This repository has been archived by the owner on Jun 15, 2024. It is now read-only.

Allow customizing StrictHostKeyChecking #22

Closed
arichiardi opened this issue May 30, 2017 · 5 comments
Comments

@arichiardi

Hello folks (again) 😁 !
I was trying to test my code against a repo and ran into an UnknownKeyHost exception.

After some googling, it looks like what I really need is to correctly set up the known_host file on the machine.

However, I was wondering whether passing a configurable StrictHostKeyChecking is a good idea:

Java does

session.setConfig("StrictHostKeyChecking", "yes");

I saw that you have a proxy there so the change is straightforward, just wondering if you are interested or consider that "too much of a security risk". I see it as a debug feature.

Thanks!

@flosell
Owner

flosell commented May 31, 2017

Since this should be a library that works for everybody, I don't think it should be opinionated about these things; it should be up to the user to determine the security impact.

So in principle, no doubts in making this configurable as long as we stick with a secure default.

I'm wondering though: Isn't jsch using the normal ssh configuration by default? And if yes, wouldn't that be the right place to configure StrictHostKeyChecking?

@arichiardi
Author

Probably that would be the right place, yes, but that option should reside in the config, which I don't think at the moment can be passed in. All this, if I understand things right of course 😄

@flosell
Owner

flosell commented Jun 2, 2017

I think you understand things right :) I just had the assumption in the back of my head that jsch just reads the normal ssh_config files by default. But I haven't actually gotten around to validating this assumption so I might be wrong there.
Assuming we can get jsch to just pull in and use ssh config files in the default locations, would this solve the issue or does it still make sense to add that specific config option to lambdacd-git?

@arichiardi
Author

They might both work fine, so I am ok with either 😁

@flosell
Owner

flosell commented Jun 5, 2017

Here's what I found out so far (and documented in the README):

You can configure StrictHostKeyChecking in ~/.ssh/config as you would expect. However, configuration handling in JGit and JSch is a bit of a mess so right now /etc/ssh/ssh_config is not supported...
See #23 for more details
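
An added example, not part of the thread and not lambdacd-git code: it shows the known_hosts lookup that StrictHostKeyChecking acts on, using JSch's `HostKeyRepository.check`, and what "yes" versus "no" means for each result. It assumes JSch is on the classpath; the host name `git.example.test`, the key bytes and the `decide` helper are constructed for illustration.

```java
import com.jcraft.jsch.HostKeyRepository;
import com.jcraft.jsch.JSch;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class HostKeyCheckDemo {
    // Constructed test data: bytes framed like an "ssh-rsa" public key blob, not a real key.
    static byte[] constructedRsaBlob(int fill) {
        byte[] modulus = new byte[64];
        Arrays.fill(modulus, (byte) fill);
        byte[][] fields = {
            "ssh-rsa".getBytes(StandardCharsets.US_ASCII), new byte[] {1, 0, 1}, modulus};
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] field : fields) {
            // uint32 big-endian length prefix (all fields here are shorter than 128 bytes)
            out.write(new byte[] {0, 0, 0, (byte) field.length}, 0, 4);
            out.write(field, 0, field.length);
        }
        return out.toByteArray();
    }

    // Hypothetical helper modelling the option: "yes" refuses anything but an exact match,
    // "no" lets the connection continue although the key was never verified.
    static String decide(HostKeyRepository repo, String host, byte[] key, String strict) {
        int result = repo.check(host, key);
        if (result == HostKeyRepository.OK) return "accept: key matches known_hosts";
        String why = result == HostKeyRepository.CHANGED ? "key CHANGED" : "host NOT_INCLUDED";
        return ("yes".equals(strict) ? "reject: " : "accept unverified: ") + why;
    }

    public static void main(String[] args) throws Exception {
        byte[] pinned = constructedRsaBlob(0x11);   // key recorded in known_hosts
        byte[] other = constructedRsaBlob(0x22);    // a different key offered by the "server"
        String knownHosts = "git.example.test ssh-rsa "
                + Base64.getEncoder().encodeToString(pinned) + "\n";
        JSch jsch = new JSch();
        jsch.setKnownHosts(new ByteArrayInputStream(knownHosts.getBytes(StandardCharsets.US_ASCII)));
        HostKeyRepository repo = jsch.getHostKeyRepository();
        for (String strict : new String[] {"yes", "no"}) {
            System.out.println(strict + ", pinned key:   " + decide(repo, "git.example.test", pinned, strict));
            System.out.println(strict + ", changed key:  " + decide(repo, "git.example.test", other, strict));
            System.out.println(strict + ", unknown host: " + decide(repo, "new.example.test", other, strict));
        }
    }
}
```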
