MightyMoud / sidekick

Bare metal to production ready in mins; your own fly server on your VPS.
https://www.sidekickdeploy.com
GNU General Public License v3.0
5.89k stars 95 forks

Document lack of host Key validation #2

Closed DanielleMaywood closed 1 month ago

DanielleMaywood commented 1 month ago

I noticed you do not perform host key validation. Maybe this should be made more obvious to users without having to dig through the source?

https://github.com/MightyMoud/sidekick/blob/b99b61bd61d11d34d35d76bf4fc6f3c49651bd80/utils/utils.go#L77-L80

MightyMoud commented 1 month ago

Yup fair point. I honestly didn't expect anyone to actually use this... Thanks for pointing that out. I'll address this soon.

lpil commented 1 month ago

Forgive me, I'm not familiar with this library. What is one expected to do in this callback?

DanielleMaywood commented 1 month ago

> Forgive me, I'm not familiar with this library. What is one expected to do in this callback?

So you're expected to check if the key matches what you expect by checking the .ssh/known_hosts file or some other source of truth.

You can use a library like https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts or https://pkg.go.dev/github.com/skeema/knownhosts for making that easier.
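The check described in the comment above, as an added example that is not part of the thread or of sidekick's code: it pins host keys from plain known_hosts lines using only the Go standard library, and a real client would call it from its `ssh.HostKeyCallback` with `key.Marshal()` or use one of the linked knownhosts packages instead. `ParseKnownHosts`, `CheckHostKey`, the error names and the sample host and keys are constructed for illustration; hashed hosts, wildcard patterns and `@cert-authority`/`@revoked` lines are not handled.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"strings"
)

var ErrUnknownHost = errors.New("host not in known_hosts")
var ErrKeyMismatch = errors.New("host key differs from known_hosts")

// ParseKnownHosts maps each host entry of plain "hosts keytype base64key" lines to its pinned keys.
func ParseKnownHosts(data string) map[string][]string {
	kh := map[string][]string{}
	for _, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.ContainsAny(f[0][:1], "#@|") {
			continue // comment, @marker or hashed-host line: skipped, so never trusted
		}
		for _, h := range strings.Split(f[0], ",") {
			kh[h] = append(kh[h], f[2])
		}
	}
	return kh
}

// CheckHostKey returns nil only if key (the bytes of ssh.PublicKey.Marshal) is
// pinned for addr, the "host:port" string a host key callback receives.
func CheckHostKey(kh map[string][]string, addr string, key []byte) error {
	host, port, err := net.SplitHostPort(addr) // on error host is "", which is never pinned
	if err == nil && port != "22" {
		host = "[" + host + "]:" + port // known_hosts form for non-default ports
	}
	got, result := base64.StdEncoding.EncodeToString(key), ErrUnknownHost
	for _, want := range kh[host] {
		if want == got {
			return nil
		}
		result = ErrKeyMismatch // host is known, but not with this key
	}
	return fmt.Errorf("%w: %s", result, addr)
}

func main() {
	key := []byte("constructed-key-A") // constructed sample bytes, not a real key
	kh := ParseKnownHosts("vps.example.test ssh-ed25519 " + base64.StdEncoding.EncodeToString(key))
	fmt.Println(CheckHostKey(kh, "vps.example.test:22", key))
	fmt.Println(CheckHostKey(kh, "vps.example.test:22", []byte("constructed-key-B")))
}
```

The two errors are kept distinct because an unknown host is a first-contact decision, while a mismatch on a known host means the server key changed and the connection should be refused.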

MightyMoud commented 1 month ago

You both are too kind! 🙂

I understand how critical this is now after some research. I'll open a PR tonight. I would be glad if you guys can review it to make sure I get this right.

Let me know if you're keen, I'll assign you then...

DanielleMaywood commented 1 month ago

I'm more than happy to check it over if you want another set of eyes.

MightyMoud commented 1 month ago

Here we go - https://github.com/MightyMoud/sidekick/pull/9

DanielleMaywood commented 1 month ago

Will get round to this later!

MightyMoud commented 1 month ago

No rush! Let's chat in the PR if you have any comments