plumbing: transport/ssh, Add support for SSH @cert-authority.

skeema/knownhosts v1.3.0 introduced a HostKeyDB type that extends the HostKeyCallback functionality to support @cert-authority algorithms. `known_hosts` files may contain lines with @cert-authority markers to indicate that a line corresponds to a certificate instead of a key. If a git remote uses cert authorities as the preferred host identification mechanism, the functionality added in skeema/knownhosts v1.3.0 is needed so that go-git can interact with this remote. See skeema/knownhosts#9 for details.
Javier-varez · Jul 24, 2024 · 08e0000 · 08e0000
1 parent ec13306
commit 08e0000
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/plumbing/transport/ssh/auth_method.go b/plumbing/transport/ssh/auth_method.go
@@ -230,11 +230,11 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 //	~/.ssh/known_hosts
 //	/etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-	kh, err := newKnownHosts(files...)
-	return ssh.HostKeyCallback(kh), err
+	db, err := newKnownHostsDb(files...)
+	return db.HostKeyCallback(), err
 }
 
-func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
+func newKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 	var err error
 
 	if len(files) == 0 {
@@ -247,7 +247,7 @@ func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 		return nil, err
 	}
 
-	return knownhosts.New(files...)
+	return knownhosts.NewDB(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -301,11 +301,12 @@ type HostKeyCallbackHelper struct {
 // HostKeyCallback is empty a default callback is created using
 // NewKnownHostsCallback.
 func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
-	var err error
 	if m.HostKeyCallback == nil {
-		if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
+		db, err := newKnownHostsDb()
+		if err != nil {
 			return cfg, err
 		}
+		m.HostKeyCallback = db.HostKeyCallback()
 	}
 
 	cfg.HostKeyCallback = m.HostKeyCallback

diff --git a/plumbing/transport/ssh/common.go b/plumbing/transport/ssh/common.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/internal/common"
-	"github.com/skeema/knownhosts"
 
 	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
@@ -127,17 +126,25 @@ func (c *command) connect() error {
 	}
 	hostWithPort := c.getHostWithPort()
 	if config.HostKeyCallback == nil {
-		kh, err := newKnownHosts()
+		db, err := newKnownHostsDb()
 		if err != nil {
 			return err
 		}
-		config.HostKeyCallback = kh.HostKeyCallback()
-		config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
+
+		config.HostKeyCallback = db.HostKeyCallback()
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 	} else if len(config.HostKeyAlgorithms) == 0 {
 		// Set the HostKeyAlgorithms based on HostKeyCallback.
 		// For background see https://github.com/go-git/go-git/issues/411 as well as
 		// https://github.com/golang/go/issues/29286 for root cause.
-		config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
+		db, err := newKnownHostsDb()
+		if err != nil {
+			return err
+		}
+
+		// Note that the knownhost database is used, as it provides additional functionality
+		// to handle ssh cert-authorities.
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 	}
 
 	overrideConfig(c.config, config)