Merge pull request #1482 from Javier-varez/add-cert-auth-support-v5.x

pjbgf · web-flow · commit 768fda7b166e · 2025-04-10T09:26:13.000+01:00
plumbing: add cert auth support to `releases/v5.x`
diff --git a/plumbing/transport/ssh/auth_method.go b/plumbing/transport/ssh/auth_method.go
@@ -54,7 +54,7 @@ func (a *KeyboardInteractive) String() string {
 }
 
 func (a *KeyboardInteractive) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{
 			a.Challenge,
@@ -78,7 +78,7 @@ func (a *Password) String() string {
 }
 
 func (a *Password) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.Password(a.Password)},
 	})
@@ -101,7 +101,7 @@ func (a *PasswordCallback) String() string {
 }
 
 func (a *PasswordCallback) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PasswordCallback(a.Callback)},
 	})
@@ -150,7 +150,7 @@ func (a *PublicKeys) String() string {
 }
 
 func (a *PublicKeys) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)},
 	})
@@ -211,7 +211,7 @@ func (a *PublicKeysCallback) String() string {
 }
 
 func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
-	return a.SetHostKeyCallback(&ssh.ClientConfig{
+	return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{
 		User: a.User,
 		Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(a.Callback)},
 	})
@@ -230,11 +230,23 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 //	~/.ssh/known_hosts
 //	/etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-	kh, err := newKnownHosts(files...)
-	return ssh.HostKeyCallback(kh), err
+	kh, err := NewKnownHostsDb(files...)
+	return kh.HostKeyCallback(), err
 }
 
-func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
+// NewKnownHostsDb returns knownhosts.HostKeyDB based on a file based on a
+// known_hosts file. http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT
+//
+// If list of files is empty, then it will be read from the SSH_KNOWN_HOSTS
+// environment variable, example:
+//
+//	/home/foo/custom_known_hosts_file:/etc/custom_known/hosts_file
+//
+// If SSH_KNOWN_HOSTS is not set the following file locations will be used:
+//
+//	~/.ssh/known_hosts
+//	/etc/ssh/ssh_known_hosts
+func NewKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 	var err error
 
 	if len(files) == 0 {
@@ -247,7 +259,7 @@ func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 		return nil, err
 	}
 
-	return knownhosts.New(files...)
+	return knownhosts.NewDB(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -289,25 +301,23 @@ func filterKnownHostsFiles(files ...string) ([]string, error) {
 }
 
 // HostKeyCallbackHelper is a helper that provides common functionality to
-// configure HostKeyCallback into a ssh.ClientConfig.
+// configure HostKeyCallback and HostKeyAlgorithms into a ssh.ClientConfig.
 type HostKeyCallbackHelper struct {
 	// HostKeyCallback is the function type used for verifying server keys.
-	// If nil default callback will be create using NewKnownHostsCallback
+	// If nil, a default callback will be created using NewKnownHostsDb
 	// without argument.
 	HostKeyCallback ssh.HostKeyCallback
-}
 
-// SetHostKeyCallback sets the field HostKeyCallback in the given cfg. If
-// HostKeyCallback is empty a default callback is created using
-// NewKnownHostsCallback.
-func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
-	var err error
-	if m.HostKeyCallback == nil {
-		if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
-			return cfg, err
-		}
-	}
+	// HostKeyAlgorithms is a list of supported host key algorithms that will
+	// be used for host key verification.
+	HostKeyAlgorithms []string
+}
 
+// SetHostKeyCallbackAndAlgorithms sets the field HostKeyCallback and HostKeyAlgorithms in the given cfg.
+// If the host key callback or algorithms is empty it is left empty. It will be handled by the dial method,
+// falling back to knownhosts.
+func (m *HostKeyCallbackHelper) SetHostKeyCallbackAndAlgorithms(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
 	cfg.HostKeyCallback = m.HostKeyCallback
+	cfg.HostKeyAlgorithms = m.HostKeyAlgorithms
 	return cfg, nil
 }
diff --git a/plumbing/transport/ssh/auth_method_test.go b/plumbing/transport/ssh/auth_method_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"slices"
 	"strings"
 
 	"github.com/go-git/go-billy/v5/osfs"
@@ -18,7 +19,8 @@ import (
 type (
 	SuiteCommon struct{}
 
-	mockKnownHosts struct{}
+	mockKnownHosts         struct{}
+	mockKnownHostsWithCert struct{}
 )
 
 func (mockKnownHosts) host() string { return "github.com" }
@@ -27,6 +29,19 @@ func (mockKnownHosts) knownHosts() []byte {
 }
 func (mockKnownHosts) Network() string { return "tcp" }
 func (mockKnownHosts) String() string  { return "github.com:22" }
+func (mockKnownHosts) Algorithms() []string {
+	return []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512}
+}
+
+func (mockKnownHostsWithCert) host() string { return "github.com" }
+func (mockKnownHostsWithCert) knownHosts() []byte {
+	return []byte(`@cert-authority github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==`)
+}
+func (mockKnownHostsWithCert) Network() string { return "tcp" }
+func (mockKnownHostsWithCert) String() string  { return "github.com:22" }
+func (mockKnownHostsWithCert) Algorithms() []string {
+	return []string{ssh.CertAlgoRSASHA512v01, ssh.CertAlgoRSASHA256v01, ssh.CertAlgoRSAv01}
+}
 
 var _ = Suite(&SuiteCommon{})
 
