skeema / knownhosts Goto Github PK
View Code? Open in Web Editor NEWGo SSH known_hosts wrapper with host key lookup
License: Apache License 2.0
Go SSH known_hosts wrapper with host key lookup
License: Apache License 2.0
Using WriteKnownHost
will get an entry with ipv6:
mbp.local,[fe80::abc:abcd:abcd:abcd%en0] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyN...
The next login fails:
knownhosts: /Users/lonny/.ssh/known_hosts:26: address [fe80::abc:abcd:abcd:abcd%en0]: missing port in address
here is the base ~/.ssh/known_hosts
file.
qiwang@Qi15Pro .ssh % more known_hosts
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoLveVRGZHdwPX70TZxScl0hgf94gSF+HaM/RMlIAGB
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5UUsy6H8B/RzOtvNOuDyzaRta4PquwUtKH9JeWkqg9oAW+esAE98vEACjZ3pIqhFC9QjrRVjB6cHk2j3Q4gCVCkiyZOvPwMPwUfq/M97hZq1nwJre7V+2245ls/3mdnL/6dJu3GNckqueyBImKhBAz8gNDzqsKGshzcWwHW523Ktd+QZqsqtfhEB4C09wqcRN+BrNwkmPItfshOGd4AYwmZUGADxUhcg1MG0TakakNLSj6jL7aKPEbm7dYVj/F/TQQGapmA/p++xeodUmwcpGCaXZml3nKIjkqWCgZIGECkQKN6Cm+yGvFSgENRf/2n4qxGp2Vy6eMYRDc5LluFN3rdc6bCOBOM0NIi6IkkHoxVkxeSxOPt7UFlfaVEm1J5BmmkSDDyHoYpo+nNzqFfrnDPW7JBc8GIwbiKtH++EMiHTU+0c5YNXdOtiHxWaLTvUTJobzyMdsbQ8Ahy12ABYpUUJgbLPae9IVepwA49WMrPzM+8GJCncOvwxLpW02XNs=
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFmkUUaDuZhC3T95dus3F+W7wuhKhc55RCTtqb0DZOX9jg/GB7pG7SZKMkldZpkQd2BPYSFGg624/mgDD5WBCYU=
Then I login with ssh -p 8022 ide@localhost
:
qiwang@Qi15Pro client % ssh -p 8022 ide@localhost
The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be established.
ED25519 key fingerprint is SHA256:O70nOfpgMg+4JRdyiRRX1DUXrHf8BNmbTymbzwVaXCA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8022' (ED25519) to the list of known hosts.
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.
You can setup the system with the command: setup-alpine
You may change this message by editing /etc/motd.
openrc-abuild:~$
here is the ~/.ssh/known_hosts
file after ssh client login. we notice that 3 lines of [localhost]:8022 was added.
qiwang@Qi15Pro .ssh % more known_hosts
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoLveVRGZHdwPX70TZxScl0hgf94gSF+HaM/RMlIAGB
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5UUsy6H8B/RzOtvNOuDyzaRta4PquwUtKH9JeWkqg9oAW+esAE98vEACjZ3pIqhFC9QjrRVjB6cHk2j3Q4gCVCkiyZOvPwMPwUfq/M97hZq1nwJre7V+2245ls/3mdnL/6dJu3GNckqueyBImKhBAz8gNDzqsKGshzcWwHW523Ktd+QZqsqtfhEB4C09wqcRN+BrNwkmPItfshOGd4AYwmZUGADxUhcg1MG0TakakNLSj6jL7aKPEbm7dYVj/F/TQQGapmA/p++xeodUmwcpGCaXZml3nKIjkqWCgZIGECkQKN6Cm+yGvFSgENRf/2n4qxGp2Vy6eMYRDc5LluFN3rdc6bCOBOM0NIi6IkkHoxVkxeSxOPt7UFlfaVEm1J5BmmkSDDyHoYpo+nNzqFfrnDPW7JBc8GIwbiKtH++EMiHTU+0c5YNXdOtiHxWaLTvUTJobzyMdsbQ8Ahy12ABYpUUJgbLPae9IVepwA49WMrPzM+8GJCncOvwxLpW02XNs=
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFmkUUaDuZhC3T95dus3F+W7wuhKhc55RCTtqb0DZOX9jg/GB7pG7SZKMkldZpkQd2BPYSFGg624/mgDD5WBCYU=
[localhost]:8022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLprakLbWrM0uWPS2ToU1JvDW+B/Of9kIxqBD/E6uTE
