tweaselORG / appstraction

An abstraction layer for common instrumentation functions (e.g. installing and starting apps, setting preferences, etc.) on Android and iOS.
MIT License

SSH connection on iOS fails if the user never trusted the fingerprint #53

Closed baltpeter closed 1 year ago

baltpeter commented 1 year ago

If the user never manually connected to the iPhone via SSH and trusted its fingerprint, sshpass calls will not run:

❯ sshpass -p alpine ssh root@10.0.0.232 uname

If you instead use ssh directly, you get this:

The authenticity of host '[localhost]:22222 ([127.0.0.1]:22222)' can't be established.
ED25519 key fingerprint is SHA256:MgD/jNENZhLQwKPwSzFrzBg/zKBKJE/Pm6D96im7FQg.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

baltpeter commented 1 year ago

We can work around this with -o "StrictHostKeyChecking=no". While that doesn't sound ideal security-wise, I think it is a fair compromise:

With this option, the host key is added automatically to ~/.ssh/known_hosts on the first connection. But it still checks against that. So, if on a later connection, the host key doesn't match the one that was automatically served earlier, it will error.

And let's be honest, here. I certainly didn't verify the iPhones' host keys when I first connected to them, I just entered yes. :D

baltpeter commented 1 year ago

Wait, there is a problem with #43, though: When we use iproxy, we're not using the actual device IP and port anymore. Instead, we'll be connecting to localhost. And my idea was to use a random free port.

baltpeter commented 1 year ago

This problem is "solved" because NodeSSH doesn't do key checking by default anyway.
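
An added example, not code from this thread or from appstraction: one way to keep trust-on-first-use host key checking when the connection goes through iproxy on localhost with a random port, by pinning the key per device instead of per host:port. The names `makeHostVerifier`, `serializePins`, `loadPins` and `device-1` are hypothetical, and it assumes the function is passed as the `hostVerifier` connect option of ssh2, the library NodeSSH builds on.

```javascript
// Added example: trust-on-first-use (TOFU) pinning keyed by device, not host:port.
// Assumption: the returned function is given to ssh2 as the `hostVerifier` connect
// option (NodeSSH forwards its connect config to ssh2). Without `hostHash` it gets
// the raw host key as a Buffer; with `hostHash` set it gets a hex string.

// pins: Map of deviceId -> pinned key. deviceId: any stable per-device name,
// e.g. the UDID (hypothetical choice), so a changing iproxy port does not matter.
function makeHostVerifier(pins, deviceId, onEvent = () => {}) {
  return function hostVerifier(key) {
    const presented = Buffer.isBuffer(key) ? key.toString('base64') : String(key);
    const pinned = pins.get(deviceId);
    if (pinned === undefined) {
      pins.set(deviceId, presented); // first contact: record, like answering "yes"
      onEvent({ deviceId, result: 'pinned' });
      return true;
    }
    if (pinned === presented) {
      onEvent({ deviceId, result: 'match' });
      return true;
    }
    // Key changed since first contact: refuse and keep the old pin.
    onEvent({ deviceId, result: 'mismatch' });
    return false;
  };
}

// Persist pins between runs as JSON text (write it wherever the tool keeps state).
function serializePins(pins) {
  return JSON.stringify(Object.fromEntries(pins));
}
function loadPins(json) {
  return new Map(Object.entries(JSON.parse(json || '{}')));
}

// Constructed sample keys; real ones arrive from the SSH handshake.
function demo() {
  const keyA = Buffer.from('constructed-host-key-A');
  const keyB = Buffer.from('constructed-host-key-B');
  const events = [];
  const log = (e) => events.push(e.result);
  let pins = new Map();
  const first = makeHostVerifier(pins, 'device-1', log)(keyA);   // run 1, port X
  pins = loadPins(serializePins(pins));                          // next run
  const again = makeHostVerifier(pins, 'device-1', log)(keyA);   // run 2, port Y
  const swapped = makeHostVerifier(pins, 'device-1', log)(keyB); // different key
  return { first, again, swapped, events };
}
```

The verifier never looks at the host or port, so the same pin applies whichever local port iproxy forwards. A `mismatch` event is the case worth surfacing to the user rather than silently retrying.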