
salt-ssh always tries to connect to reverse hostname

Description of Issue/Question

Can't connect to a minion via salt-ssh, although plain ssh works just fine. It looks like Salt does a reverse IP lookup and then uses this new address to connect via ssh. The machine is located behind a NAT and the connection is established via port-forwarding.

Related issues:

  • #48676
  • #47150 (PR #47191)
  • #47529
  • #49665
  • #49968

Steps to Reproduce Issue

% salt-ssh --user pi --sudo -i minion.example.com test.ping

11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known

The same with IP address:

% salt-ssh --user pi --sudo -i 11.22.33.44 test.ping

11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known

DNS info:

dig +short minion.example.com
11.22.33.44

dig +short -x 11.22.33.44
11.22.33.44.provider.com.

dig +short 11.22.33.44.provider.com.

Note the last command. It doesn't return anything, and that is the reason why it fails.

Also, the second command (dig +short -x 11.22.33.44) could return any garbage (it is set up by the hosting provider, not by the owner of example.com). Salt shouldn't trust that data to connect to hosts.

The log below shows that salt-ssh uses the reverse hostname to connect and not the one I specified on the command line. I feel this could be potentially bad security-wise.

[TRACE   ] Terminal Command: /bin/sh -c 11-22-33-44.provider.com -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o Port=22 -o IdentityFile=agent-forwarding -o User=pi  /bin/sh << 'EOF'

Versions Report

<details><summary>salt --versions-report</summary>

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.6.6 (default, Jun 28 2018, 05:43:53)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist:
         locale: UTF-8
        machine: x86_64
        release: 17.7.0
         system: Darwin
        version: 10.13.6 x86_64

</details>
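The resolution failure described in the report, as an added example that is not part of the original issue and not Salt's own code: a Python model of the two host-selection strategies run against a constructed in-memory zone that mirrors the dig output above. FakeResolver, naive_ssh_host, safe_ssh_host and fcrdns_name are names made up for this illustration, and the second zone (other.provider.com, 198.51.100.9) is a hypothetical provider PTR that points at a different machine; neither is taken from the page.

```python
"""Added example, not code from Salt or from the issue's author.

Models the DNS data in the report with a constructed in-memory resolver and
compares two ways of choosing the host that ssh is told to connect to:

  naive_ssh_host : target -> A record -> PTR name -> connect to the PTR name
                   (what the TRACE line in the report shows salt-ssh doing)
  safe_ssh_host  : always connect to the operator-supplied target; a PTR name
                   is only accepted as a label, and only when it is
                   forward-confirmed (its A record points back at the IP).

All names and addresses are the placeholders used in the report or made up.
"""
import ipaddress


class ResolveError(LookupError):
    """Stands in for ssh's 'Could not resolve hostname' failure."""


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline."""

    def __init__(self, forward, reverse):
        self.forward = dict(forward)   # name -> IP   (A record)
        self.reverse = dict(reverse)   # IP   -> name (PTR record)

    def a(self, name):
        try:
            return self.forward[name]
        except KeyError:
            raise ResolveError(f"Could not resolve hostname {name}") from None

    def ptr(self, ip):
        return self.reverse.get(ip)    # None when the provider set no PTR


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def to_ip(resolver, target):
    return target if is_ip(target) else resolver.a(target)


def naive_ssh_host(resolver, target):
    """Reproduces the reported behaviour: connect to whatever the PTR says."""
    ip = to_ip(resolver, target)
    name = resolver.ptr(ip)
    if name is None:
        return target              # no PTR record: nothing to substitute
    resolver.a(name)               # ssh resolves it next; fails as in the report
    return name


def fcrdns_name(resolver, ip):
    """Return the PTR name only if it is forward-confirmed, else None."""
    name = resolver.ptr(ip)
    if name is None:
        return None
    try:
        return name if resolver.a(name) == ip else None
    except ResolveError:
        return None


def safe_ssh_host(resolver, target):
    """Connect to what the operator typed; third-party PTR data never wins."""
    to_ip(resolver, target)        # still fail early if the target itself is bogus
    return target


# Zone 1: exactly the dig output in the report; the PTR name has no A record.
REPORTED = FakeResolver(
    forward={"minion.example.com": "11.22.33.44"},
    reverse={"11.22.33.44": "11-22-33-44.provider.com"},
)

# Zone 2 (hypothetical): the provider's PTR names a host that resolves to a
# different address. With StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null
# (both visible in the TRACE line), the naive strategy would ssh there without
# any host-key warning.
REDIRECTED = FakeResolver(
    forward={"minion.example.com": "11.22.33.44",
             "other.provider.com": "198.51.100.9"},
    reverse={"11.22.33.44": "other.provider.com"},
)

if __name__ == "__main__":
    for label, zone in (("reported", REPORTED), ("redirected", REDIRECTED)):
        for target in ("minion.example.com", "11.22.33.44"):
            try:
                print(label, target, "naive ->", naive_ssh_host(zone, target))
            except ResolveError as err:
                print(label, target, "naive ->", err)
            print(label, target, "safe  ->", safe_ssh_host(zone, target),
                  "| forward-confirmed PTR:", fcrdns_name(zone, "11.22.33.44"))
```

The point of the split is that a PTR record is data published by whoever controls the reverse zone for the address, which for a NATed or hosted box is the provider, not the minion's owner. Using it as the connect target turns a cosmetic display-name lookup into a control decision; keeping the operator's target and treating the PTR as a label that must forward-confirm removes that dependency entirely.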


Reply from jf

@Ch3LL I think the problem might be somewhere else. At least on my system.

If I insert a log.error(running) in the handle_ssh method, after the for host in running: line (this would be https://github.com/saltstack/salt/blob/v2019.2.2/salt/client/ssh/__init__.py#L607 if you're still looking at that version; but my version is now as detailed above, and for me I am editing /opt/salt/lib/python3.5/site-packages/salt-3000.1-py3.5.egg/salt/client/ssh/__init__.py), I can see that I only loop through things twice:

[ERROR   ] {'vm-aa': {'thread': <Process(Process-1, started)>}}
[ERROR   ] {'vm-aa': {'thread': <Process(Process-1, stopped[SIGSEGV])>}}

It looks like a problem in Single (?), where the thread results in a SIGSEGV. If I have an entry in /etc/hosts, I do not get the SIGSEGV and salt-ssh runs successfully.

