diff options
| author | Shulhan <ms@kilabit.info> | 2026-03-27 06:15:40 +0700 |
|---|---|---|
| committer | Shulhan <ms@kilabit.info> | 2026-03-27 06:18:19 +0700 |
| commit | df7fcb9796d330e7151761444a803f9ae3cc5011 (patch) | |
| tree | 1549fcf6a692a95957cfd2c47254becff6862629 | |
| parent | 5a765dc7f90c2ebc9a11cd79dcfbd8a8b8d99fcd (diff) | |
| download | pakakeh.go-df7fcb9796d330e7151761444a803f9ae3cc5011.tar.xz | |
lib/ssh: set client config HostKeyAlgorithms from known_hosts files
There is an issue with current SSH client implementation.
Given a single host public key in the known_hosts file,
host ssh-ed25519 key...
Calling ssh.Dial(`tcp`, "host", ...) will return an error
knownhosts: key mismatch
from [handshakeTransport.enterKeyExchange], because only key
"mlkem768x25519-sha256" is checked on the client side.
This changes add DB interface for knownhosts that have two methods:
- HostKeyAlgorithms: return the host key that matches in known_hosts
based on the "host" name or address for
[ssh.ClientConfig.HostKeyAlgorithms].
- HostKeyCallback: return the ssh.HostKeyCallback for
[ssh.ClientConfig.HostKeyCallback].
| -rw-r--r-- | go.mod | 4 | ||||
| -rw-r--r-- | go.sum | 8 | ||||
| -rw-r--r-- | lib/ssh/client.go | 23 |
3 files changed, 22 insertions, 13 deletions
@@ -10,7 +10,7 @@ require ( golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa golang.org/x/net v0.51.0 golang.org/x/sys v0.42.0 - golang.org/x/term v0.40.0 + golang.org/x/term v0.41.0 golang.org/x/tools v0.42.0 ) @@ -20,6 +20,6 @@ require ( golang.org/x/sync v0.20.0 // indirect ) -//replace golang.org/x/crypto => ../go-x-crypto +replace golang.org/x/crypto => git.sr.ht/~shulhan/go-x-crypto v0.49.1-0.20260326231004-e6291d138282 //replace golang.org/x/term => ../../../golang.org/x/term @@ -1,7 +1,7 @@ +git.sr.ht/~shulhan/go-x-crypto v0.49.1-0.20260326231004-e6291d138282 h1:tiv3enyeoZwbzASD7bHS5pE/LPuSchkkE0U6mzIlM8g= +git.sr.ht/~shulhan/go-x-crypto v0.49.1-0.20260326231004-e6291d138282/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= -golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0= golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA= golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8= @@ -12,7 +12,7 @@ golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= -golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k= golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0= diff --git a/lib/ssh/client.go b/lib/ssh/client.go index cff1c9a9..e712c516 100644 --- a/lib/ssh/client.go +++ b/lib/ssh/client.go @@ -87,7 +87,7 @@ func NewClientInteractive(section *sshconfig.Section) (cl *Client, err error) { remoteAddr: fmt.Sprintf(`%s:%s`, section.Hostname(), section.Port()), } - err = cl.setConfigHostKeyCallback() + err = cl.setConfigHostKey() if err != nil { return nil, fmt.Errorf(`%s: %w`, logp, err) } @@ -134,13 +134,14 @@ func NewClientInteractive(section *sshconfig.Section) (cl *Client, err error) { return cl, nil } -// setConfigHostKeyCallback set the [sshconfig.HostKeyCallback] based on the -// UserKnownHostsFile in the Section. +// setConfigHostKey sets the [ssh.ClientConfig.HostKeyCallback] and +// [ssh.ClientConfig.HostKeyAlgorithms] based on the UserKnownHostsFile in the +// Section. // If one of the UserKnownHostsFile set to "none" it will use // [ssh.InsecureIgnoreHostKey]. -func (cl *Client) setConfigHostKeyCallback() (err error) { +func (cl *Client) setConfigHostKey() (err error) { var ( - logp = `setConfigHostKeyCallback` + logp = `setConfigHostKey` userKnownHosts = cl.section.UserKnownHostsFile() knownHosts string @@ -166,11 +167,19 @@ func (cl *Client) setConfigHostKeyCallback() (err error) { } } - cl.config.HostKeyCallback, err = knownhosts.New(cl.listKnownHosts...) + knownHostsDB, err := knownhosts.NewDB(cl.listKnownHosts...) if err != nil { return fmt.Errorf(`%s: %w`, logp, err) } + cl.config.HostKeyAlgorithms, err = knownHostsDB.HostKeyAlgorithms(cl.remoteAddr) + if err != nil { + return fmt.Errorf(`%s: %w`, logp, err) + } + if len(cl.config.HostKeyAlgorithms) == 0 { + return fmt.Errorf(`%s: no matching known_hosts for %s`, logp, cl.remoteAddr) + } + cl.config.HostKeyCallback = knownHostsDB.HostKeyCallback() return nil } @@ -250,7 +259,7 @@ func (cl *Client) dialWithPrivateKeys(sshAgent agent.ExtendedAgent) (err error) err = cl.dialError(logp, err) } if err != nil { - return err + return fmt.Errorf(`%s: %w`, logp, err) } if cl.Client == nil { // None of the private key can connect to remote address. |