dbclient: support -o StrictHostKeyChecking #269
8fad255 to 4b4c9d3
I added other options that already have a flag. This will make interoperability with OpenSSH better because -K -J flags have a different meaning. So with the options we can help to write scripts that will work similarly.
4b4c9d3 to ea40869
dbclient -y is -o StrictHostKeyChecking=accept-new
dbclient -y -y is -o StrictHostKeyChecking=no
When executing:
  $ dbclient -i ~/id_rsa
then the shell expands the path to /home/user/id_rsa. But when the key path is quoted or executed without a shell then this does not happen:
  $ dbclient -i '~/id_rsa'
  Failed loading keyfile '~/id_rsa'
We already have a home dir expanding used for ~/.ssh/id_dropbear so reuse it.
1896443 to 72412d0
The dbclient has flags that have equivalent opts:
  -b to -o BindAddress
  -i to -o IdentityFile
  -A to -o ForwardAgent
  -g to -o GatewayPorts
  -K to -o ServerAliveInterval
  -J to -o ProxyCommand
Note: in the OpenSSH "-K Enables GSSAPI‐based authentication". For interoperability use the -o ServerAliveInterval.
Note: in the OpenSSH the -J is the same as -o ProxyJump. For interoperability use the -o ProxyCommand.
The BatchMode is the same as PasswordAuthentication=no but it has more priority. So you can't re-enable the PasswordAuthentication like in:
  dbclient -v -o BatchMode=yes -o PasswordAuthentication=yes example.com
It also disables the interactive confirmation when a host key changed.
Close mkj#224
72412d0 to cad0484
Tested.
The behavior of
Right, so the dbclient should also store the hostkey to known_hosts without confirming.
Thanks, this has been requested a bit. I still need to review the code. One thing I notice,
will add a fix in a minute
If the DROPBEAR_PASSWORD is set then use a password from it instead of asking for a user. In the BatchMode this keeps working
I moved the batch mode checking before the
Updated man page with new options
For multihop support you need to change multihop_passthrough_args() in cli-runopts.c and pass the -o values.
The options shouldn't be applied to jump servers. Or maybe the dropbear supports this? If you know how to make it please send a PR once this becomes merged.
Maybe not, but I see -y -y being passed when using multihop in function
I just checked and removed the -y -y in that function and when I do a multihop now, it asks for confirmation because the hostkey is not in the trusted host file.
I tested how the PasswordAuth and BatchMode work with keyboard interactive auth. No issues with this. The BatchMode=yes won't get stuck in interactive auth but it will try it and fail only when the interactive asks for a user input. This is even better behavior than the OpenSSH client has. When the PasswordAuth=no it will get stuck in the interactive mode and wait for a user input. I made a simple SSH server in Golang to test this. If you'll need it I'll share.
Added a pull request for -o BatchMode=yes and also passed it when multihop was selected.
@HansH111 make an archive and send to me at [email protected]. You can't add commits to someone else's PR
Only the m_strdup(proxycmd) changes execution, the rest are just for better const correctness.
Keyboard-interactive is treated as an equivalent of password auth
Entries will not be automatically added to known_hosts
"ask" is added, the same behaviour as default.
Thank you, I'll retest today.
Fixes #226
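The option semantics stated in the commit messages above (StrictHostKeyChecking values and their -y equivalents, and BatchMode taking priority over PasswordAuthentication), as an added example that is not Dropbear's code. The type and function names are hypothetical, and rejecting values the thread does not name is an assumption of this sketch.

```c
#include <string.h>
#include <strings.h>
/* Hypothetical model of the settings discussed in this thread (not Dropbear code). */
enum hostkey_mode { HK_ASK, HK_ACCEPT_NEW, HK_NO };  /* "ask" is the default */
struct cli_opts { enum hostkey_mode hostkey; int batch_mode; int password_auth; };

static int key_is(const char *arg, size_t klen, const char *name) {
    return klen == strlen(name) && strncasecmp(arg, name, klen) == 0;
}
static int parse_yesno(const char *v, int *out) {
    if (strcasecmp(v, "yes") == 0) { *out = 1; return 0; }
    if (strcasecmp(v, "no") == 0) { *out = 0; return 0; }
    return -1;
}

/* Apply one "Key=Value" argument of -o; -1 means unknown key or value. */
static int apply_option(struct cli_opts *o, const char *arg) {
    const char *eq = strchr(arg, '=');
    if (eq == NULL) return -1;
    size_t klen = (size_t)(eq - arg);
    const char *val = eq + 1;
    if (key_is(arg, klen, "BatchMode")) return parse_yesno(val, &o->batch_mode);
    if (key_is(arg, klen, "PasswordAuthentication")) return parse_yesno(val, &o->password_auth);
    if (!key_is(arg, klen, "StrictHostKeyChecking")) return -1;
    if (strcasecmp(val, "ask") == 0) o->hostkey = HK_ASK;
    else if (strcasecmp(val, "accept-new") == 0) o->hostkey = HK_ACCEPT_NEW;  /* like -y */
    else if (strcasecmp(val, "no") == 0) o->hostkey = HK_NO;                  /* like -y -y */
    else return -1;  /* assumption: values not named in the thread are refused */
    return 0;
}

/* Parse n option strings starting from the defaults; *bad counts rejected ones. */
struct cli_opts parse_opts(const char *const args[], int n, int *bad) {
    struct cli_opts o = { HK_ASK, 0, 1 };
    *bad = 0;
    for (int i = 0; i < n; i++)
        if (apply_option(&o, args[i]) != 0) (*bad)++;
    return o;
}

/* BatchMode wins regardless of the order in which the options were given. */
int password_prompt_allowed(const struct cli_opts *o) { return o->password_auth && !o->batch_mode; }
/* BatchMode also disables the interactive host-key confirmation. */
int hostkey_prompt_allowed(const struct cli_opts *o) { return o->hostkey == HK_ASK && !o->batch_mode; }

int main(void) {  /* the option pair from the command line quoted in the thread */
    const char *const args[] = { "BatchMode=yes", "PasswordAuthentication=yes" };
    int bad;
    struct cli_opts o = parse_opts(args, 2, &bad);
    return (bad == 0 && !password_prompt_allowed(&o)) ? 0 : 1;
}
```

For unattended scripts the useful property is that the result does not depend on option order, so a later PasswordAuthentication=yes cannot bring a prompt back.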