Libguestfs - Jun 2021 - [PATCH nbdkit] plugins/ssh: remove pointless code fetching SHA1 fingerprint

The result of calling ssh_get_publickey_hash() is never used in the
code, simply being freed on all exit paths. It appears this was
copied from the libssh docs example code, where the fingerprint
was indeed printed on the console.

The ssh_session_is_known_server() call will validate against any
fingerprint stored in the $HOME/.ssh/known_hosts file. The hashes
in this file will use the algorithm configured for the openssh
client, which will usually be SHA256 in modern OS.

Signed-off-by: Daniel P. Berrang? <berrange at redhat.com>
---
 plugins/ssh/ssh.c | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/plugins/ssh/ssh.c b/plugins/ssh/ssh.c
index 994e9834..6d18f18d 100644
--- a/plugins/ssh/ssh.c
+++ b/plugins/ssh/ssh.c
@@ -228,14 +228,6 @@ do_verify_remote_host (struct ssh_handle *h)
     nbdkit_error ("could not get server public key");
     return -1;
   }
-  rc = ssh_get_publickey_hash (srv_pubkey,
-                               SSH_PUBLICKEY_HASH_SHA1,
-                               &hash, &hlen);
-  ssh_key_free (srv_pubkey);
-  if (rc < 0) {
-    nbdkit_error ("could not get server public key SHA1 hash");
-    return -1;
-  }
 
   state = ssh_session_is_known_server (h->session);
   switch (state) {
@@ -245,13 +237,11 @@ do_verify_remote_host (struct ssh_handle *h)
 
   case SSH_KNOWN_HOSTS_CHANGED:
     nbdkit_error ("host key for server changed");
-    ssh_clean_pubkey_hash (&hash);
     return -1;
 
   case SSH_KNOWN_HOSTS_OTHER:
     nbdkit_error ("host key for server was not found "
                   "but another type of key exists");
-    ssh_clean_pubkey_hash (&hash);
     return -1;
 
   case SSH_KNOWN_HOSTS_NOT_FOUND:
@@ -259,22 +249,18 @@ do_verify_remote_host (struct ssh_handle *h)
      * host key is set up before using nbdkit so we error out here.
      */
     nbdkit_error ("could not find known_hosts file");
-    ssh_clean_pubkey_hash (&hash);
     return -1;
 
   case SSH_KNOWN_HOSTS_UNKNOWN:
     nbdkit_error ("host key is unknown, you must use ssh first "
                   "and accept the host key");
-    ssh_clean_pubkey_hash (&hash);
     return -1;
 
   case SSH_KNOWN_HOSTS_ERROR:
     nbdkit_error ("known hosts error: %s", ssh_get_error
(h->session));
-    ssh_clean_pubkey_hash (&hash);
     return -1;
   }
 
-  ssh_clean_pubkey_hash (&hash);
   return 0;
 }
 
-- 
2.31.1

On Tue, Jun 22, 2021 at 01:24:56PM +0100, Daniel P. Berrang?
wrote:
> The result of calling ssh_get_publickey_hash() is never used in the
> code, simply being freed on all exit paths. It appears this was
> copied from the libssh docs example code, where the fingerprint
> was indeed printed on the console.
> 
> The ssh_session_is_known_server() call will validate against any
> fingerprint stored in the $HOME/.ssh/known_hosts file. The hashes
> in this file will use the algorithm configured for the openssh
> client, which will usually be SHA256 in modern OS.
> 
> Signed-off-by: Daniel P. Berrang? <berrange at redhat.com>
> ---
>  plugins/ssh/ssh.c | 14 --------------
>  1 file changed, 14 deletions(-)
> 
> diff --git a/plugins/ssh/ssh.c b/plugins/ssh/ssh.c
> index 994e9834..6d18f18d 100644
> --- a/plugins/ssh/ssh.c
> +++ b/plugins/ssh/ssh.c
> @@ -228,14 +228,6 @@ do_verify_remote_host (struct ssh_handle *h)
>      nbdkit_error ("could not get server public key");
>      return -1;
>    }
> -  rc = ssh_get_publickey_hash (srv_pubkey,
> -                               SSH_PUBLICKEY_HASH_SHA1,
> -                               &hash, &hlen);
This makes the hash and hlen variables unused, but that's an easy fix.
I fixed it and pushed it, thanks.

Rich.
> -  ssh_key_free (srv_pubkey);
> -  if (rc < 0) {
> -    nbdkit_error ("could not get server public key SHA1 hash");
> -    return -1;
> -  }
>  
>    state = ssh_session_is_known_server (h->session);
>    switch (state) {
> @@ -245,13 +237,11 @@ do_verify_remote_host (struct ssh_handle *h)
>  
>    case SSH_KNOWN_HOSTS_CHANGED:
>      nbdkit_error ("host key for server changed");
> -    ssh_clean_pubkey_hash (&hash);
>      return -1;
>  
>    case SSH_KNOWN_HOSTS_OTHER:
>      nbdkit_error ("host key for server was not found "
>                    "but another type of key exists");
> -    ssh_clean_pubkey_hash (&hash);
>      return -1;
>  
>    case SSH_KNOWN_HOSTS_NOT_FOUND:
> @@ -259,22 +249,18 @@ do_verify_remote_host (struct ssh_handle *h)
>       * host key is set up before using nbdkit so we error out here.
>       */
>      nbdkit_error ("could not find known_hosts file");
> -    ssh_clean_pubkey_hash (&hash);
>      return -1;
>  
>    case SSH_KNOWN_HOSTS_UNKNOWN:
>      nbdkit_error ("host key is unknown, you must use ssh first "
>                    "and accept the host key");
> -    ssh_clean_pubkey_hash (&hash);
>      return -1;
>  
>    case SSH_KNOWN_HOSTS_ERROR:
>      nbdkit_error ("known hosts error: %s", ssh_get_error
(h->session));
> -    ssh_clean_pubkey_hash (&hash);
>      return -1;
>    }
>  
> -  ssh_clean_pubkey_hash (&hash);
>    return 0;
>  }
>  
> -- 
> 2.31.1
> 
> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://listman.redhat.com/mailman/listinfo/libguestfs
-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html