Class OpenSshServerKeyDatabase
- java.lang.Object
-
- org.eclipse.jgit.internal.transport.sshd.OpenSshServerKeyDatabase
-
- All Implemented Interfaces:
ServerKeyDatabase
public class OpenSshServerKeyDatabase extends java.lang.Object implements ServerKeyDatabase
A server host key verifier that honors the StrictHostKeyChecking and UserKnownHostsFile values from the ssh configuration.

The verifier can be given default known_hosts files in the constructor, which will be used if the ssh config does not specify a UserKnownHostsFile. If the ssh config does set UserKnownHostsFile, the verifier uses the given files in the order given. Non-existing or unreadable files are ignored.

StrictHostKeyChecking accepts the following values:
- ask
- Ask the user whether new or changed keys shall be accepted and be added to the known_hosts file.
- yes/true
- Accept only keys listed in the known_hosts file.
- no/false
- Silently accept all new or changed keys, add new keys to the known_hosts file.
- accept-new
- Silently accept keys for new hosts and add them to the known_hosts file.

If StrictHostKeyChecking is not set, or set to any other value, the default value ask is active. Note that "no" also accepts a changed key for an already known host without any warning, so a rotated host key and a man-in-the-middle presenting a different key are indistinguishable; "accept-new" only silently accepts keys for hosts that are not yet listed.

This implementation relies on the ClientSession being a JGitClientSession. By default Apache MINA sshd does not forward the config file host entry to the session, so it would be unknown here which entry it was and what setting of StrictHostKeyChecking should be used. If used with some other session type, the implementation assumes "ask".

Asking the user is done via a CredentialsProvider obtained from the session. If none is set, the implementation falls back to strict host key checking ("yes").

Note that adding a key to the known hosts file may create the file. You can specify in the constructor whether the user shall be asked about that, too. If the user declines updating the file, but the key was otherwise accepted (user confirmed for "ask", or "no" or "accept-new" are active), the key is accepted for this session only.

If several known hosts files are specified, a new key is always added to the first file (even if it doesn't exist yet; see the note about file creation above).
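The decision table above is easier to reason about when it is written out. The following is an added example, not JGit's code: it models the documented StrictHostKeyChecking semantics against a constructed known_hosts file (placeholder key blobs, not real keys). The HostKey, Asker, Strictness and Decision types, and the accept/parseKnownHosts functions, are assumptions made for this example; Asker stands in for the CredentialsProvider, and persistAllowed stands in for the user's answer to the "create/update known_hosts" question. The parser only handles plain host patterns and the @revoked marker (no wildcards, negation or hashed entries), and it follows the description in treating a changed key under accept-new as not accepted.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example modelling the host key policy described above (requires Java 16+). */
public class HostKeyPolicyDemo {

    /** The StrictHostKeyChecking values the verifier understands. */
    enum Strictness { ASK, YES, NO, ACCEPT_NEW }

    /** ACCEPT implies the key would also be written to known_hosts. */
    enum Decision { ACCEPT, ACCEPT_SESSION_ONLY, REJECT }

    /** One known_hosts entry after splitting comma-separated host patterns (assumed type). */
    record HostKey(String host, String keyType, String key, boolean revoked) {}

    /** Yes/no callback standing in for CredentialsProvider; null models "none set". */
    interface Asker { boolean confirm(String question); }

    /** Unset or unknown values fall back to "ask". */
    static Strictness parseStrictness(String value) {
        if (value == null) return Strictness.ASK;
        switch (value.trim().toLowerCase(Locale.ROOT)) {
            case "yes": case "true": return Strictness.YES;
            case "no": case "false": return Strictness.NO;
            case "accept-new": return Strictness.ACCEPT_NEW;
            default: return Strictness.ASK;
        }
    }

    /** Minimal known_hosts parser: "[@revoked] hosts keytype base64key [comment]". */
    static List<HostKey> parseKnownHosts(String content) {
        List<HostKey> out = new ArrayList<>();
        for (String raw : content.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            boolean revoked = false;
            if (line.startsWith("@revoked ")) {
                revoked = true;
                line = line.substring("@revoked ".length()).trim();
            } else if (line.startsWith("@")) {
                continue; // other markers (e.g. @cert-authority) are not modelled here
            }
            String[] f = line.split("\\s+");
            if (f.length < 3) continue; // malformed line: ignore rather than trust
            for (String host : f[0].split(",")) {
                out.add(new HostKey(host, f[1], f[2], revoked));
            }
        }
        return out;
    }

    /** Decide whether to trust (host, keyType, key) under the given policy. */
    static Decision accept(List<HostKey> known, String host, String keyType, String key,
            Strictness strictness, Asker asker, boolean persistAllowed) {
        boolean revoked = false, matched = false, changed = false;
        for (HostKey hk : known) {
            if (!hk.host().equals(host) || !hk.keyType().equals(keyType)) continue;
            if (hk.key().equals(key)) {
                if (hk.revoked()) revoked = true; else matched = true;
            } else if (!hk.revoked()) {
                changed = true; // host is known with a different key of this type
            }
        }
        if (revoked) return Decision.REJECT;  // a revoked key is never accepted
        if (matched) return Decision.ACCEPT;  // listed key: nothing to write
        if (strictness == Strictness.ASK && asker == null) {
            strictness = Strictness.YES;      // nobody to ask: behave as "yes"
        }
        boolean accepted;
        switch (strictness) {
            case YES: accepted = false; break;
            case NO: accepted = true; break;  // also accepts a CHANGED key: no MITM protection
            case ACCEPT_NEW: accepted = !changed; break;
            default:
                accepted = asker.confirm((changed ? "Host key CHANGED for " : "New host key for ")
                        + host + " (" + keyType + "). Accept?");
        }
        if (!accepted) return Decision.REJECT;
        // Key accepted, but the user may still have declined creating/updating the file.
        return persistAllowed ? Decision.ACCEPT : Decision.ACCEPT_SESSION_ONLY;
    }

    public static void main(String[] args) {
        // Constructed sample file; the key blobs are placeholders, not real keys.
        String knownHosts = String.join("\n",
                "# constructed sample",
                "git.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyA",
                "[git.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPlaceholderKeyB",
                "@revoked old.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyC");
        List<HostKey> known = parseKnownHosts(knownHosts);
        String keyA = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyA";
        String keyC = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyC";
        String rotated = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyZ";
        Asker alwaysYes = q -> true;

        // listed key under strict checking
        System.out.println(accept(known, "git.example.com", "ssh-ed25519", keyA, Strictness.YES, null, true));
        // unknown host: strict vs accept-new
        System.out.println(accept(known, "new.example.com", "ssh-ed25519", keyA, Strictness.YES, null, true));
        System.out.println(accept(known, "new.example.com", "ssh-ed25519", keyA, Strictness.ACCEPT_NEW, null, true));
        // changed key for a known host: accept-new vs no
        System.out.println(accept(known, "git.example.com", "ssh-ed25519", rotated, Strictness.ACCEPT_NEW, null, true));
        System.out.println(accept(known, "git.example.com", "ssh-ed25519", rotated, Strictness.NO, null, true));
        // "ask" with no provider, and "ask" where the user declines the file update
        System.out.println(accept(known, "new.example.com", "ssh-ed25519", keyA, parseStrictness(null), null, true));
        System.out.println(accept(known, "new.example.com", "ssh-ed25519", keyA, Strictness.ASK, alwaysYes, false));
        // revoked key is refused even under "no"
        System.out.println(accept(known, "old.example.com", "ssh-ed25519", keyC, Strictness.NO, null, true));
    }
}
```

Running the scenarios in main shows the two cases worth remembering: a changed key for a known host passes only under "no", and an "ask" policy with no CredentialsProvider behaves like "yes" and refuses anything not already listed.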
- See Also:
- man ssh-config
-
-
Nested Class Summary
Nested Classes
Modifier and Type    Class
private static class    OpenSshServerKeyDatabase.AskUser
private static class    OpenSshServerKeyDatabase.HostKeyFile
private static class    OpenSshServerKeyDatabase.RevokedKeyException
-
Nested classes/interfaces inherited from interface org.eclipse.jgit.transport.sshd.ServerKeyDatabase
ServerKeyDatabase.Configuration
-
-
Field Summary
Fields
Modifier and Type    Field    Description
private boolean    askAboutNewFile
private java.util.List<OpenSshServerKeyDatabase.HostKeyFile>    defaultFiles
private java.util.Map<java.nio.file.Path,OpenSshServerKeyDatabase.HostKeyFile>    knownHostsFiles
private static org.slf4j.Logger    LOG
private static java.lang.String    MARKER_REVOKED    Can be used to mark revoked known host lines.
private java.util.Random    prng
-
Constructor Summary
Constructors
Constructor    Description
OpenSshServerKeyDatabase(boolean askAboutNewFile, java.util.List<java.nio.file.Path> defaultFiles)    Creates a new OpenSshServerKeyDatabase.
-
Method Summary
All Methods  Instance Methods  Concrete Methods
Modifier and Type    Method    Description
boolean    accept(java.lang.String connectAddress, java.net.InetSocketAddress remoteAddress, java.security.PublicKey serverKey, ServerKeyDatabase.Configuration config, CredentialsProvider provider)    Determines whether to accept a received server host key.
private java.util.List<OpenSshServerKeyDatabase.HostKeyFile>    addUserHostKeyFiles(java.util.List<java.lang.String> fileNames)
private java.lang.String    createHostKeyLine(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> patterns, java.security.PublicKey key, ServerKeyDatabase.Configuration config)
private boolean    find(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates, java.security.PublicKey serverKey, java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> entries, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair[] modified)
private java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress>    getCandidates(java.lang.String connectAddress, java.net.InetSocketAddress remoteAddress)
private java.util.List<OpenSshServerKeyDatabase.HostKeyFile>    getFilesToUse(ServerKeyDatabase.Configuration config)
private boolean    isRevoked(org.apache.sshd.client.config.hosts.KnownHostEntry entry)
java.util.List<java.security.PublicKey>    lookup(java.lang.String connectAddress, java.net.InetSocketAddress remoteAddress, ServerKeyDatabase.Configuration config)    Retrieves all known and not revoked host keys for the given addresses.
private int    parsePort(java.lang.String s)
private org.apache.sshd.common.util.net.SshdSocketAddress    toSshdSocketAddress(java.lang.String address)
private java.lang.String    updateHostKeyLine(java.lang.String line, java.security.PublicKey newKey)
private void    updateKnownHostsFile(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates, java.security.PublicKey serverKey, java.nio.file.Path path, ServerKeyDatabase.Configuration config)
private void    updateModifiedServerKey(java.security.PublicKey serverKey, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair entry, java.nio.file.Path path)
-
-
-
Field Detail
-
LOG
private static final org.slf4j.Logger LOG
-
MARKER_REVOKED
private static final java.lang.String MARKER_REVOKED
Can be used to mark revoked known host lines.
- See Also:
- Constant Field Values
-
askAboutNewFile
private final boolean askAboutNewFile
-
knownHostsFiles
private final java.util.Map<java.nio.file.Path,OpenSshServerKeyDatabase.HostKeyFile> knownHostsFiles
-
defaultFiles
private final java.util.List<OpenSshServerKeyDatabase.HostKeyFile> defaultFiles
-
prng
private java.util.Random prng
-
-
Constructor Detail
-
OpenSshServerKeyDatabase
public OpenSshServerKeyDatabase(boolean askAboutNewFile, java.util.List<java.nio.file.Path> defaultFiles)
Creates a new OpenSshServerKeyDatabase.
- Parameters:
askAboutNewFile - whether to ask the user, if possible, about creating a new non-existing known_hosts file
defaultFiles - typically ~/.ssh/known_hosts and ~/.ssh/known_hosts2. May be empty or null, in which case no default files are installed. The files need not exist.
-
-
Method Detail
-
getFilesToUse
private java.util.List<OpenSshServerKeyDatabase.HostKeyFile> getFilesToUse(@NonNull ServerKeyDatabase.Configuration config)
-
lookup
public java.util.List<java.security.PublicKey> lookup(@NonNull java.lang.String connectAddress, @NonNull java.net.InetSocketAddress remoteAddress, @NonNull ServerKeyDatabase.Configuration config)
Description copied from interface: ServerKeyDatabase
Retrieves all known and not revoked host keys for the given addresses.
- Specified by:
lookup in interface ServerKeyDatabase
- Parameters:
connectAddress - IP address the session tried to connect to
remoteAddress - IP address as reported for the remote end point
config - giving access to potentially interesting configuration settings
- Returns:
- the list of known and not revoked keys for the given addresses
-
accept
public boolean accept(@NonNull java.lang.String connectAddress, @NonNull java.net.InetSocketAddress remoteAddress, @NonNull java.security.PublicKey serverKey, @NonNull ServerKeyDatabase.Configuration config, CredentialsProvider provider)
Description copied from interface: ServerKeyDatabase
Determines whether to accept a received server host key.
- Specified by:
accept in interface ServerKeyDatabase
- Parameters:
connectAddress - IP address the session tried to connect to
remoteAddress - IP address as reported for the remote end point
serverKey - received from the remote end
config - giving access to potentially interesting configuration settings
provider - for interacting with the user, if required; may be null
- Returns:
true if the serverKey is accepted, false otherwise
-
isRevoked
private boolean isRevoked(org.apache.sshd.client.config.hosts.KnownHostEntry entry)
-
find
private boolean find(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates, java.security.PublicKey serverKey, java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> entries, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair[] modified) throws OpenSshServerKeyDatabase.RevokedKeyException
-
addUserHostKeyFiles
private java.util.List<OpenSshServerKeyDatabase.HostKeyFile> addUserHostKeyFiles(java.util.List<java.lang.String> fileNames)
-
updateKnownHostsFile
private void updateKnownHostsFile(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates, java.security.PublicKey serverKey, java.nio.file.Path path, ServerKeyDatabase.Configuration config) throws java.lang.Exception
- Throws:
java.lang.Exception
-
updateModifiedServerKey
private void updateModifiedServerKey(java.security.PublicKey serverKey, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair entry, java.nio.file.Path path) throws java.io.IOException
- Throws:
java.io.IOException
-
parsePort
private int parsePort(java.lang.String s)
-
toSshdSocketAddress
private org.apache.sshd.common.util.net.SshdSocketAddress toSshdSocketAddress(@NonNull java.lang.String address)
-
getCandidates
private java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> getCandidates(@NonNull java.lang.String connectAddress, @NonNull java.net.InetSocketAddress remoteAddress)
-
createHostKeyLine
private java.lang.String createHostKeyLine(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> patterns, java.security.PublicKey key, ServerKeyDatabase.Configuration config) throws java.lang.Exception
- Throws:
java.lang.Exception
-
updateHostKeyLine
private java.lang.String updateHostKeyLine(java.lang.String line, java.security.PublicKey newKey) throws java.io.IOException
- Throws:
java.io.IOException
-
-