Open NattyNarwhal opened 3 years ago
abmusse
commented
3 years ago Describe alternatives you've considered The toolkit gets passed an object with state and handlers defined already, like the Python toolkit needs a Paramiko session object instead of making one for you.
PR #314 adds support for passing an existing odbc and idb-connector objects for those transports. Being able to pass in a ssh client object instead of creating one for the ssh transport makes sense too.
abmusse
commented
3 years ago Found some ssh2 connect config options that would help verify the host key and pass in an ssh agent. In theory this should work with the existing code just need pass this along these confis options on the Connection.transport options object. Still need to test these options out to confirm things are working properly.
hostHash - string - Any valid hash algorithm supported by node. The host's key is hashed using this
algorithm and passed to the hostVerifier function as a hex string. Default: (none)
hostVerifier - function - Function with parameters (hashedKey[, callback]) where hashedKey is a string
hex hash of the host's key for verification purposes. Return true to continue with the handshake or false
to reject and disconnect, or call callback() with true or false if you need to perform asynchronous
verification. Default: (auto-accept if hostVerifier is not set)
...
agent - string - Path to ssh-agent's UNIX socket for ssh-agent-based user authentication.
Windows users: set to 'pageant' for authenticating with Pageant or (actual) path to a cygwin
"UNIX socket." Default: (none)
agentForward - boolean - Set to true to use OpenSSH agent forwarding (auth-agent@openssh.com)
for the life of the connection. agent must also be set to use this feature. Default: false
github-actions[bot]
commented
3 years ago :wave: Hi! This issue has been marked stale due to inactivity. If no further activity occurs, it will automatically be closed.
abmusse
commented
3 years ago Example of host fingerprint verification:
https://github.com/mscdex/ssh2/issues/985#issuecomment-806266569 https://github.com/mscdex/ssh2/issues/985#issuecomment-809583839
We could add some wrappers in this lib to make it easier user just passes in the public key (base64) and we can setup the required configuration.
Is your feature request related to a problem? Please describe. The SSH transport doesn't check fingerprints and other non-trivial SSH use cases.
Describe the solution you'd like The toolkit should support other use cases (validate fingerprints, keys, agents, etc.) for security. Being able to trust a fingerprint would make attackers' lives harder, for instance.
Describe alternatives you've considered The toolkit gets passed an object with state and handlers defined already, like the Python toolkit needs a Paramiko session object instead of making one for you.
Additional context I'm developing the SSH feature for the PHP toolkit, so it would be wise to have both parity and security features be consistent.