Canonical Juju

Bug #1473069
Comment #22

Comment 22 for bug 1473069

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2017-01-06:

#22

This bug is crazy :)

juju ssh <n>, where <n> is a remote node in a MAAS cluster far far away, tries to connect to my local virbr0 interface:
andreas@nsn7:~$ juju ssh --debug 5
17:24:41 INFO juju.cmd supercommand.go:63 running juju [2.1-beta3 gc go1.6.2]
17:24:41 DEBUG juju.cmd supercommand.go:64 args: []string{"juju", "ssh", "--debug", "5"}
17:24:41 INFO juju.juju api.go:72 connecting to API addresses: [10.245.202.4:17070]
17:24:41 INFO juju.api apiclient.go:570 dialing "wss://10.245.202.4:17070/model/7a97887e-34b0-4d7f-82c2-53e1cba1d8d2/api"
17:24:42 INFO juju.api apiclient.go:501 connection established to "wss://10.245.202.4:17070/model/7a97887e-34b0-4d7f-82c2-53e1cba1d8d2/api"
17:24:43 DEBUG juju.juju api.go:263 API hostnames unchanged - not resolving
17:24:43 DEBUG juju.cmd.juju.commands ssh_common.go:263 proxy-ssh is false
17:24:43 INFO juju.network hostport.go:274 dialed "192.168.122.1:22" successfully
17:24:43 DEBUG juju.cmd.juju.commands ssh_common.go:367 using target "5" address "192.168.122.1"
17:24:44 DEBUG juju.utils.ssh ssh.go:292 using OpenSSH ssh client
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:r34Eo3QVARHyMofRFeWv5ETsgykBh1jJMx2a5A8cCcM.
Please contact your system administrator.
Add correct host key in /tmp/ssh_known_hosts181812550 to get rid of this message.
Offending RSA key in /tmp/ssh_known_hosts181812550:7
remove with:
ssh-keygen -f "/tmp/ssh_known_hosts181812550" -R 192.168.122.1
ECDSA host key for 192.168.122.1 has changed and you have requested strict checking.
Host key verification failed.
17:24:44 DEBUG juju.api monitor.go:35 RPC connection died
17:24:44 INFO cmd supercommand.go:465 command finished

andreas@nsn7:~$ ip a show dev virbr0
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

/var/log/auth:
Jan 6 17:33:46 nsn7 sshd[32461]: Did not receive identification string from 192.168.122.1
Jan 6 17:33:46 nsn7 sshd[32463]: Connection closed by 192.168.122.1 port 43590 [preauth]

machine 5 in juju status:
Machine State DNS Inst id Series AZ
1 started 10.245.200.40 4y3h8m xenial budapest
1/lxd/0 started 10.245.202.15 juju-a1d8d2-1-lxd-0 xenial
2 started 10.245.200.36 4y3h8k xenial budapest
2/lxd/0 started 10.245.200.41 juju-a1d8d2-2-lxd-0 xenial
5 started 10.245.200.37 4y3ha8 xenial prague
...

This bug is crazy :)

juju ssh <n>, where <n> is a remote node in a MAAS cluster far far away, tries to connect to my local virbr0 interface:
andreas@nsn7:~$ juju ssh --debug 5
17:24:41 INFO  juju.cmd supercommand.go:63 running juju [2.1-beta3 gc go1.6.2]
17:24:41 DEBUG juju.cmd supercommand.go:64   args: []string{"juju", "ssh", "--debug", "5"}
17:24:41 INFO  juju.juju api.go:72 connecting to API addresses: [10.245.202.4:17070]
17:24:41 INFO  juju.api apiclient.go:570 dialing "wss://10.245.202.4:17070/model/7a97887e-34b0-4d7f-82c2-53e1cba1d8d2/api"
17:24:42 INFO  juju.api apiclient.go:501 connection established to "wss://10.245.202.4:17070/model/7a97887e-34b0-4d7f-82c2-53e1cba1d8d2/api"
17:24:43 DEBUG juju.juju api.go:263 API hostnames unchanged - not resolving
17:24:43 DEBUG juju.cmd.juju.commands ssh_common.go:263 proxy-ssh is false
17:24:43 INFO  juju.network hostport.go:274 dialed "192.168.122.1:22" successfully
17:24:43 DEBUG juju.cmd.juju.commands ssh_common.go:367 using target "5" address "192.168.122.1"
17:24:44 DEBUG juju.utils.ssh ssh.go:292 using OpenSSH ssh client
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:r34Eo3QVARHyMofRFeWv5ETsgykBh1jJMx2a5A8cCcM.
Please contact your system administrator.
Add correct host key in /tmp/ssh_known_hosts181812550 to get rid of this message.
Offending RSA key in /tmp/ssh_known_hosts181812550:7
  remove with:
  ssh-keygen -f "/tmp/ssh_known_hosts181812550" -R 192.168.122.1
ECDSA host key for 192.168.122.1 has changed and you have requested strict checking.
Host key verification failed.
17:24:44 DEBUG juju.api monitor.go:35 RPC connection died
17:24:44 INFO  cmd supercommand.go:465 command finished

/var/log/auth:
Jan  6 17:33:46 nsn7 sshd[32461]: Did not receive identification string from 192.168.122.1
Jan  6 17:33:46 nsn7 sshd[32463]: Connection closed by 192.168.122.1 port 43590 [preauth]

machine 5 in juju status:
Machine  State    DNS            Inst id              Series  AZ
1        started  10.245.200.40  4y3h8m               xenial  budapest
1/lxd/0  started  10.245.202.15  juju-a1d8d2-1-lxd-0  xenial  
2        started  10.245.200.36  4y3h8k               xenial  budapest
2/lxd/0  started  10.245.200.41  juju-a1d8d2-2-lxd-0  xenial  
5        started  10.245.200.37  4y3ha8               xenial  prague
...