We need to better support known_hosts formats in KiwiJschHelpers etc.

[sleberknight]

Background

Currently KiwiJSchHelpers has a private nested class KnownHost that can only handle the following

• hostname e.g dev-svc-1.acme.com
• ip_address e.g. 192.168.1.150
• hostname,ip_address e.g. dev-svc-1.acme.com,192.168.1.150

However, known_hosts can have various other formats. For example:

• [ssh.example.org]:2222 ssh-rsa AAAAB3Nz...AKy2R2OE=
• [127.0.0.2]:4922 ssh-rsa AAAAB4mV...1d6j=
• [anga.funkfeuer.at]:2022,[78.41.115.130]:2022 ssh-rsa AAAAB...fgTHaojQ==

And it can also have salted + hashed versions of the host name and IP address, e.g.

|1|F1E1KeoE/eEWhi10WpGv4OdiO6Y=|3988QV0VE8wmZL7suNrYQLITLCg= ssh-rsa ...

The only code I found dealing with the hashed hostnames is KnownHosts.java by Christian Plattner. It came from Ganymed SSH-2 for Java which is no longer maintained. It points you to an old google code site that returns a 404, so just search for "ganymed-ssh-2". You'll find a bunch of forks on GitHub. The fork from SoftwareAG here seems to be one of the most recent ones. It's too bad this stuff isn't part of the standard JDK libraries...

Goals

We should be able to handle all these various known_hosts formats in our SFTP utilities.

• Support all the various known_hosts formats
• Make it generic (currently this code resides inside the KiwiJSchHelpers which is in the org.kiwiproject.jsch package)
• Or, possibly don't do it at all if we can find a good alternative, e.g. ganymed-ssh-2

Misc

And also, during all this searching, I came across Automatically Accept SSH Fingerprint which talks about the ssh-keyscan tool which lets you find the public keys of remote servers.

We could also consider providing a way to automatically add public keys to remote hosts, assuming we put the same caveats regarding security on whatever code comes out of it...

References

Some of the things I came across while doing this research, in no particular order:

• https://en.wikibooks.org/wiki/OpenSSH/Client_Configuration_Files#~/.ssh/known_hosts
• https://security.stackexchange.com/questions/56268/ssh-benefits-of-using-hashed-known-hosts
• https://www.howtouselinux.com/post/ssh-known_hosts-file
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/host-keys
• https://www.putorius.net/automatically-accept-ssh-fingerprint.html
• http://www.ganymed.ethz.ch/ssh2/javadoc/ch/ethz/ssh2/KnownHosts.html
• https://android.googlesource.com/platform/external/ganymed-ssh2/+/f68742b25f19026c1fa63be32df0c2c3ca92b4ab/src/main/java/ch/ethz/ssh2/KnownHosts.java
• http://www.ganymed.ethz.ch/ssh2/
• https://www.cleondris.com/opensource/ssh2/
• https://github.com/SoftwareAG/ganymed-ssh-2
• https://www.bouncycastle.org/

[sleberknight]

The few services we had that were still using SFTP for anything have now been decommissioned, so this is no longer needed. However, we probably should document this limitation in the existing KiwiJschHelpers class.