Re: [PATCH 1/3] block: better document SSH host key fingerprint checking

[Hanna Reitz]

On 18.11.21 15:35, Daniel P. Berrangé wrote:
> The docs still illustrate host key fingerprint checking using the old
> md5 hashes which are considered insecure and obsolete. Change it to
> illustrate using a sha256 hash. Also show how to extract the hash
> value from the known_hosts file.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>   docs/system/qemu-block-drivers.rst.inc | 30 ++++++++++++++++++++++----
>   1 file changed, 26 insertions(+), 4 deletions(-)
>
> diff --git a/docs/system/qemu-block-drivers.rst.inc 
> b/docs/system/qemu-block-drivers.rst.inc
> index 16225710eb..2aeeaf6361 100644
> --- a/docs/system/qemu-block-drivers.rst.inc
> +++ b/docs/system/qemu-block-drivers.rst.inc
> @@ -778,10 +778,32 @@ The optional *HOST_KEY_CHECK* parameter controls how the 
> remote
>   host's key is checked.  The default is ``yes`` which means to use
>   the local ``.ssh/known_hosts`` file.  Setting this to ``no``
>   turns off known-hosts checking.  Or you can check that the host key
> -matches a specific fingerprint:
> -``host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8``
> -(``sha1:`` can also be used as a prefix, but note that OpenSSH
> -tools only use MD5 to print fingerprints).
> +matches a specific fingerprint. The fingerprint can be provided in
> +``md5``, ``sha1``, or ``sha256`` format, however, it is strongly
> +recommended to only use ``sha256``, since the other options are
> +considered insecure by modern standards. The fingerprint value
> +must be given as a hex encoded string::
> +
> +  
> host_key_check=sha256:04ce2ae89ff4295a6b9c4111640bdcb3297858ee55cb434d9dd88796e93aa795``

I think the backticks at the end of this line should be dropped.

With that done:

Reviewed-by: Hanna Reitz <hreitz@redhat.com>

> +
> +The key string may optionally contain ":" separators between
> +each pair of hex digits.
> +
> +The ``$HOME/.ssh/known_hosts`` file contains the base64 encoded
> +host keys. These can be converted into the format needed for
> +QEMU using a command such as::
> +
> +   $ for key in `grep 10.33.8.112 known_hosts | awk '{print $3}'`
> +     do
> +       echo $key | base64 -d | sha256sum
> +     done
> +     6c3aa525beda9dc83eadfbd7e5ba7d976ecb59575d1633c87cd06ed2ed6e366f  -
> +     12214fd9ea5b408086f98ecccd9958609bd9ac7c0ea316734006bc7818b45dc8  -
> +     d36420137bcbd101209ef70c3b15dc07362fbe0fa53c5b135eba6e6afa82f0ce  -
> +
> +Note that there can be multiple keys present per host, each with
> +different key ciphers. Care is needed to pick the key fingerprint
> +that matches the cipher QEMU will negotiate with the remote server.
>   
>   Currently authentication must be done using ssh-agent.  Other
>   authentication methods may be supported in future.