profile
viewpoint

Ask questionssalt-ssh always tries to connect to reverse hostname

Description of Issue/Question

Can't connect to a minion via salt-ssh, although plain ssh works just fine. It looks like salt does reverse IP lookup and then uses this new address to connect via ssh. The machine is located behind a NAT and the connection is established via port-forwarding.

Related issues:

  • #48676
  • #47150 (PR #47191)
  • #47529
  • #49665
  • #49968

Steps to Reproduce Issue

% salt-ssh --user pi --sudo -i minion.example.com test.ping

11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known

The same with IP address:

% salt-ssh --user pi --sudo -i 11.22.33.44 test.ping

11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known

DNS info:

dig +short minion.example.com
11.22.33.44

dig +short -x 11.22.33.44
11.22.33.44.provider.com.

dig +short 11.22.33.44.provider.com.

Note the last command. It doesn't return anything, and that is the reason why it fails.

And also the second command dig +short -x 11.22.33.44 could return any garbage (it is set up by the hosting provider, not by the owner of example.com). Salt shouldn't trust that data to connect to hosts.

The log below shows that salt-ssh uses reverse hostname to connect and not the one I specified on the command line. I feel this could be potentially bad security-wise.

[TRACE   ] Terminal Command: /bin/sh -c 11-22-33-44.provider.com -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o Port=22 -o IdentityFile=agent-forwarding -o User=pi  /bin/sh << 'EOF'

Versions Report

<details><summary>salt --versions-report</summary>

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.6.6 (default, Jun 28 2018, 05:43:53)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist:
         locale: UTF-8
        machine: x86_64
        release: 17.7.0
         system: Darwin
        version: 10.13.6 x86_64

</details>

saltstack/salt

Answer questions jf

To add on (why, why, why) I now discover that with the latest version of salt-ssh on the mac, whereas in the past I just needed to have a host be added to /etc/salt/roster, now I need to have a reverse entry for it in /etc/hosts as well??

Without an entry in /etc/hosts:

# salt-ssh vm-aa test.ping
[ERROR   ] Target 'vm-aa' did not return any data, probably due to an error.
vm-aa:
    Target 'vm-aa' did not return any data, probably due to an error.
Salt Version:
           Salt: 3000.1

Dependency Versions:
           cffi: 1.12.2
       cherrypy: unknown
       dateutil: 2.8.0
      docker-py: Not Installed
          gitdb: 2.0.6
      gitpython: 2.1.15
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.7
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: 3.8.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.5.4 (default, Mar 27 2020, 15:24:03)
   python-gnupg: 0.4.4
         PyYAML: 5.1.2
          PyZMQ: 18.0.1
          smmap: 3.0.1
        timelib: 0.2.4
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist:
         locale: UTF-8
        machine: x86_64
        release: 19.3.0
         system: Darwin
        version: 10.15.3 x86_64
useful!

Related questions

Neon: name 'pip' is not defined hot 1
Typos/missing spaces in grains/core.py get_server_id() hot 1
Proxy minion startup problem hot 1
GPG Decryption Failed hot 1
salt-api authentication denied (http 401 is returned) using runner module hot 1
salt-master on CentOS 7 using the Python 3 packages cannot use pygit2 via normal means hot 1
GitFS locking issues hot 1
Fix this warning please. hot 1
Salt Master 2018.3.4 on Debian 9 with Python3 - Can't use gitfs at all hot 1
x509.sign_remote_certificate not working after upgrade to 2019.2.0 hot 1
win_wua.<anything> tracebacks on some computers hot 1
2019.2.1: Warning: zmq.eventloop.minitornado is deprecated in pyzmq 14.0 and will be removed hot 1
Could "pip3 install salt" break the existing salt installation? hot 1
Log filled with "Exception occurred while Subscriber handling stream: Already reading" hot 1
salt state 'pkg.install' was not found in SLS - windows os hot 1
Github User Rank List