ssh: require host key checking in the ClientConfig

This change breaks existing behavior. Before, a missing ClientConfig.HostKeyCallback would cause host key checking to be disabled. In this configuration, establishing a connection to any host just works, so today, most SSH client code in the wild does not perform any host key checks. This makes it easy to perform a MITM attack: * SSH installations that use keyboard-interactive or password authentication can be attacked with MITM, thereby stealing passwords. * Clients that use public-key authentication with agent forwarding are also vulnerable: the MITM server could allow the login to succeed, and then immediately ask the agent to authenticate the login to the real server. * Clients that use public-key authentication without agent forwarding are harder to attack unnoticedly: an attacker cannot authenticate the login to the real server, so it cannot in general present a convincing server to the victim. Now, a missing HostKeyCallback will cause the handshake to fail. This change also provides InsecureIgnoreHostKey() and FixedHostKey(key) as ready made host checkers. A simplistic parser for OpenSSH's known_hosts file is given as an example. This change does not provide a full-fledged parser, as it has complexity (wildcards, revocation, hashed addresses) that will need further consideration. When introduced, the host checking feature maintained backward compatibility at the expense of security. We have decided this is not the right tradeoff for the SSH library. Fixes golang/go#19767 Change-Id: I45fc7ba9bd1ea29c31ec23f115cdbab99913e814 Reviewed-on: https://go-review.googlesource.com/38701 Run-TryBot: Han-Wen Nienhuys <hanwen@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
golang · Mar 30, 2017 · e4e2799 · e4e2799 · Matthelonianxl · Jan 24, 2021
1 parent 459e265
commit e4e2799
Show file tree

Hide file tree

Showing 13 changed files with 193 additions and 30 deletions.
diff --git a/ssh/agent/client_test.go b/ssh/agent/client_test.go
@@ -233,7 +233,9 @@ func TestAuth(t *testing.T) {
 		conn.Close()
 	}()
 
-	conf := ssh.ClientConfig{}
+	conf := ssh.ClientConfig{
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
 	conf.Auth = append(conf.Auth, ssh.PublicKeysCallback(agent.Signers))
 	conn, _, _, err := ssh.NewClientConn(b, "", &conf)
 	if err != nil {

diff --git a/ssh/agent/example_test.go b/ssh/agent/example_test.go
@@ -6,20 +6,20 @@ package agent_test
 
 import (
 	"log"
-	"os"
 	"net"
+	"os"
 
-        "golang.org/x/crypto/ssh"
-        "golang.org/x/crypto/ssh/agent"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
 )
 
 func ExampleClientAgent() {
 	// ssh-agent has a UNIX socket under $SSH_AUTH_SOCK
 	socket := os.Getenv("SSH_AUTH_SOCK")
-        conn, err := net.Dial("unix", socket)
-        if err != nil {
-                log.Fatalf("net.Dial: %v", err)
-        }
+	conn, err := net.Dial("unix", socket)
+	if err != nil {
+		log.Fatalf("net.Dial: %v", err)
+	}
 	agentClient := agent.NewClient(conn)
 	config := &ssh.ClientConfig{
 		User: "username",
@@ -29,6 +29,7 @@ func ExampleClientAgent() {
 			// wants it.
 			ssh.PublicKeysCallback(agentClient.Signers),
 		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 
 	sshc, err := ssh.Dial("tcp", "localhost:22", config)

diff --git a/ssh/agent/server_test.go b/ssh/agent/server_test.go
@@ -56,7 +56,9 @@ func TestSetupForwardAgent(t *testing.T) {
 		incoming <- conn
 	}()
 
-	conf := ssh.ClientConfig{}
+	conf := ssh.ClientConfig{
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
 	conn, chans, reqs, err := ssh.NewClientConn(b, "", &conf)
 	if err != nil {
 		t.Fatalf("NewClientConn: %v", err)

diff --git a/ssh/certs.go b/ssh/certs.go
@@ -268,7 +268,7 @@ type CertChecker struct {
 	// HostKeyFallback is called when CertChecker.CheckHostKey encounters a
 	// public key that is not a certificate. It must implement host key
 	// validation or else, if nil, all such keys are rejected.
-	HostKeyFallback func(addr string, remote net.Addr, key PublicKey) error
+	HostKeyFallback HostKeyCallback
 