[localhost]:8022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTARZ2ZBYlS4zfE/yTC/clj6xeMQXwtmuw5XDdzB+MBFBOzqVeryvDZd7iTmlb36xuPsz4Fy+gg+2aHbkl0EdFWolSKIvnTwOo8N7okPWF/x8CGcPE9lslVd7W0HMsWay6S+uS93hlIIrHESgl1cTxi1yJRdJ4GoTnTJ+9LGzyQWKlzPUychP/vv2OxjVoLt/jgeVqbg43RwFSaI8WWUbU6gD/1Uu0pRJTaPBWDsF+1Gx1V4Go6HgSl9MemVhZKFmVHQIxU+l9TuuUA5lJg5bZ4OHaxzI0Tc9FiEdaNIN3hRA+1ZpPpc4Ig7seASKQ4AVRRZ8uDX9tjqlejy6z/3FNbdcypZHoQaMhWqVeM1wctvSo05OuoqyojF9zzWJiHhkaxTwi0NPvjilye0Vz4z6kcyOmra2dMvakBgBgFpzRtCceRNGQDonclX4WxDuMsS+VcmzfzCrICPJRLwgnvHGSKLn4rucN0VJpzsY1EX4yv0xD2oZj8HtSgndpRlwKYec=
[localhost]:8022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCr9GJXG1e4qyz3Oh9Z2xuYiLSxVj8SQs6kOTcvLCQPGwZlAG27sXc3/HXIzYvB7WPcUKqNdxcFndfWhPsr/sEM=
then I restore ~/.ssh/known_hosts
file to remove the lines added by ssh client. finally, I use the following code to call my application (as bellow).
sshHost := c.host + ":" + c.sshPort
khPath := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
kh, err := knownhosts.New(khPath)
if err != nil {
return err
}
// Create a custom permissive hostkey callback which still errors on hosts
// with changed keys, but allows unknown hosts and adds them to known_hosts
cb := ssh.HostKeyCallback(func(hostname string, remote net.Addr, key ssh.PublicKey) error {
err := kh(hostname, remote, key)
if knownhosts.IsHostKeyChanged(err) {
return fmt.Errorf("REMOTE HOST IDENTIFICATION HAS CHANGED for host %s! This may indicate a MitM attack.", hostname)
} else if knownhosts.IsHostUnknown(err) {
hint := "The authenticity of host '%s (%s)' can't be established.\n" +
"%s key fingerprint is %s.\n" +
"This key is not known by any other names\n" +
"Are you sure you want to continue connecting (yes/no/[fingerprint])?"
fmt.Printf(hint, hostname, remote, strings.ToUpper(key.Type()), ssh.FingerprintSHA256(key))
var answer string
fmt.Scanln(&answer)
switch answer {
case "yes", "y":
fmt.Printf("Warning: Permanently added '%s' (%s) to the list of known hosts.\n",
hostname, strings.ToUpper(key.Type()))
f, ferr := os.OpenFile(khPath, os.O_APPEND|os.O_WRONLY, 0600)
if ferr == nil {
defer f.Close()
ferr = knownhosts.WriteKnownHost(f, hostname, remote, key)
}
if ferr == nil {
fmt.Printf("Added host %s to known_hosts\n", hostname)
} else {
fmt.Printf("Failed to add host %s to known_hosts: %v\n", hostname, ferr)
}
return nil // permit previously-unknown hosts (warning: may be insecure)
case "no", "n":
fmt.Println("Host key verification failed.")
return err
}
}
return err
})
clientConfig := &ssh.ClientConfig{
User: c.user,
Auth: auth,
HostKeyCallback: cb,
HostKeyAlgorithms: kh.HostKeyAlgorithms(sshHost),
Timeout: time.Duration(3) * time.Second,
}
// TODO understand ssh login session, is that possible to replace the sshd depdends?
client, err := ssh.Dial("tcp", sshHost, clientConfig)
if err != nil {
return err
}
defer client.Close()
here is the output of my application.
qiwang@Qi15Pro client % GOCOVERDIR=./coverage/int ~/.local/bin/apsh ide@localhost:8022
The authenticity of host 'localhost:8022 ([::1]:8022)' can't be established.
