Commits on Jul 15, 2024

1. host matching: handle wildcards with non-standard port …

   In OpenSSH, wildcard host pattern entries in a known_hosts file can match
   hosts regardless of their port number. However, x/crypto/ssh/knownhosts does
   not follow this behavior, instead requiring strict port equality; see bug
   golang/go#52056 for background.
   
   This commit implements a workaround in skeema/knownhosts, which is enabled
   when using the NewDB constructor. Conceptually, the workaround works like
   this:
   
   * At constructor time, when re-reading the known_hosts file (originally to
     look for @cert-authority lines), also look for lines that have wildcards
     in the host pattern and no port number specified. Track these lines in a
     new field of the HostKeyDB struct for later use.
   
   * When a host key callback returns no matches (KeyError with empty Want slice)
     and the host had a nonstandard (non-22) port number, try the callback again,
     this time manipulating the host arg to be on port 22.
   
   * If this second call returned nil error, that means the host key now matched
     a known_hosts entry on port 22, so consider the host as known.
   
   * If this second call returned a KeyError with non-empty Want slice, filter
     down the resulting keys to only correspond to lines with known wildcards,
     using the preprocessed information from the first step. This ensures we
     aren't incorrectly returning non-wildcard entries among the Want slice.
   
   The implementation for the latter 3 bullets gets embedded directly in the
   host key callback returned by HostKeyDB.HostKeyCallback, by way of some
   nested callback wrapping. This only happens if the first bullet actually
   found at least one wildcard in the file.

   

   evanelias committed Jul 15, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 9706e13
   • Browse repository at this point

   Copy the full SHA

   9706e13 View commit details

   Browse the repository at this point in the history