Lack of SFTP (SSH) Host Key Verification

[JunaidLoonat]

Connections to SFTP external storage were made without verifying the remote host's SSH host key.

This behaviour did not appear to be documented anywhere so that users may factor it into their decision to use the External Storage application for remote SFTP resources. This is important since a change of the remote host's SSH host key may indicate that a man-in-the-middle attack is in progress.

From the application logic, host key checking would only be performed if a "_sshhostKeys" file exists for the given user. However, this file was not created by default. Furthermore, the method "writeHostKeys()" would only update the list of SSH host keys if the user's "_sshhostKeys" file already existed.

To conclude, the verification logic does already exist within the current Nextcloud code base but is not used by default. I do recognise that the reason for this is because of the associated functionality that is presently missing such as the user's ability to manage their own "_sshhostKeys" file.

Steps to reproduce

1. On Nextcloud, create a SFTP external storage as normal
2. Through Nextcloud, access the files stored on the remote SFTP storage
3. On the remote SSH host, change the SSH host key and restart the SSH service
4. Through Nextcloud, once again access the files stored on the remote SFTP storage

Expected behaviour

The Nextcloud instance should alert the user with an error message stating "Host public key does not match known key". It should be noted that this message does actually appear if the user's "_sshHostKeys" file exists and contains a host key that differs the remote host's current one (i.e. verification has failed).

Actual behaviour

The Nextcloud instance permits the user to access the remote SFTP storage without any indication that the remote host's SSH host key has been changed.

Server configuration

Operating system: Ubuntu GNU/Linux 18.04.1 LTS

Web server: Apache 2.4.29-1ubuntu4.5

Database: MariaDB 10.1.34-0ubuntu0.18.04.1

PHP version: 7.2+60ubuntu1

Nextcloud version: 15.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Fresh

Where did you install Nextcloud from: Official website archive

Signing status:

Signing status

No errors have been found.

Are you using external storage, if yes which one: SFTP

Are you using encryption: No

Are you using an external user-backend, if yes which one: No

[szaimen]

I'm closing this issue due to inactivity. If this is still happening please make sure to upgrade to the latest version. After that, feel free to reopen.

[danxuliu]

This is still valid.

A few more details:

• In background jobs or CLI commands there is no logged in user. Therefore the user id to get the path to the ssh_hostKeys should be got in a different way, probably using one of the base methods of the storage, like getOwner('').
• For SFTP storages set up by admins it might be better to store the keys in {DATA_DIRECTORY}/files_external/ssh_hostKeys rather than {DATA_DIRECTORY}/{USER_ID}/files_external/ssh_hostKeys; for those storages it would make more sense if only admins were able to manage the keys.
• If a ssh_hostKeys is created, the SSH keys are checked and they do not match the exception is, in most cases, silently swallowed; the issue is not explicitly logged before throwing the exception, and the exception is just ignored without logging in most methods calling getConnection() (see, for example, stat)