Overview
Package hostkey implements host key callbacks for the ssh.ClientConfig.HostKeyCallback field.
Index
- Variables
- func KnownHostsFileCallback(path string, permissive, hash bool) (ssh.HostKeyCallback, error)
- func KnownHostsFileCallbackWithIPCheck(path string, permissive, hash bool) (ssh.HostKeyCallback, error)
- func KnownHostsReadOnlyFileCallback(path string, permissive bool) (ssh.HostKeyCallback, error)
- func KnownHostsReadOnlyFileCallbackWithIPCheck(path string, permissive bool) (ssh.HostKeyCallback, error)
- func StaticKeyCallback(trustedKey string) ssh.HostKeyCallback
- func WithAlias(callback ssh.HostKeyCallback, alias string) ssh.HostKeyCallback
- func WithCheckHostIP(cb ssh.HostKeyCallback, path string, permissive bool) (ssh.HostKeyCallback, error)
Constants
This section is empty.
Variables
var (
	// ErrHostKeyMismatch is returned when the presented host key does not match the trusted key or any key in the known_hosts file.
	ErrHostKeyMismatch = errors.New("host key mismatch")
	// ErrCheckHostKey is returned when the callback could not be created.
	ErrCheckHostKey = errors.New("check hostkey")
	// InsecureIgnoreHostKeyCallback is an insecure HostKeyCallback that accepts any host key.
	InsecureIgnoreHostKeyCallback = ssh.InsecureIgnoreHostKey() //nolint:gosec
)
var KnownHostsPathFromEnv = func() (string, bool) { return os.LookupEnv("SSH_KNOWN_HOSTS") }
KnownHostsPathFromEnv returns the path to a known_hosts file from the environment variable SSH_KNOWN_HOSTS.
Functions
func KnownHostsFileCallback
func KnownHostsFileCallback(path string, permissive, hash bool) (ssh.HostKeyCallback, error)
KnownHostsFileCallback returns a HostKeyCallback that uses a known hosts file to verify host keys.
func KnownHostsFileCallbackWithIPCheck
func KnownHostsFileCallbackWithIPCheck(path string, permissive, hash bool) (ssh.HostKeyCallback, error)
KnownHostsFileCallbackWithIPCheck is like KnownHostsFileCallback but also verifies the connecting IP address. It parses the known_hosts file once, sharing the checker between hostname and IP verification.
func KnownHostsReadOnlyFileCallback
func KnownHostsReadOnlyFileCallback(path string, permissive bool) (ssh.HostKeyCallback, error)
KnownHostsReadOnlyFileCallback returns a HostKeyCallback that only reads from an existing known hosts file — it never creates the file or appends new entries. This is appropriate for system-wide files such as /etc/ssh/ssh_known_hosts that should not be modified by unprivileged users.
func KnownHostsReadOnlyFileCallbackWithIPCheck
func KnownHostsReadOnlyFileCallbackWithIPCheck(path string, permissive bool) (ssh.HostKeyCallback, error)
KnownHostsReadOnlyFileCallbackWithIPCheck is like KnownHostsReadOnlyFileCallback but also verifies the connecting IP address. It parses the known_hosts file once, sharing the checker between hostname and IP verification.
func StaticKeyCallback
func StaticKeyCallback(trustedKey string) ssh.HostKeyCallback
StaticKeyCallback returns a HostKeyCallback that accepts a connection only when the presented host key matches the single trusted key given as trustedKey.
func WithAlias
func WithAlias(callback ssh.HostKeyCallback, alias string) ssh.HostKeyCallback
WithAlias wraps callback so that alias replaces the actual hostname for all known_hosts lookups and new-entry storage. This implements the HostKeyAlias ssh_config option: connecting through a bastion or tunnel stores the entry under the logical alias, not the TCP address.
func WithCheckHostIP
func WithCheckHostIP(cb ssh.HostKeyCallback, path string, permissive bool) (ssh.HostKeyCallback, error)
WithCheckHostIP wraps cb to also verify the connecting IP address against known_hosts. When the remote address is a TCP connection, the IP actually connected to is checked directly; otherwise all DNS-resolved addresses for the hostname are checked. If an IP is found in known_hosts with a different key (a sign of potential DNS spoofing), ErrHostKeyMismatch is returned. DNS resolution failures are non-fatal. The check is skipped when the hostname is already an IP address. Unlike OpenSSH, this implementation never writes IP addresses to known_hosts.
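As an added illustration, not code from the hostkey package, the following Go program models the decision logic described above for WithCheckHostIP: a wrapped hostname callback, the TCP-versus-DNS choice, non-fatal resolution failure, and a mismatch when the connected IP is known under a different key. Keys are opaque strings and the known_hosts file is an in-memory map, both constructed stand-ins; the names withCheckHostIP, demo and the sample hosts and keys are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Constructed stand-ins for the sentinel error and ssh.HostKeyCallback (key as an opaque string, not ssh.PublicKey).
var ErrHostKeyMismatch = errors.New("host key mismatch")
type hostKeyCallback func(hostname string, remote net.Addr, key string) error
// withCheckHostIP wraps cb with the IP verification documented for WithCheckHostIP.
// known stands in for the parsed known_hosts file (hostname or IP -> key); lookup replaces DNS.
func withCheckHostIP(cb hostKeyCallback, known map[string]string, lookup func(string) ([]net.IP, error)) hostKeyCallback {
	return func(hostname string, remote net.Addr, key string) error {
		if err := cb(hostname, remote, key); err != nil {
			return err // the hostname check itself failed
		}
		if net.ParseIP(hostname) != nil {
			return nil // hostname is already an IP: the check above covered it
		}
		var ips []net.IP
		if tcp, ok := remote.(*net.TCPAddr); ok {
			ips = []net.IP{tcp.IP} // real connection: check the IP actually reached
		} else if resolved, err := lookup(hostname); err == nil {
			ips = resolved // otherwise check every resolved address
		} // a DNS failure is non-fatal: nothing extra to check
		for _, ip := range ips {
			// A known IP with a different key points at DNS spoofing; unknown IPs pass and are never written back.
			if stored, ok := known[ip.String()]; ok && stored != key {
				return fmt.Errorf("%w: %s is pinned to a different key", ErrHostKeyMismatch, ip)
			}
		}
		return nil
	}
}

// demo: DNS has "redirected" bastion.example to 192.0.2.20 (pinned to key-B) while the server presents key-A; the hostname entry matches, so only the IP check catches it.
func demo() error {
	known := map[string]string{"bastion.example": "key-A", "192.0.2.10": "key-A", "192.0.2.20": "key-B"}
	byName := func(h string, _ net.Addr, k string) error {
		if known[h] == k {
			return nil
		}
		return ErrHostKeyMismatch
	}
	cb := withCheckHostIP(byName, known, func(string) ([]net.IP, error) { return nil, errors.New("no dns") })
	return cb("bastion.example", &net.TCPAddr{IP: net.ParseIP("192.0.2.20"), Port: 22}, "key-A")
}
func main() { fmt.Println(demo()) }
```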
Types
This section is empty.