Use skeema/knownhosts, not x/crypto/ssh/knownhosts #2212
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 22, 2024
The e2e test introduced by this PR verifies that the command `system connection add` against an SSH server parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
force-pushed
the
skeema-knownhosts
branch
2 times, most recently
from
064f89f
to
6599177
Compare
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 23, 2024
The e2e test introduced by this PR verifies that the command `system connection add` against an SSH server parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 24, 2024
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 24, 2024
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 24, 2024
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 24, 2024
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 24, 2024
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
force-pushed
the
skeema-knownhosts
branch
from
6599177
to
f5a4be3
Compare
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 25, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Package [golang.org/x/crypto/ssh/knownhosts](https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts) has an issue when an SSH server has many public keys (i.e. supports multiple crypto algorithms). For instance, if the local `known_hosts` file entries don't match the first SSH server key but match other keys of the SSH server, the handshake fails with a key mismatch error. See golang/go#29286 and containers/podman#23575. Package [github.com/skeema/knownhosts](https://github.com/skeema/knownhosts) is a wrapper of `x/crypto/ssh/knownhosts` that addresses this issue. This commit replaces the usage of `x/crypto/ssh/knownhosts` in containers/common with `github.com/skeema/knownhosts`. Signed-off-by: Mario Loriedo <[email protected]>
l0rd
force-pushed
the
skeema-knownhosts
branch
from
f5a4be3
to
2564c8d
Compare
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Oct 28, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
|
LGTM |
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 4, 2024
Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 4, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 4, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 4, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
|
@containers/podman-maintainers PTAL, I have added some new podman tests that are passing with the changes included in this PR. |
Luap99
approved these changes
Nov 5, 2024
| return nil, err | ||
| } | ||
| keyDir := path.Dir(keyFilePath) | ||
| if err := fileutils.Exists(keyDir); errors.Is(err, os.ErrNotExist) { |
There was a problem hiding this comment.
this seems pointless, why check if the dir already exists. We could also just directly call mkdir and ignore ErrExist there
There was a problem hiding this comment.
Agreed. I just left as it was as it's not doing any harm (except that's hard to read with all those nested conditions...).
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: l0rd, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 7, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
l0rd
added a commit
to l0rd/podman
that referenced
this pull request
Nov 7, 2024
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR This PR addresses this issue. In this containers/podman PR, I have added some specific tests.
The package golang.org/x/crypto/ssh/knownhosts has an issue when an SSH server has many public keys (i.e., supports multiple crypto algorithms).
For instance, if the local
known_hostsfile entries don't match the first SSH server key but match other SSH server keys, the handshake fails with a key mismatch error.See golang/go#29286 and containers/podman#23575.
Package github.com/skeema/knownhosts is a wrapper of
x/crypto/ssh/knownhoststhat addresses this issue.This commit replaces the usage of
x/crypto/ssh/knownhostsin containers/common withgithub.com/skeema/knownhosts.