
Commit 80e4369

authored
Merge pull request #1157 from Javier-varez/ja/knownHostsDb
plumbing: transport/ssh, Add support for SSH @cert-authority.
2 parents ec13306 + 20b556b commit 80e4369


3 files changed

+124
-12
lines changed


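--- a/plumbing/transport/ssh/auth_method.go
+++ b/plumbing/transport/ssh/auth_method.go
@@ -230,11 +230,11 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 // ~/.ssh/known_hosts
 // /etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-kh, err := newKnownHosts(files...)
-return ssh.HostKeyCallback(kh), err
+db, err := newKnownHostsDb(files...)
+return db.HostKeyCallback(), err
 }
 
-func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
+func newKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 var err error
 
 if len(files) == 0 {
@@ -247,7 +247,7 @@ func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 return nil, err
 }
 
-return knownhosts.New(files...)
+return knownhosts.NewDB(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -301,11 +301,12 @@ type HostKeyCallbackHelper struct {
 // HostKeyCallback is empty a default callback is created using
 // NewKnownHostsCallback.
 func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
-var err error
 if m.HostKeyCallback == nil {
-if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
+db, err := newKnownHostsDb()
+if err != nil {
 return cfg, err
 }
+m.HostKeyCallback = db.HostKeyCallback()
 }
 
 cfg.HostKeyCallback = m.HostKeyCallback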
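Review bot: NewKnownHostsCallback in the first hunk calls `db.HostKeyCallback()` before looking at err, so on failure it invokes a method on a nil *knownhosts.HostKeyDB and hands the caller a callback next to the error; the code it replaces only did a type conversion, which could not misbehave. Whether the nil receiver panics at that call or only when the returned callback is later invoked depends on the library, but neither is something a caller should have to reason about, and a `(T, error)` result should not carry a usable-looking T on error. Change the tail to `if err != nil { return nil, err }` followed by `return db.HostKeyCallback(), nil`. SetHostKeyCallback in the third hunk already checks err before calling `db.HostKeyCallback()`, so the two would then match.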

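--- a/plumbing/transport/ssh/auth_method_test.go
+++ b/plumbing/transport/ssh/auth_method_test.go
@@ -18,7 +18,8 @@ import (
 type (
 SuiteCommon struct{}
 
-mockKnownHosts struct{}
+mockKnownHosts struct{}
+mockKnownHostsWithCert struct{}
 )
 
 func (mockKnownHosts) host() string { return "github.com" }
@@ -27,6 +28,19 @@ func (mockKnownHosts) knownHosts() []byte {
 }
 func (mockKnownHosts) Network() string { return "tcp" }
 func (mockKnownHosts) String() string { return "github.com:22" }
+func (mockKnownHosts) Algorithms() []string {
+return []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512}
+}
+
+func (mockKnownHostsWithCert) host() string { return "github.com" }
+func (mockKnownHostsWithCert) knownHosts() []byte {
+return []byte(`@cert-authority github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==`)
+}
+func (mockKnownHostsWithCert) Network() string { return "tcp" }
+func (mockKnownHostsWithCert) String() string { return "github.com:22" }
+func (mockKnownHostsWithCert) Algorithms() []string {
+return []string{ssh.CertAlgoRSASHA512v01, ssh.CertAlgoRSASHA256v01, ssh.CertAlgoRSAv01}
+}
 
 var _ = Suite(&SuiteCommon{})
 
@@ -230,3 +244,93 @@ func (*SuiteCommon) TestNewKnownHostsCallback(c *C) {
 err = clb(mock.String(), mock, hostKey)
 c.Assert(err, IsNil)
 }
+
+func (*SuiteCommon) TestNewKnownHostsDbWithoutCert(c *C) {
+if runtime.GOOS == "js" {
+c.Skip("not available in wasm")
+}
+
+var mock = mockKnownHosts{}
+
+f, err := util.TempFile(osfs.Default, "", "known-hosts")
+c.Assert(err, IsNil)
+
+_, err = f.Write(mock.knownHosts())
+c.Assert(err, IsNil)
+
+err = f.Close()
+c.Assert(err, IsNil)
+
+defer util.RemoveAll(osfs.Default, f.Name())
+
+f, err = osfs.Default.Open(f.Name())
+c.Assert(err, IsNil)
+
+defer f.Close()
+
+db, err := newKnownHostsDb(f.Name())
+c.Assert(err, IsNil)
+
+algos := db.HostKeyAlgorithms(mock.String())
+c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+contains := func(container []string, value string) bool {
+for _, inner := range container {
+if inner == value {
+return true
+}
+}
+return false
+}
+
+for _, algorithm := range mock.Algorithms() {
+if !contains(algos, algorithm) {
+c.Error("algos does not contain ", algorithm)
+}
+}
+}
+
+func (*SuiteCommon) TestNewKnownHostsDbWithCert(c *C) {
+if runtime.GOOS == "js" {
+c.Skip("not available in wasm")
+}
+
+var mock = mockKnownHostsWithCert{}
+
+f, err := util.TempFile(osfs.Default, "", "known-hosts")
+c.Assert(err, IsNil)
+
+_, err = f.Write(mock.knownHosts())
+c.Assert(err, IsNil)
+
+err = f.Close()
+c.Assert(err, IsNil)
+
+defer util.RemoveAll(osfs.Default, f.Name())
+
+f, err = osfs.Default.Open(f.Name())
+c.Assert(err, IsNil)
+
+defer f.Close()
+
+db, err := newKnownHostsDb(f.Name())
+c.Assert(err, IsNil)
+
+algos := db.HostKeyAlgorithms(mock.String())
+c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+contains := func(container []string, value string) bool {
+for _, inner := range container {
+if inner == value {
+return true
+}
+}
+return false
+}
+
+for _, algorithm := range mock.Algorithms() {
+if !contains(algos, algorithm) {
+c.Error("algos does not contain ", algorithm)
+}
+}
+}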
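Review bot: TestNewKnownHostsDbWithoutCert and TestNewKnownHostsDbWithCert in the last hunk are line-for-line identical apart from the mock they construct, down to a private `contains` closure written twice; a shared helper taking the mock would halve the hunk and keep any future fix in one place. The re-open through `osfs.Default.Open(f.Name())` and the second `defer f.Close()` appear to serve no purpose, since only `f.Name()` is passed to newKnownHostsDb afterwards. The cert test also checks only the advertised algorithms; the callback path for a host key signed by the `@cert-authority` entry is not exercised here, which is the behaviour the commit is adding and is worth a follow-up test. A sketch of the shared helper follows.
```go
// knownHostsMock is what the known_hosts DB tests need from a mock host.
type knownHostsMock interface {
	knownHosts() []byte
	String() string
	Algorithms() []string
}

// checkKnownHostsAlgorithms writes mock's known_hosts entry to a temp file and
// asserts that the DB advertises exactly mock.Algorithms() for mock's host.
func checkKnownHostsAlgorithms(c *C, mock knownHostsMock) {
	f, err := util.TempFile(osfs.Default, "", "known-hosts")
	c.Assert(err, IsNil)
	defer util.RemoveAll(osfs.Default, f.Name())

	_, err = f.Write(mock.knownHosts())
	c.Assert(err, IsNil)
	c.Assert(f.Close(), IsNil)

	db, err := newKnownHostsDb(f.Name())
	c.Assert(err, IsNil)

	algos := db.HostKeyAlgorithms(mock.String())
	c.Assert(algos, HasLen, len(mock.Algorithms()))
	for _, want := range mock.Algorithms() {
		found := false
		for _, got := range algos {
			if got == want {
				found = true
				break
			}
		}
		if !found {
			c.Error("algos does not contain ", want)
		}
	}
}

func (*SuiteCommon) TestNewKnownHostsDbWithoutCert(c *C) {
	if runtime.GOOS == "js" {
		c.Skip("not available in wasm")
	}
	checkKnownHostsAlgorithms(c, mockKnownHosts{})
}

func (*SuiteCommon) TestNewKnownHostsDbWithCert(c *C) {
	if runtime.GOOS == "js" {
		c.Skip("not available in wasm")
	}
	checkKnownHostsAlgorithms(c, mockKnownHostsWithCert{})
}
```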

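--- a/plumbing/transport/ssh/common.go
+++ b/plumbing/transport/ssh/common.go
@@ -11,7 +11,6 @@ import (
 
 "github.com/go-git/go-git/v5/plumbing/transport"
 "github.com/go-git/go-git/v5/plumbing/transport/internal/common"
-"github.com/skeema/knownhosts"
 
 "github.com/kevinburke/ssh_config"
 "golang.org/x/crypto/ssh"
@@ -127,17 +126,25 @@ func (c *command) connect() error {
 }
 hostWithPort := c.getHostWithPort()
 if config.HostKeyCallback == nil {
-kh, err := newKnownHosts()
+db, err := newKnownHostsDb()
 if err != nil {
 return err
 }
-config.HostKeyCallback = kh.HostKeyCallback()
-config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
+
+config.HostKeyCallback = db.HostKeyCallback()
+config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 } else if len(config.HostKeyAlgorithms) == 0 {
 // Set the HostKeyAlgorithms based on HostKeyCallback.
 // For background see https://github.com/go-git/go-git/issues/411 as well as
 // https://github.com/golang/go/issues/29286 for root cause.
-config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
+db, err := newKnownHostsDb()
+if err != nil {
+return err
+}
+
+// Note that the knownhost database is used, as it provides additional functionality
+// to handle ssh cert-authorities.
+config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 }
 
 overrideConfig(c.config, config)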
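Review bot: The `else if len(config.HostKeyAlgorithms) == 0` branch in the second hunk now aborts the connection when `newKnownHostsDb()` fails, even though the caller supplied its own HostKeyCallback and the known_hosts files were not consulted on this path before; the first hunk of auth_method.go resolves default files when none are given, so a caller whose callback does not rely on those files (none present, say) appears to go from a working connection to an error here. The algorithm list is also now taken from the default files while the host key itself is verified by the caller's callback, so the two can disagree about which key types are acceptable; whether that costs a handshake depends on what the callback accepts, which cannot be seen from here. If the default database is only best-effort on this path, leave HostKeyAlgorithms empty on failure rather than returning: `if db, err := newKnownHostsDb(); err == nil { config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort) }`. The retained comment `// Set the HostKeyAlgorithms based on HostKeyCallback.` no longer describes the code and should say the algorithms come from the default known_hosts database. connect() begins and ends outside this hunk.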
