[
https://issues.apache.org/jira/browse/NIFI-7049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arpad Boda updated NIFI-7049:
-----------------------------
Description:
In case NiFi test are executed on a machine without knows_hosts file, it's
going to fail.
Just pasting my private message that summarised this error previously:
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/SFTPTransfer.java#L556
So the problem is that host key file is not a mandatory, but in case it’s not
provided, we call load on the 3rd party lib without arguments:
https://github.com/hierynomus/sshj/blob/master/src/main/java/net/schmizz/sshj/SSHClient.java#L621
Which tries to load keys from the default location, but this is far from what
we state in our documentation:
{code}Host Key File If supplied, the given file will be used as the
Host Key; otherwise, no use host key file will be used {code}
So there are multiple issues here:
-Even though the ssh connection fails, somewhere the IO exception is swallowed.
Didn’t reproduce to check the logs, but I would expect exceptions to be thrown
in the testcase and these being talkative about the error. My gut feeling says
that we do the same in case the user specifies a host key file, but it’s
somehow not accessible.
-Strict host check on/off might not be enough to cover all the scenarios as
there are three: host 1# known and key matches, 2# host not known and we either
trust or not, 3# host known, but there is a mismatch (probably man in the
middle). I think this property should be improved at least in documentation
point of view as currently only the code tells what do we do in 2#. Which
depends on whether the file exists or not, so something stupid.
-Either the documentation or the behaviour should be fixed to make them aligned
(you are the security guy to tell which one is right :wink: )
-The testcase should either use a predefined key or have host key checking
completely off. According to what we see above, not sure about the latter being
nicely supported.
was:
Just pasting my private message that summarised this error:
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/SFTPTransfer.java#L556
So the problem is that host key file is not a mandatory, but in case it’s not
provided, we call load on the 3rd party lib without arguments:
https://github.com/hierynomus/sshj/blob/master/src/main/java/net/schmizz/sshj/SSHClient.java#L621
Which tries to load keys from the default location, but this is far from what
we state in our documentation:
{code}Host Key File If supplied, the given file will be used as the
Host Key; otherwise, no use host key file will be used {code}
So there are multiple issues here:
-Even though the ssh connection fails, somewhere the IO exception is swallowed.
Didn’t reproduce to check the logs, but I would expect exceptions to be thrown
in the testcase and these being talkative about the error. My gut feeling says
that we do the same in case the user specifies a host key file, but it’s
somehow not accessible.
-Strict host check on/off might not be enough to cover all the scenarios as
there are three: host 1# known and key matches, 2# host not known and we either
trust or not, 3# host known, but there is a mismatch (probably man in the
middle). I think this property should be improved at least in documentation
point of view as currently only the code tells what do we do in 2#. Which
depends on whether the file exists or not, so something stupid.
-Either the documentation or the behaviour should be fixed to make them aligned
(you are the security guy to tell which one is right :wink: )
-The testcase should either use a predefined key or have host key checking
completely off. According to what we see above, not sure about the latter being
nicely supported.
> SFTP processors shouldn't silently try to access known hosts file on the
> system
> -------------------------------------------------------------------------------
>
> Key: NIFI-7049
> URL: https://issues.apache.org/jira/browse/NIFI-7049
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 1.10.0
> Reporter: Arpad Boda
> Priority: Major
>
> In case NiFi test are executed on a machine without knows_hosts file, it's
> going to fail.
> Just pasting my private message that summarised this error previously:
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/util/SFTPTransfer.java#L556
> So the problem is that host key file is not a mandatory, but in case it’s
> not provided, we call load on the 3rd party lib without arguments:
> https://github.com/hierynomus/sshj/blob/master/src/main/java/net/schmizz/sshj/SSHClient.java#L621
> Which tries to load keys from the default location, but this is far from what
> we state in our documentation:
> {code}Host Key File If supplied, the given file will be used as
> the Host Key; otherwise, no use host key file will be used {code}
> So there are multiple issues here:
> -Even though the ssh connection fails, somewhere the IO exception is
> swallowed. Didn’t reproduce to check the logs, but I would expect exceptions
> to be thrown in the testcase and these being talkative about the error. My
> gut feeling says that we do the same in case the user specifies a host key
> file, but it’s somehow not accessible.
> -Strict host check on/off might not be enough to cover all the scenarios as
> there are three: host 1# known and key matches, 2# host not known and we
> either trust or not, 3# host known, but there is a mismatch (probably man in
> the middle). I think this property should be improved at least in
> documentation point of view as currently only the code tells what do we do in
> 2#. Which depends on whether the file exists or not, so something stupid.
> -Either the documentation or the behaviour should be fixed to make them
> aligned (you are the security guy to tell which one is right :wink: )
> -The testcase should either use a predefined key or have host key checking
> completely off. According to what we see above, not sure about the latter
> being nicely supported.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
