feat(ssh): wire CheckHostIP from sshconfig for DNS-spoofing detection

[kke]

When CheckHostIP is enabled, the host key callback additionally resolves the connecting hostname to IP addresses and checks whether any of those IPs appear in known_hosts with a different key. A mismatch returns ErrHostKeyMismatch; unknown IPs and DNS failures are non-fatal.

The IP check is read-only — no new entries are written for resolved IPs (writing both hostname and IP on first connect is deferred as a follow-on).

[Copilot]

Pull request overview

This PR wires the CheckHostIP ssh config option into the SSH host-key verification flow by wrapping the existing known_hosts host key callback with an additional “resolved IP mismatch” check to detect potential DNS spoofing.

Changes:

• Added hostkey.WithCheckHostIP(...) wrapper that resolves hostnames to IPs and checks those IPs in known_hosts for conflicting keys (read-only, DNS failures/nonexistent IP entries are non-fatal).
• Updated protocol/ssh/connection.go to conditionally apply the wrapper when sshconfig.CheckHostIP is enabled, and adjusted global known_hosts selection to return the chosen path for wrapping.
• Added focused unit tests for the new behavior and a test-only hook to stub DNS resolution.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
protocol/ssh/hostkey/export_test.go	Exposes a test-only hook to override hostname resolution.
protocol/ssh/hostkey/callbacks.go	Implements WithCheckHostIP and the IP-verification wrapper logic.
protocol/ssh/hostkey/callbacks_test.go	Adds unit tests covering mismatch detection, unknown IP non-fatal behavior, DNS failure behavior, permissive behavior, and IP-host skip behavior.
protocol/ssh/connection.go	Wraps host-key callbacks with WithCheckHostIP when CheckHostIP is enabled; returns selected global known_hosts path for wrapping.
protocol/ssh/connection_test.go	Adds an integration-style test ensuring hostkeyCallback enables CheckHostIP wrapping without breaking known_hosts verification.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

protocol/ssh/hostkey/callbacks_test.go:16

• The tests override a package-level variable (hostkey.LookupHostFunc). Without any synchronization, this becomes race-prone if these tests (or future tests in the same package) are run with t.Parallel(), since multiple tests could swap the global resolver concurrently. Adding a local mutex around the override makes the helper safe and documents that the override is global.

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"testing"

	"github.com/k0sproject/rig/v2/protocol/ssh/hostkey"
	"github.com/stretchr/testify/require"
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/knownhosts"
)

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.