ECDSA-SHA2-NISTP256 key fingerprint is SHA256:7kG09hr4PefUaFvjT+O3LAPWHPY9CcAxu/eiaYawBRM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?yes
Warning: Permanently added 'localhost:8022' (ECDSA-SHA2-NISTP256) to the list of known hosts.
Added host localhost:8022 to known_hosts
Process exited with status 127
qiwang@Qi15Pro client %
here is the ~/.ssh/known_hosts
file after run my application. There is only one line (ecdsa-sha2-nistp256) was added.
more known_hosts
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoLveVRGZHdwPX70TZxScl0hgf94gSF+HaM/RMlIAGB
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5UUsy6H8B/RzOtvNOuDyzaRta4PquwUtKH9JeWkqg9oAW+esAE98vEACjZ3pIqhFC9QjrRVjB6cHk2j3Q4gCVCkiyZOvPwMPwUfq/M97hZq1nwJre7V+2245ls/3mdnL/6dJu3GNckqueyBImKhBAz8gNDzqsKGshzcWwHW523Ktd+QZqsqtfhEB4C09wqcRN+BrNwkmPItfshOGd4AYwmZUGADxUhcg1MG0TakakNLSj6jL7aKPEbm7dYVj/F/TQQGapmA/p++xeodUmwcpGCaXZml3nKIjkqWCgZIGECkQKN6Cm+yGvFSgENRf/2n4qxGp2Vy6eMYRDc5LluFN3rdc6bCOBOM0NIi6IkkHoxVkxeSxOPt7UFlfaVEm1J5BmmkSDDyHoYpo+nNzqFfrnDPW7JBc8GIwbiKtH++EMiHTU+0c5YNXdOtiHxWaLTvUTJobzyMdsbQ8Ahy12ABYpUUJgbLPae9IVepwA49WMrPzM+8GJCncOvwxLpW02XNs=
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFmkUUaDuZhC3T95dus3F+W7wuhKhc55RCTtqb0DZOX9jg/GB7pG7SZKMkldZpkQd2BPYSFGg624/mgDD5WBCYU=
[localhost]:8022,[::1]:8022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCr9GJXG1e4qyz3Oh9Z2xuYiLSxVj8SQs6kOTcvLCQPGwZlAG27sXc3/HXIzYvB7WPcUKqNdxcFndfWhPsr/sEM=
ssh client and my application return different keys for user to choose. different key has different fingerprint.
~/.ssh/known_hosts
file. it's ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256.~/.ssh/known_hosts
file, it's ecdsa-sha2-nistp256@evanelias @lonnywong do you have any idea/suggestion about the compare result?
On Windows, WriteKnownHost
may write out results like this:
[demo.local]:2222,[fe80::20c:29ff:fe18:e2b5%Ethernet 6]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAfFFhkEb
This will result in the following error:
knownhosts: C:\Users\xxx\.ssh\known_hosts:9: illegal base64 data at input byte 5
Since knownhosts split lines by spaces:
https://github.com/golang/crypto/blob/3f0842a46434ea6f56bf6e684c2b83d90e9cff07/ssh/knownhosts/knownhosts.go#L170-L177
My tests on local IPv6:
test case | platform | result |
---|---|---|
ssh fe80::20c:29ff:fe18:e2b5 | Windows | √ |
ssh "fe80::20c:29ff:fe18:e2b5%Ethernet 6" | Windows | √ |
ssh fe80::20c:29ff:fe18:e2b5 | MacOS | X |
ssh fe80::20c:29ff:fe18:e2b5%en0 | MacOS | √ |
Should we omit the Zone ID
of IPv6 if it contains spaces \t
and
?
Please append to HostKeyAlgorithms algorithms like:
ssh.CertAlgoSKED25519v01
ssh.CertAlgoECDSA256v01
ssh.CertAlgoECDSA384v01
ssh.CertAlgoECDSA521v01
ssh.CertAlgoSKECDSA256v01
ssh.CertAlgoDSAv01
ssh.CertAlgoRSAv01
ssh.CertAlgoRSASHA256v01
ssh.CertAlgoRSASHA512v01
if known_hosts has lines started with @cert-authority
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.