 	// IsRevoked is called for each certificate so that revocation checking
 	// can be implemented. It should return true if the given certificate

diff --git a/ssh/client.go b/ssh/client.go
@@ -5,6 +5,7 @@
 package ssh
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"net"
@@ -68,6 +69,11 @@ func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
 func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
 	fullConf := *config
 	fullConf.SetDefaults()
+	if fullConf.HostKeyCallback == nil {
+		c.Close()
+		return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
+	}
+
 	conn := &connection{
 		sshConn: sshConn{conn: c},
 	}
@@ -173,6 +179,13 @@ func Dial(network, addr string, config *ClientConfig) (*Client, error) {
 	return NewClient(c, chans, reqs), nil
 }
 
+// HostKeyCallback is the function type used for verifying server
+// keys.  A HostKeyCallback must return nil if the host key is OK, or
+// an error to reject it. It receives the hostname as passed to Dial
+// or NewClientConn. The remote address is the RemoteAddr of the
+// net.Conn underlying the the SSH connection.
+type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
+
 // A ClientConfig structure is used to configure a Client. It must not be
 // modified after having been passed to an SSH function.
 type ClientConfig struct {
@@ -188,10 +201,12 @@ type ClientConfig struct {
 	// be used during authentication.
 	Auth []AuthMethod
 
-	// HostKeyCallback, if not nil, is called during the cryptographic
-	// handshake to validate the server's host key. A nil HostKeyCallback
-	// implies that all host keys are accepted.
-	HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
+	// HostKeyCallback is called during the cryptographic
+	// handshake to validate the server's host key. The client
+	// configuration must supply this callback for the connection
+	// to succeed. The functions InsecureIgnoreHostKey or
+	// FixedHostKey can be used for simplistic host key checks.
+	HostKeyCallback HostKeyCallback
 
 	// ClientVersion contains the version identification string that will
 	// be used for the connection. If empty, a reasonable default is used.
@@ -209,3 +224,33 @@ type ClientConfig struct {
 	// A Timeout of zero means no timeout.
 	Timeout time.Duration
 }
+
+// InsecureIgnoreHostKey returns a function that can be used for
+// ClientConfig.HostKeyCallback to accept any host key. It should
+// not be used for production code.
+func InsecureIgnoreHostKey() HostKeyCallback {
+	return func(hostname string, remote net.Addr, key PublicKey) error {
+		return nil
+	}
+}
+
+type fixedHostKey struct {
+	key PublicKey
+}
+
+func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
+	if f.key == nil {
+		return fmt.Errorf("ssh: required host key was nil")
+	}
+	if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
+		return fmt.Errorf("ssh: host key mismatch")
+	}
+	return nil
+}
+
+// FixedHostKey returns a function for use in
+// ClientConfig.HostKeyCallback to accept only a specific host key.
+func FixedHostKey(key PublicKey) HostKeyCallback {
+	hk := &fixedHostKey{key}
+	return hk.check
+}
diff --git a/ssh/client_auth_test.go b/ssh/client_auth_test.go
@@ -92,6 +92,7 @@ func TestClientAuthPublicKey(t *testing.T) {
 		Auth: []AuthMethod{
 			PublicKeys(testSigners["rsa"]),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	if err := tryAuth(t, config); err != nil {
 		t.Fatalf("unable to dial remote side: %s", err)
@@ -104,6 +105,7 @@ func TestAuthMethodPassword(t *testing.T) {
 		Auth: []AuthMethod{
 			Password(clientPassword),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	if err := tryAuth(t, config); err != nil {
@@ -123,6 +125,7 @@ func TestAuthMethodFallback(t *testing.T) {
 					return "WRONG", nil
 				}),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	if err := tryAuth(t, config); err != nil {
@@ -141,6 +144,7 @@ func TestAuthMethodWrongPassword(t *testing.T) {
 			Password("wrong"),
 			PublicKeys(testSigners["rsa"]),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	if err := tryAuth(t, config); err != nil {
@@ -158,6 +162,7 @@ func TestAuthMethodKeyboardInteractive(t *testing.T) {
 		Auth: []AuthMethod{
 			KeyboardInteractive(answers.Challenge),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	if err := tryAuth(t, config); err != nil {
@@ -203,6 +208,7 @@ func TestAuthMethodRSAandDSA(t *testing.T) {
 		Auth: []AuthMethod{
 			PublicKeys(testSigners["dsa"], testSigners["rsa"]),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	if err := tryAuth(t, config); err != nil {
 		t.Fatalf("client could not authenticate with rsa key: %v", err)
@@ -219,6 +225,7 @@ func TestClientHMAC(t *testing.T) {
 			Config: Config{
 				MACs: []string{mac},
 			},
+			HostKeyCallback: InsecureIgnoreHostKey(),
 		}
 		if err := tryAuth(t, config); err != nil {
 			t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err)
@@ -254,6 +261,7 @@ func TestClientUnsupportedKex(t *testing.T) {
 		Config: Config{
 			KeyExchanges: []string{"diffie-hellman-group-exchange-sha256"}, // not currently supported
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") {
 		t.Errorf("got %v, expected 'common algorithm'", err)
@@ -273,7 +281,8 @@ func TestClientLoginCert(t *testing.T) {
 	}
 
