SECURITY ISSUE: External SSH Tool node forces deprecated auth keys

RNovak · February 9, 2024, 5:49pm

Over a year ago, I raised an issue about the External SSH Tool node and the way it handles key-based authentication. The response from the KNIME team was that an enhancement ticket had been opened. Several versions later, there is no change to the way this node works, even in 5.x.

The problem with this node is getting worse - The desktop preferences for General, Network Connections, SSH2 only seems to allow DSA (ssh-dss) and RSA with SHA1 (ssh-rsa) key types. BOTH of which have been officially deprecated by the OpenSSH project because of algorithmic weaknesses. If you specify an rsa-sha2-512 (the current default rsa keytype generated by ssh-keygen) or ecdsa keyfile in the private key list in SSH2 network preferences, PublicKey auth will not function using the External SSH Tool. The lack of support for current SSH standards is almost becoming comical at this point, if it weren’t such a security risk.

The SSH Connector node functions properly, but it does not allow for remote command execution, only SFTP/filesystem operations. Remote command execution is a key workflow use case. As of now, I can use an ecdsa key with the SSH Connector node, but External SSH Tool refuses to recognize the exact same key when configured through preferences.

Either the External SSH Tool node needs to be re-written to use the same config semantics as the SSH Connector (auth keyfile is specific to the node), or the SSH2 network connection framework needs to be updated to support current secure key types. This is long past due. When is someone going to take this seriously instead of forcing users to kludge around it and re-activate insecure mechanisms at the sshd level?

lupo · March 16, 2024, 3:37pm

Totaly right.
this have to be fixed asap for security reasons

In my opinion, it is not a sensible approach to reduce your own and the system’s security just because the node uses current encryption algorithms.

please update the node immediately

tobias.koetter · March 19, 2024, 8:30am

Hello @RNovak ,
thanks for bringing this problem to our attention. We will rewrite the node with the 5.3 release of the KNIME Analytics Platform which is planned for summer. The plan is to rewrite the node completely. It will be based on the existing FTP Connector node which uses the Apache MINA library that supports current secure key types.
Bye
Tobias

RNovak · March 20, 2024, 2:48pm

Thank you for your response and for addressing this issue in the release timeline.

In the meantime, I have created a component that replicates the External SSH Tool functionality using a combination of KNIME file reader/writer nodes and a Python code block that leverages the paramiko SSH library. If anyone is interested, I can upload it into a new thread.

system · March 27, 2024, 2:48pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

tobias.koetter · June 18, 2024, 9:30am

Hello @RNovak ,
unfortunately the rewrite (internal ticket AP-19772) of the node has been delayed further to the 5.4 release which is planned for December. I’m glad that you have a working solution and it would be great if you could share your component here so that other may use it until the node has been updated.
Bye
Tobias