Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libgit2: use provided host to validate public key #288

Merged
merged 1 commit into from
Feb 11, 2021
Merged

libgit2: use provided host to validate public key #288

merged 1 commit into from
Feb 11, 2021

Conversation

hiddeco
Copy link
Member

@hiddeco hiddeco commented Feb 10, 2021
edited
Loading

The callback from libgit2 only provides a hostname (without the port),
but the known_hosts file indexes the public keys based on the full
host (e.g. [localhost]:123 for a host behind a specific port).

As a result, it was unable to find the correct public key for the
hostname when it was added to the known_hosts file with the port.

To work around this, we add the user provided host that includes the
port to the PublicKeyAuth strategy, and use this to find the right
entry in the known_hosts file, after having validated that the
hostname provided to the callback matches the hostname of the host
provided by the user.

Fixes: #287

@hiddeco hiddeco changed the title libgit2: use provided hostname to validate cert libgit2: use provided host to validate public key Feb 10, 2021
@hiddeco hiddeco force-pushed the libgit2-hostkey branch 5 times, most recently from 4fd0d86 to f4730cb Compare February 10, 2021 16:54
@hiddeco hiddeco marked this pull request as ready for review February 10, 2021 17:17
phillebaba
phillebaba previously approved these changes Feb 10, 2021
View reviewed changes
Copy link
Member

@phillebaba phillebaba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hiddeco hiddeco added bug Something isn't working area/git Git related issues and pull requests labels Feb 10, 2021
@hiddeco hiddeco force-pushed the libgit2-hostkey branch 3 times, most recently from 37cdbc4 to 31efe5c Compare February 10, 2021 20:53
@squaremo squaremo dismissed phillebaba’s stale review February 11, 2021 09:12

We discovered further changes are needed, after the review

@hiddeco hiddeco force-pushed the libgit2-hostkey branch 2 times, most recently from e25476b to 70fdfb5 Compare February 11, 2021 10:21
@hiddeco
libgit2: use provided host to validate public key
b2f6639 
The callback from libgit2 only provides a hostname (without the port),
but the `known_hosts` file indexes the public keys based on the full
host (e.g. `[localhost]:123` for a host behind a specific port).

As a result, it was unable to find the correct public key for the
hostname when it was added to the `known_hosts` file with the port.

To work around this, we add the user provided host that includes the
port to the `PublicKeyAuth` strategy, and use this to find the right
entry in the `known_hosts` file, after having validated that the
hostname provided to the callback matches the hostname of the host
provided by the user.

Signed-off-by: Hidde Beydals <hello@hidde.co>
@squaremo squaremo mentioned this pull request Feb 11, 2021
Merged
squaremo
squaremo approved these changes Feb 11, 2021
View reviewed changes
Copy link
Member

@squaremo squaremo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've run this locally with the tests in image-automation-controller#109 and it works there, as well as in a real cluster using a github repo.
This enables SSH tests with fluxcd/pkg/gittestserver, hurrah 🙌

@hiddeco hiddeco merged commit ca2bb80 into main Feb 11, 2021
@hiddeco hiddeco deleted the libgit2-hostkey branch February 11, 2021 14:15
This was referenced Feb 11, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squaremo squaremo squaremo approved these changes

@phillebaba phillebaba phillebaba left review comments

Assignees
No one assigned
Labels
area/git Git related issues and pull requests bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

known_hosts entry with port not recognised
3 participants
@hiddeco @squaremo @phillebaba