
x/crypto/ssh: Host key to be verified should be chosen based on knownhosts entries #49631

Closed
cardil opened this issue Nov 17, 2021 · 2 comments

Comments

@cardil

cardil commented Nov 17, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ksuszyns/.cache/go-build"
GOENV="/home/ksuszyns/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/ksuszyns/.gvm/pkgsets/go1.16/global/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/ksuszyns/.gvm/pkgsets/go1.16/global"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/ksuszyns/.gvm/gos/go1.16"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/ksuszyns/.gvm/gos/go1.16/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3253216311=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Test: cardil/golang-x-crypto@4758476

What did you expect to see?

I expected not to see a knownhosts: key mismatch error, but an auth error, as the test doesn't set proper authentication.

Using the same config on my machine, I can connect to that GitHub server. OpenSSH used:

$ ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021

See attached OpenSSH log: https://gist.github.com/cardil/18611bcc01538cb8b08170a93f4bc4db where you can observe the correct behavior of choosing a host public key type (ssh-rsa) based on known hosts entries.

In this case, the remote SSH server supports various host key algorithms. If we have a known host entry for that host:port, we should choose the host key algorithm based on that known host entry's type.

OpenSSH orders the algorithms based on known hosts entries, see: https://github.com/openssh/openssh-portable/blob/e665ed2d0c24fe11d5470ce72fa1e187377d3fc4/sshconnect2.c#L201

What did you see instead?

The knownhosts.KeyError is returned at https://github.com/golang/crypto/blob/b4de73f9ece8163b492578e101e4ef8923ac2c5c/ssh/knownhosts/knownhosts.go#L385, where remoteKey.Type() == "ecdsa-sha2-nistp256", but the knownKeys map contains a key only for type "ssh-rsa".

Workaround

The problem can be worked around by forcing the correct trusted host key algorithm in the HostKeyAlgorithms setting before connecting:

import "golang.org/x/crypto/ssh"

// Pin the host key algorithm to the key type recorded for this host in known_hosts.
sshConfig := &ssh.ClientConfig{
    HostKeyAlgorithms: []string{"ssh-rsa"},
}
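The workaround above hard-codes one algorithm for one host. As an added example (not code from the issue or from x/crypto), the helper below derives the HostKeyAlgorithms list from known_hosts content, so a Go client asks the server for the key type it can actually verify; it generalizes to any host, including "[host]:port" entries and the hashed "|1|salt|hash" entries OpenSSH writes with HashKnownHosts. The function names and the constructed sample input in the test are this example's own; the comparison with OpenSSH's order_hostkeyalgs refers to the sshconnect2.c link given in the issue.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"strings"
)

// hashedEntry builds the "|1|salt|hmac-sha1" host field OpenSSH writes when HashKnownHosts is on.
func hashedEntry(salt []byte, name string) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(name))
	b64 := base64.StdEncoding.EncodeToString
	return "|1|" + b64(salt) + "|" + b64(mac.Sum(nil))
}

// hostMatches checks one host field (comma-separated names or a hashed entry) against name,
// which is "host" for port 22 and "[host]:port" otherwise, exactly as OpenSSH records it.
func hostMatches(field, name string) bool {
	if p := strings.Split(field, "|"); len(p) == 4 && p[1] == "1" {
		salt, err := base64.StdEncoding.DecodeString(p[2])
		return err == nil && hmac.Equal([]byte(field), []byte(hashedEntry(salt, name)))
	}
	for _, h := range strings.Split(field, ",") {
		if h == name {
			return true
		}
	}
	return false
}

// HostKeyAlgorithmsFor returns the value for ssh.ClientConfig.HostKeyAlgorithms: the key types
// recorded for name in knownHosts, in file order (the idea behind OpenSSH's order_hostkeyalgs).
// Comment (#) and marker (@) lines are skipped; an empty result leaves x/crypto on its defaults.
func HostKeyAlgorithmsFor(knownHosts, name string) []string {
	seen := map[string]bool{}
	var algos []string
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0][0] == '#' || f[0][0] == '@' || seen[f[1]] || !hostMatches(f[0], name) {
			continue
		}
		seen[f[1]] = true
		algos = append(algos, f[1])
	}
	return algos
}
```

Read ~/.ssh/known_hosts into a string and pass the result to ssh.ClientConfig.HostKeyAlgorithms alongside the knownhosts.New callback; with only an ssh-rsa entry for github.com the client then negotiates ssh-rsa instead of ecdsa-sha2-nistp256, which is exactly the mismatch reported above.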
@gopherbot gopherbot added this to the Unreleased milestone Nov 17, 2021
@cardil
Author

cardil commented Nov 17, 2021

Another workaround for the problem could be to remove the old host key and force OpenSSH to use the same host key algorithm as Go does by default:

$ sed -i '/github.com/d' ~/.ssh/known_hosts
$ ssh -o "HostKeyAlgorithms ecdsa-sha2-nistp256" git@github.com
The authenticity of host 'github.com (140.82.121.4)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com' (ECDSA) to the list of known hosts.
PTY allocation request failed on channel 0
Hi cardil! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

@cardil cardil changed the title x/crypto/ssh: Host key should be chosen based on knownhosts entries x/crypto/ssh: Host key to be verified should be chosen based on knownhosts entries Nov 17, 2021
@seankhliao
Member

Duplicate of #29286

@seankhliao seankhliao marked this as a duplicate of #29286 Nov 17, 2021
@golang golang locked and limited conversation to collaborators Nov 17, 2022