.
Post by Denys Vlasenko
in /etc/ssh/ssh_config (by default it is set to "ask").
This way, ssh will just remember the host's fingerprint without
prompting.
And the MITM will have his way.

All, unless you trust every movement on your network.


Cheers,
--
Cristian
Denys Vlasenko
2008-02-20 20:56:38 UTC
Post by Cristian Ionescu-Idbohrn
Post by Denys Vlasenko
I recommend setting
StrictHostKeyChecking no
I wouldn't.
Post by Denys Vlasenko
in /etc/ssh/ssh_config (by default it is set to "ask").
This way, ssh will just remember the host's fingerprint without
prompting.
And the MITM will have his way.
All, unless you trust every movement on your network.
Well, it happens only on first connect. On next connects, fingerprint
is already stored and remote's fingerprint is compared to it.
If it doesn't match, you get big fat warning and ssh aborts.

Which makes sense. When you meet someone for the very first time,
usually you have no means to verify it. When you connected
to your bank's e-banking system over https _for the first time_,
did you actually verify that it is your bank's site,
not someone else playing with DNS spoofing?
--
vda
Cristian Ionescu-Idbohrn
2008-02-20 21:08:15 UTC
Post by Denys Vlasenko
Post by Cristian Ionescu-Idbohrn
And the MITM will have his way.
All, unless you trust every movement on your network.
Well, it happens only on first connect.
But, of course.
Post by Denys Vlasenko
On next connects, fingerprint is already stored and remote's fingerprint
is compared to it. If it doesn't match, you get big fat warning and ssh
aborts.
Sure.
Post by Denys Vlasenko
Which makes sense.
If you say so.
Post by Denys Vlasenko
When you meet someone for the very first time,
usually you have no means to verify it.
True, unfortunately.
Post by Denys Vlasenko
When you connected to your bank's e-banking system over https _for the
first time_, did you actually verify that it is your bank's site, not
someone else playing with DNS spoofing?
Also true. But is it acceptable banks do not provide fingerprints for
their certificates? And who bothers?


Cheers,
--
Cristian
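
Added example (not part of the original thread, and not BusyBox or OpenSSH code): the alternative to "StrictHostKeyChecking no" that the replies above argue for, namely checking the offered host key against a fingerprint obtained out of band and only then producing the known_hosts entry, so a later scp never reaches the interactive prompt. The function names are hypothetical and the sample key is constructed, not a real host key.

```python
import base64
import hashlib
import hmac
import struct

def parse_host_key(line):
    """Split a 'host keytype base64' line and check the blob's embedded type."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # SSH wire format: length-prefixed type name
    if blob[4:4 + n].decode("ascii") != keytype:
        raise ValueError("declared key type does not match key blob")
    return host, keytype, blob

def md5_fingerprint(blob):
    """Colon-separated MD5 hex, the format shown in the prompt quoted in the thread."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """SHA256 form printed by current OpenSSH (base64 with padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def pin_host(line, expected_fp):
    """Return the known_hosts entry only if the key matches the out-of-band fingerprint."""
    host, keytype, blob = parse_host_key(line)
    if expected_fp.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    else:
        actual = md5_fingerprint(blob)
        expected_fp = expected_fp.lower()
    if not hmac.compare_digest(actual.encode(), expected_fp.encode()):
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}")
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"

def constructed_line(host, seed):
    # Constructed sample: wire-format ed25519 blob holding 32 dummy bytes.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    offered = constructed_line("10.0.0.6", 1)  # key presented over the network
    trusted_fp = md5_fingerprint(parse_host_key(offered)[2])  # stands in for the value read on the host's console
    print(pin_host(offered, trusted_fp))
    try:
        pin_host(constructed_line("10.0.0.6", 2), trusted_fp)  # different key, same host
    except ValueError as err:
        print("rejected:", err)
```
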