-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libgit2: use provided host to validate public key #288
Conversation
9b1e939
to
c00fa60
Compare
4fd0d86
to
f4730cb
Compare
f4730cb
to
8c967f2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
37cdbc4
to
31efe5c
Compare
We discovered further changes are needed, after the review
e25476b
to
70fdfb5
Compare
The callback from libgit2 only provides a hostname (without the port), but the `known_hosts` file indexes the public keys based on the full host (e.g. `[localhost]:123` for a host behind a specific port). As a result, it was unable to find the correct public key for the hostname when it was added to the `known_hosts` file with the port. To work around this, we add the user provided host that includes the port to the `PublicKeyAuth` strategy, and use this to find the right entry in the `known_hosts` file, after having validated that the hostname provided to the callback matches the hostname of the host provided by the user. Signed-off-by: Hidde Beydals <hello@hidde.co>
70fdfb5
to
b2f6639
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've run this locally with the tests in image-automation-controller#109 and it works there, as well as in a real cluster using a github repo.
This enables SSH tests with fluxcd/pkg/gittestserver, hurrah 🙌
The callback from libgit2 only provides a hostname (without the port),
but the
known_hosts
file indexes the public keys based on the fullhost (e.g.
[localhost]:123
for a host behind a specific port).As a result, it was unable to find the correct public key for the
hostname when it was added to the
known_hosts
file with the port.To work around this, we add the user provided host that includes the
port to the
PublicKeyAuth
strategy, and use this to find the rightentry in the
known_hosts
file, after having validated that thehostname provided to the callback matches the hostname of the host
provided by the user.
Fixes: #287