Stocard · kronthto · Jan 23, 2022
diff --git a/README.md b/README.md
@@ -96,6 +96,7 @@ Options are an object with following properties:
 * `bastionHost` (optional): You can specify a bastion host if you want
 * `passphrase` (optional): You can specify the passphrase when you have an encrypted private key. If you don't specify the passphrase and you use an encrypted private key, you get prompted in the command line.
 * `noReadline` (optional): Don't prompt for private key passphrases using readline (eg if this is not run in an interactive session)
+* `verifyKnownHosts` (optional): Verify remote SSH hostkey using your known_hosts. The implementation only works on systems with an OpenSSH (OpenBSD) version of ssh-keygen.
 
 #### `connection.executeCommand(command: string): Promise<void>`
 

diff --git a/src/Connection.ts b/src/Connection.ts
@@ -34,7 +34,8 @@ interface Options {
   endHost: string
   agentSocket?: string,
   skipAutoPrivateKey?: boolean
-  noReadline?: boolean
+  noReadline?: boolean,
+  verifyKnownHosts?: boolean
 }
 
 interface ForwardingOptions {
@@ -148,13 +149,40 @@ class SSHConnection {
     const connection = new Client()
     return new Promise<Client>(async (resolve, reject) => {
 
-      const options = {
+      const options : {[k: string]: any} = {
         host,
         port: this.options.endPort,
         username: this.options.username,
         password: this.options.password,
         privateKey: this.options.privateKey
       }
+      if (this.options.verifyKnownHosts) {
+        options.hostVerifier = function(hashedKey, verifyCb) {
+          let b64key = hashedKey.toString('base64');
+          if (!b64key) return false;
+
+          let escapedHost = host.replace(/[^a-z\d\.\-]/g,'$1'); // Make arg safer for shell-exec by enforcing a strict whitelist of literal host chars
+          let connPort = Number(options.port);
+          if (connPort && connPort !== 22) {
+            escapedHost = '['+escapedHost+']:'+connPort;
+          }
+          let { exec } = require("child_process");
+          exec('ssh-keygen -F "'+escapedHost+'"', (error, stdout) => {
+              if (error) {
+                  verifyCb(false);
+                  return;
+              }
+              let matching_key = stdout.split("\n").find(function(keyline) {
+                return keyline.split(" ")[2] === b64key;
+              });
+              if (matching_key) {
+                verifyCb(true);
+              } else {
+                verifyCb(false);
+              }
+          });
+        };
+      }
       if (this.options.agentForward) {
         options['agentForward'] = true