@@ -230,3 +245,75 @@ func (*SuiteCommon) TestNewKnownHostsCallback(c *C) {
 	err = clb(mock.String(), mock, hostKey)
 	c.Assert(err, IsNil)
 }
+
+func (*SuiteCommon) TestNewKnownHostsDbWithoutCert(c *C) {
+	if runtime.GOOS == "js" {
+		c.Skip("not available in wasm")
+	}
+
+	var mock = mockKnownHosts{}
+
+	f, err := util.TempFile(osfs.Default, "", "known-hosts")
+	c.Assert(err, IsNil)
+
+	_, err = f.Write(mock.knownHosts())
+	c.Assert(err, IsNil)
+
+	err = f.Close()
+	c.Assert(err, IsNil)
+
+	defer util.RemoveAll(osfs.Default, f.Name())
+
+	f, err = osfs.Default.Open(f.Name())
+	c.Assert(err, IsNil)
+
+	defer f.Close()
+
+	db, err := NewKnownHostsDb(f.Name())
+	c.Assert(err, IsNil)
+
+	algos := db.HostKeyAlgorithms(mock.String())
+	c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+	for _, algorithm := range mock.Algorithms() {
+		if !slices.Contains(algos, algorithm) {
+			c.Error("algos does not contain ", algorithm)
+		}
+	}
+}
+
+func (*SuiteCommon) TestNewKnownHostsDbWithCert(c *C) {
+	if runtime.GOOS == "js" {
+		c.Skip("not available in wasm")
+	}
+
+	var mock = mockKnownHostsWithCert{}
+
+	f, err := util.TempFile(osfs.Default, "", "known-hosts")
+	c.Assert(err, IsNil)
+
+	_, err = f.Write(mock.knownHosts())
+	c.Assert(err, IsNil)
+
+	err = f.Close()
+	c.Assert(err, IsNil)
+
+	defer util.RemoveAll(osfs.Default, f.Name())
+
+	f, err = osfs.Default.Open(f.Name())
+	c.Assert(err, IsNil)
+
+	defer f.Close()
+
+	db, err := NewKnownHostsDb(f.Name())
+	c.Assert(err, IsNil)
+
+	algos := db.HostKeyAlgorithms(mock.String())
+	c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+	for _, algorithm := range mock.Algorithms() {
+		if !slices.Contains(algos, algorithm) {
+			c.Error("algos does not contain ", algorithm)
+		}
+	}
+}
diff --git a/plumbing/transport/ssh/common.go b/plumbing/transport/ssh/common.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/internal/common"
-	"github.com/skeema/knownhosts"
 
 	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
@@ -127,17 +126,17 @@ func (c *command) connect() error {
 	}
 	hostWithPort := c.getHostWithPort()
 	if config.HostKeyCallback == nil {
-		kh, err := newKnownHosts()
+		db, err := NewKnownHostsDb()
 		if err != nil {
 			return err
 		}
-		config.HostKeyCallback = kh.HostKeyCallback()
-		config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
-	} else if len(config.HostKeyAlgorithms) == 0 {
-		// Set the HostKeyAlgorithms based on HostKeyCallback.
-		// For background see https://github.com/go-git/go-git/issues/411 as well as
-		// https://github.com/golang/go/issues/29286 for root cause.
-		config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
+		config.HostKeyCallback = db.HostKeyCallback()
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
+	} else {
+		// If the user gave a custom HostKeyCallback, we do not try to detect host key algorithms
+		// based on knownhosts functionality, as the user may be requesting a FixedKey or using a
+		// different key approval strategy. In that case, the user is responsible for populating
+		// HostKeyAlgorithms appropriately
 	}
 
 	overrideConfig(c.config, config)
diff --git a/plumbing/transport/ssh/common_test.go b/plumbing/transport/ssh/common_test.go
@@ -129,12 +129,35 @@ func (s *SuiteCommon) TestFixedHostKeyCallback(c *C) {
 	c.Assert(err, IsNil)
 	c.Assert(auth, NotNil)
 	auth.HostKeyCallback = stdssh.FixedHostKey(hostKey.PublicKey())
+	auth.HostKeyAlgorithms = []string{"ssh-ed25519"}
 	ep := uploadPack.newEndpoint(c, "bar.git")
 	ps, err := uploadPack.Client.NewUploadPackSession(ep, auth)
 	c.Assert(err, IsNil)
 	c.Assert(ps, NotNil)
 }
 
+func (s *SuiteCommon) TestFixedHostKeyCallbackUnexpectedAlgorithm(c *C) {
+	hostKey, err := stdssh.ParsePrivateKey(testdata.PEMBytes["ed25519"])
+	c.Assert(err, IsNil)
+	uploadPack := &UploadPackSuite{
+		opts: []ssh.Option{
+			ssh.HostKeyPEM(testdata.PEMBytes["rsa"]),
+		},
+	}
+	uploadPack.SetUpSuite(c)
+	// Use the default client, which does not have a host key callback
+	uploadPack.Client = DefaultClient
+	auth, err := NewPublicKeys("foo", testdata.PEMBytes["rsa"], "")
+	c.Assert(err, IsNil)
+	c.Assert(auth, NotNil)
+	auth.HostKeyCallback = stdssh.FixedHostKey(hostKey.PublicKey())
+	auth.HostKeyAlgorithms = []string{"ssh-ed25519"}
+	ep := uploadPack.newEndpoint(c, "bar.git")
+	ps, err := uploadPack.Client.NewUploadPackSession(ep, auth)
+	c.Assert(err, NotNil)
+	c.Assert(ps, IsNil)
+}
+
 func (s *SuiteCommon) TestFailHostKeyCallback(c *C) {
 	uploadPack := &UploadPackSuite{
 		opts: []ssh.Option{
