juju ssh fails to connect when host keys have been changed (until the machine agent is restarted)

Bug #1940956 reported by Loïc Gomez
This bug affects 3 people
Affects: Canonical Juju
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

When trying to connect to a machine with juju ssh, it might fail with this error:

$ juju ssh 6
ERROR cannot connect to any address: [10.0.5.26:22 my.host.name:22]

Enabling debug gives a lot more details, including:

12:26:57 DEBUG juju.network.ssh reachable.go:110 host key for 10.0.5.26:22 not in our accepted set: log at TRACE to see raw keys
12:26:57 DEBUG juju.network.ssh reachable.go:110 host key for my.host.name:22 at 10.0.5.26:22 not in our accepted set: log at TRACE to see raw keys
12:26:57 DEBUG juju.network.ssh reachable.go:159 dial 10.0.5.26:22 failed with: dial tcp 10.0.5.26:22: i/o timeout
12:26:57 DEBUG juju.cmd.juju.commands ssh_machine.go:516 getting target "6" address(es) failed: cannot connect to any address: [10.0.5.26:22 my.host.name:22] (retrying)

We should be able to tell juju to either update or remove SSH host keys from its internal database in case there's been a voluntary change of these on a machine.

Also, the error message should be clearer and tell the user this is a host keys trust issue.

As a workaround, it's possible to juju ssh --no-host-key-checks, but security-wise I wouldn't recommend it.

Thanks

Loïc Gomez (kotodama)
description: updated
Haw Loeung (hloeung)
Changed in juju:
status: New → Confirmed
John A Meinel (jameinel) wrote :

Digging internally, it looks like the host keys are checked on machine agent start. So one workaround should be to just bounce the machine agent (juju run --machine 10 systemctl restart jujud-machine-10).

I think we could treat host key checking (where we got valid keys but they didn't match our records) at something higher than DEBUG.

John A Meinel (jameinel)
Changed in juju:
importance: Undecided → Medium
milestone: 2.9.1 → 2.9.13
status: Confirmed → Triaged
tags: added: bitesize
James Simpson (jsimpso) wrote :

Thanks John - can confirm that restarting the machine agent got this working for us. Really appreciate the quick response there!

FWIW we figured out that the root cause of our particular issue was actually an openssh package upgrade - we had originally removed our ECDSA host key and the package upgrade very helpfully created a new one.

Changed in juju:
milestone: 2.9.13 → 2.9.14
Changed in juju:
milestone: 2.9.14 → 2.9.15
John A Meinel (jameinel)
summary: - juju ssh fails to connect when host keys have been changed
+ juju ssh fails to connect when host keys have been changed (until the
+ machine agent is restarted)
Changed in juju:
importance: Medium → Low
Changed in juju:
milestone: 2.9.15 → 2.9.16
Changed in juju:
milestone: 2.9.16 → 2.9.17
Changed in juju:
milestone: 2.9.17 → 2.9.18
Changed in juju:
milestone: 2.9.18 → 2.9.19
Changed in juju:
milestone: 2.9.19 → 2.9.20
Changed in juju:
milestone: 2.9.20 → 2.9.21
Changed in juju:
milestone: 2.9.21 → 2.9.22
Changed in juju:
milestone: 2.9.22 → 2.9.23
Changed in juju:
milestone: 2.9.23 → 2.9.24
Changed in juju:
milestone: 2.9.24 → 2.9.25
Changed in juju:
milestone: 2.9.25 → 2.9.26
Changed in juju:
milestone: 2.9.26 → 2.9.27
Changed in juju:
milestone: 2.9.27 → 2.9.28
Changed in juju:
milestone: 2.9.28 → 2.9.29
John A Meinel (jameinel) wrote :

The one thing we could do better here is:
a) better docs around how to handle if your SSH server keys have changed
b) better error messages if trying to SSH is failing because the host keys the client is seeing don't match the expected host keys (as it is functionally a sign of a person-in-the-middle attack).
However, as the workaround works (restarting the machine agent), we probably won't schedule this work in the next 6 months.
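The clearer error asked for in (b), as an added example that is not juju's own code: a small Python triage over the --debug lines quoted in the description, which separates a host-key trust failure (the handshake reached a server but its key is outside the accepted set) from a plain connectivity failure. The log text is constructed from the lines in this report; the regexes and function names are my own assumptions about the log shape, not a juju API.

```python
import re

# Constructed sample in the shape of the `juju ssh --debug` lines quoted in this report.
SAMPLE_LOG = """\
12:26:57 DEBUG juju.network.ssh reachable.go:110 host key for 10.0.5.26:22 not in our accepted set: log at TRACE to see raw keys
12:26:57 DEBUG juju.network.ssh reachable.go:110 host key for my.host.name:22 at 10.0.5.26:22 not in our accepted set: log at TRACE to see raw keys
12:26:57 DEBUG juju.network.ssh reachable.go:159 dial 10.0.5.26:22 failed with: dial tcp 10.0.5.26:22: i/o timeout
12:26:57 DEBUG juju.cmd.juju.commands ssh_machine.go:516 getting target "6" address(es) failed: cannot connect to any address: [10.0.5.26:22 my.host.name:22] (retrying)
"""

KEY_MISMATCH = re.compile(r"host key for (?P<addr>\S+)(?: at (?P<via>\S+))? not in our accepted set")
DIAL_FAILED = re.compile(r"dial (?P<addr>\S+) failed with: (?P<err>.+)$")
TARGET_FAILED = re.compile(r'getting target "(?P<target>[^"]+)" address\(es\) failed')


def triage(log_text):
    """Group the per-address evidence: which addresses presented a key outside
    the accepted set, and which could not be dialled at all."""
    mismatched, dial_errors, target = set(), {}, None
    for line in log_text.splitlines():
        if m := KEY_MISMATCH.search(line):
            # A mismatch means the SSH handshake got far enough to receive a host key:
            # the server was reachable, so trust, not connectivity, is the root cause.
            mismatched.add(m.group("addr"))
        elif m := DIAL_FAILED.search(line):
            dial_errors[m.group("addr")] = m.group("err")
        elif m := TARGET_FAILED.search(line):
            target = m.group("target")
    return target, mismatched, dial_errors


def diagnose(log_text):
    """Return (category, message): the user-facing error the report asks for."""
    target, mismatched, dial_errors = triage(log_text)
    if mismatched:
        return ("host-key-trust",
                f"machine {target}: key presented by {', '.join(sorted(mismatched))} is not in "
                "juju's accepted set. Verify the key change out of band (e.g. an openssh upgrade "
                "regenerating a host key), then restart the machine agent so it re-records the "
                "keys; avoid --no-host-key-checks, which disables the trust check entirely.")
    if dial_errors:
        detail = "; ".join(f"{a}: {e}" for a, e in sorted(dial_errors.items()))
        return ("network", f"machine {target}: no SSH server reached: {detail}")
    return ("unknown", "no juju.network.ssh evidence in this log")


if __name__ == "__main__":
    print(*diagnose(SAMPLE_LOG), sep=": ")
```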

Changed in juju:
milestone: 2.9.29 → none
Loïc Gomez (kotodama)
tags: added: canonical-is