Fix host key checking #656
Conversation
|
Steps to reproduce: #!/usr/bin/env ruby
require 'net/ssh'
Net::SSH.start('example.com', 'username', :verify_host_key=>:always) do |ssh|
puts ssh.exec!('hostname')
endWithout this patch, will only work if the known_hosts file has a line matching |
|
@smortex thanks for the PR, can you please add a testcase for it? |
|
Hi @mfazekas! My previous attempt to add tests failed because of another bug. A fresh view allowed me to spot it (b5af8a8) and add a few tests. It also allowed me to see a difference between net-ssh and ssh(1), I detailed the issue in 855d617. Globing is also still not handled for matching entries in the known_hosts file, but I think this can be part of another PR (only do bugfix in tis PR and add adding missing features in another one). |
|
Just added a commit that fix the issue detailed in 855d617. This is ready for review / merging 🎉 Please note that I have anther commit on top of this for matching hostnames against patterns that can be found in the known_host file. I plan to open another PR when this one is merged, but if you prefer, I can include the change in this branch. Just let me know! |
Codecov Report
@@ Coverage Diff @@
## master #656 +/- ##
==========================================
- Coverage 95.82% 95.75% -0.08%
==========================================
Files 144 144
Lines 9515 9509 -6
==========================================
- Hits 9118 9105 -13
- Misses 397 404 +7
Continue to review full report at Codecov.
|
|
This seems like a really nice improvement. Would love to see it adopted. |
This method is supposed to transform a relative path into an absolute one, but ignrore the provided path and always return the full path to the same fixture file.
smortex
force-pushed
the
fix-host-key-checking
branch
from
ecd30bf
to
6412972
Compare
The known_hosts file may contain keys associated with a hostname, an ip-address, or both. When validating a key, the net-ssh gem ensure that both the hostname and the ip-address match beforce adding that key. Thus, if the known_hosts file only contains one of these two pieces of information, the host key verification fails. Instead of adding keys when both the hostname and the ip-address match, add them when the user-supplied identification of the remote host match an entry in the known_hosts file. Optionaly, if `check_host_ip` is set to true, the resolved IP address of the remote host is also checked.
smortex
force-pushed
the
fix-host-key-checking
branch
from
6412972
to
c31d059
Compare
|
@smortex thanks much for the PR, i'll probably change check_host_ip default to true in 5.1.1, and will change to false in next major version. |
|
@mfazekas When do you expect to release 5.1.1? Would like to use this! Thanks. |
The known_hosts file may contain keys associated with a hostname, an
ip-address, or both.
When validating a key, the net-ssh gem ensure that both the hostname and
the ip-address match beforce adding a key. Thus, if the known_hosts
file only contains one of these two pieces of information, the host key
verification fails.
Instead of adding keys when both the hostname and the ip-address match,
add them when any of these information match.