dbclient: support -o StrictHostKeyChecking #269
Conversation
stokito
force-pushed
the
dbclient-StrictHostKeyChecking
branch
from
8fad255
to
4b4c9d3
Compare
|
I added other options that already have a flag. This will make interoperability with OpenSSH better because -K -J flags have a different meaning. So with the options we can help to write scripts that will work similarly. |
stokito
force-pushed
the
dbclient-StrictHostKeyChecking
branch
from
4b4c9d3
to
ea40869
Compare
dbclient -y is -o StrictHostKeyChecking=accept-new dbclient -y -y is -o StrictHostKeyChecking=no
When executing:
$ dbclient -i ~/id_rsa
then shell expands path to /home/user/id_rsa.
But when the key path is quoted or executed without a shell then this not happens:
$ dbclient -i '~/id_rsa'
Failed loading keyfile '~/id_rsa'
We already have a home dir expanding used for ~/.ssh/id_dropbear so reuse it.
stokito
force-pushed
the
dbclient-StrictHostKeyChecking
branch
2 times, most recently
from
1896443
to
72412d0
Compare
The dbclient has flags that have equivalent opts: -b to -o BindAddress -i to -o IdentityFile -A to -o ForwardAgent -g to -o GatewayPorts -K to -o ServerAliveInterval -J to -o ProxyCommand Note: in the OpenSSH "-K Enables GSSAPI‐based authentication". For interoperability use the -o ServerAliveInterval. Note: in the OpenSSH the -J is same a -o ProxyJump. For interoperability use the -o ProxyCommand.
The BatchMode same as PasswordAuthentication=no but it has more priority.
So you can't re-enable the PasswordAuthentication like in:
dbclient -v -o BatchMode=yes -o PasswordAuthentication=yes example.com
It also disables the interactive confirmation when a host key changed.
Close mkj#224
stokito
force-pushed
the
dbclient-StrictHostKeyChecking
branch
from
72412d0
to
cad0484
Compare
|
Tested.
The behavior of |
|
Right, so the dbclient should also store the hostkey to known_hosts without confirming. |
|
Thanks, this has been requested a bit. I still need to review the code. One thing I notice, |
|
will add a fix in a minute |
If the DROPBEAR_PASSWORD is set then use a password from it instead of asking for a user. In the BatchMode this keeps working
|
I moved the batch mode cheking before the |
|
Updated man page with new options |
|
For multihop support you need to change multihop_passthrough_args() in cli-runopts.c and pass the -o values. |
|
The options shouldn't be applied to jump servers. Or maybe the dropbear supports this? If you know how to make it please send a PR once this become merged. |
|
Maybe not, but I see -y -y being passed when using multihop in function |
|
I just checked and removed the -y -y in that function and when I do a multihop now, it asks for confirmation because the hostkey is not in the trusted host file. |
|
I tested how the PasswordAuth and BatchMode works with keyboard interactive auth. No issues with this. The BatchMode=yes won't stuck in interactive auth but it will try it and fail only when the interactive asks for a user input. This is even better behavior that OpenSSH client have. When the PasswordAuth=no it will stuck in the interactive mode and wait for a user input. I made a simple SSH server in Golang to test this. If you'll need it I'll share. |
|
Added a pull request for -o BatchMode=yes and also passed it when multihop was selected. |
|
@HansH111 make an archive and send to me at [email protected]. You can't add commits to another one's PR |
Only the m_strdup(proxycmd) changes execution, the rest are just for better const correctness.
Keyboard-interactive is treated as an equivalent of password auth
Entries will not be automatically added to known_hosts "ask" is added, the same behaviour as default.
|
Thank you, I'll retest today. |
Fixes #226