 	clientConfig := &ClientConfig{
-		User: "user",
+		User:            "user",
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner))
 
@@ -363,6 +372,7 @@ func testPermissionsPassing(withPermissions bool, t *testing.T) {
 		Auth: []AuthMethod{
 			PublicKeys(testSigners["rsa"]),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 	if withPermissions {
 		clientConfig.User = "permissions"
@@ -409,6 +419,7 @@ func TestRetryableAuth(t *testing.T) {
 			}), 2),
 			PublicKeys(testSigners["rsa"]),
 		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	if err := tryAuth(t, config); err != nil {
@@ -430,7 +441,8 @@ func ExampleRetryableAuthMethod(t *testing.T) {
 	}
 
 	config := &ClientConfig{
-		User: user,
+		HostKeyCallback: InsecureIgnoreHostKey(),
+		User:            user,
 		Auth: []AuthMethod{
 			RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts),
 		},
@@ -450,7 +462,8 @@ func TestClientAuthNone(t *testing.T) {
 	serverConfig.AddHostKey(testSigners["rsa"])
 
 	clientConfig := &ClientConfig{
-		User: user,
+		User:            user,
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	c1, c2, err := netPipe()

diff --git a/ssh/client_test.go b/ssh/client_test.go
@@ -6,13 +6,15 @@ package ssh
 
 import (
 	"net"
+	"strings"
 	"testing"
 )
 
 func testClientVersion(t *testing.T, config *ClientConfig, expected string) {
 	clientConn, serverConn := net.Pipe()
 	defer clientConn.Close()
 	receivedVersion := make(chan string, 1)
+	config.HostKeyCallback = InsecureIgnoreHostKey()
 	go func() {
 		version, err := readVersion(serverConn)
 		if err != nil {
@@ -37,3 +39,43 @@ func TestCustomClientVersion(t *testing.T) {
 func TestDefaultClientVersion(t *testing.T) {
 	testClientVersion(t, &ClientConfig{}, packageVersion)
 }
+
+func TestHostKeyCheck(t *testing.T) {
+	for _, tt := range []struct {
+		name      string
+		wantError string
+		key       PublicKey
+	}{
+		{"no callback", "must specify HostKeyCallback", nil},
+		{"correct key", "", testSigners["rsa"].PublicKey()},
+		{"mismatch", "mismatch", testSigners["ecdsa"].PublicKey()},
+	} {
+		c1, c2, err := netPipe()
+		if err != nil {
+			t.Fatalf("netPipe: %v", err)
+		}
+		defer c1.Close()
+		defer c2.Close()
+		serverConf := &ServerConfig{
+			NoClientAuth: true,
+		}
+		serverConf.AddHostKey(testSigners["rsa"])
+
+		go NewServerConn(c1, serverConf)
+		clientConf := ClientConfig{
+			User: "user",
+		}
+		if tt.key != nil {
+			clientConf.HostKeyCallback = FixedHostKey(tt.key)
+		}
+
+		_, _, _, err = NewClientConn(c2, "", &clientConf)
+		if err != nil {
+			if tt.wantError == "" || !strings.Contains(err.Error(), tt.wantError) {
+				t.Errorf("%s: got error %q, missing %q", err.Error(), tt.wantError)
+			}
+		} else if tt.wantError != "" {
+			t.Errorf("%s: succeeded, but want error string %q", tt.name, tt.wantError)
+		}
+	}
+}
diff --git a/ssh/doc.go b/ssh/doc.go
@@ -14,5 +14,8 @@ others.
 References:
   [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
   [SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
+
+This package does not fall under the stability promise of the Go language itself,
+so its API may be changed when pressing needs arise.
 */
 package ssh // import "golang.org/x/crypto/ssh"