skeema / knownhosts

93%

main: 93%

Pull #10

github

host matching: handle wildcards with non-standard port

In OpenSSH, wildcard host pattern entries in a known_hosts file can match
hosts regardless of their port number. However, x/crypto/ssh/knownhosts does
not follow this behavior, instead requiring strict port equality; see bug
https://github.com/golang/go/issues/52056 for background.

This commit implements a workaround in skeema/knownhosts, which is enabled
when using the NewDB constructor. Conceptually, the workaround works like
this:

* At constructor time, when re-reading the known_hosts file (originally to
  look for @cert-authority lines), also look for lines that have wildcards
  in the host pattern and no port number specified. Track these lines in a
  new field of the HostKeyDB struct for later use.

* When a host key callback returns no matches (KeyError with empty Want slice)
  and the host had a nonstandard (non-22) port number, try the callback again,
  this time manipulating the host arg to be on port 22.

* If this second call returned nil error, that means the host key now matched
  a known_hosts entry on port 22, so consider the host as known.

* If this second call returned a KeyError with non-empty Want slice, filter
  down the resulting keys to only correspond to lines with known wildcards,
  using the preprocessed information from the first step. This ensures we
  aren't incorrectly returning non-wildcard entries among the Want slice.

The implementation for the latter 3 bullets gets embedded directly in the
host key callback returned by HostKeyDB.HostKeyCallback, by way of some
nested callback wrapping. This only happens if the first bullet actually
found at least one wildcard in the file.

49 of 51 new or added lines in 1 file covered. (96.08%)

223 of 239 relevant lines covered (93.31%)

20.41 hits per line