Class OpenSshServerKeyDatabase

  • All Implemented Interfaces:
    ServerKeyDatabase

    public class OpenSshServerKeyDatabase
    extends java.lang.Object
    implements ServerKeyDatabase
    A server host key verifier that honors the StrictHostKeyChecking and UserKnownHostsFile values from the ssh configuration.

    The verifier can be given default known_hosts files in the constructor, which will be used if the ssh config does not specify a UserKnownHostsFile. If the ssh config does set UserKnownHostsFile, the verifier uses the given files in the order given. Non-existing or unreadable files are ignored.

    StrictHostKeyChecking accepts the following values:

    • ask: Ask the user whether new or changed keys shall be accepted and added to the known_hosts file.
    • yes/true: Accept only keys listed in the known_hosts file.
    • no/false: Silently accept all new or changed keys, and add new keys to the known_hosts file.
    • accept-new: Silently accept keys for new hosts and add them to the known_hosts file.

    If StrictHostKeyChecking is not set, or set to any other value, the default value ask is active.

    This implementation relies on the ClientSession being a JGitClientSession. By default Apache MINA sshd does not forward the config file host entry to the session, so it would be unknown here which entry it was and what setting of StrictHostKeyChecking should be used. If used with some other session type, the implementation assumes "ask".

    Asking the user is done via a CredentialsProvider obtained from the session. If none is set, the implementation falls back to strict host key checking ("yes").

    Note that adding a key to the known hosts file may create the file. You can specify in the constructor whether the user shall be asked about that, too. If the user declines updating the file, but the key was otherwise accepted (user confirmed for "ask", or "no" or "accept-new" are active), the key is accepted for this session only.

    If several known hosts files are specified, a new key is always added to the first file (even if it doesn't exist yet; see the note about file creation above).
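The acceptance rules above, written out as a small Python model (added here; it is not JGit code and does not use the JGit API). `KnownHostsFile` is a constructed in-memory stand-in for a known_hosts file, `ask_user` and `ask_create` stand in for the CredentialsProvider prompt and the askAboutNewFile prompt, and a changed key under accept-new is rejected as in OpenSSH, which the text above implies but does not state.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Prompt = Callable[[str], bool]  # stands in for a yes/no CredentialsProvider interaction


@dataclass
class KnownHostsFile:
    """Constructed in-memory stand-in for one known_hosts file (host -> recorded keys)."""
    exists: bool = True
    entries: Dict[str, List[str]] = field(default_factory=dict)


def normalize_policy(value: Optional[str]) -> str:
    """Reduce the ssh_config value to one of four policies; anything else means 'ask'."""
    v = (value or "").strip().lower()
    if v in ("yes", "true"):
        return "yes"
    if v in ("no", "false"):
        return "no"
    return "accept-new" if v == "accept-new" else "ask"


def accept(host: str, key: str, store: KnownHostsFile, strict: Optional[str],
           ask_user: Optional[Prompt] = None, ask_create: Optional[Prompt] = None) -> bool:
    """Decide whether to accept `key` for `host`, updating `store` as the policy allows."""
    recorded = store.entries.get(host, [])
    if key in recorded:
        return True                      # listed in known_hosts: always accepted
    status = "new" if not recorded else "changed"
    # no CredentialsProvider: nobody can be asked, so fall back to strict checking ("yes")
    policy = normalize_policy(strict) if ask_user is not None else "yes"
    if policy == "yes":
        return False                     # only listed keys are accepted
    if policy == "accept-new" and status == "changed":
        return False                     # silently accept keys of *new* hosts only (assumed, as in OpenSSH)
    if policy == "ask" and not ask_user(f"{status} key {key} for {host}, accept?"):
        return False
    if policy == "no" and status == "changed":
        return True                      # accepted, but only new keys get written
    # record the key; when the file would have to be created and the user declines,
    # the key is still accepted, for this session only
    if not store.exists and ask_create is not None and not ask_create(host):
        return True
    store.exists = True
    store.entries[host] = [key]          # new host: add a line; changed and confirmed: update it
    return True
```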

    See Also:
    man ssh-config
    • Constructor Detail

      • OpenSshServerKeyDatabase

        public OpenSshServerKeyDatabase(boolean askAboutNewFile,
                                        java.util.List<java.nio.file.Path> defaultFiles)
        Parameters:
        askAboutNewFile - whether to ask the user, if possible, about creating a new non-existing known_hosts file
        defaultFiles - typically ~/.ssh/known_hosts and ~/.ssh/known_hosts2. May be empty or null, in which case no default files are installed. The files need not exist.
    • Method Detail

      • lookup

        public java.util.List<java.security.PublicKey> lookup(@NonNull java.lang.String connectAddress,
                                                              @NonNull java.net.InetSocketAddress remoteAddress,
                                                              @NonNull ServerKeyDatabase.Configuration config)
        Description copied from interface: ServerKeyDatabase
        Retrieves all known host keys for the given addresses.
        Specified by:
        lookup in interface ServerKeyDatabase
        Parameters:
        connectAddress - IP address the session tried to connect to
        remoteAddress - IP address as reported for the remote end point
        config - giving access to potentially interesting configuration settings
        Returns:
        the list of known keys for the given addresses
      • accept

        public boolean accept(@NonNull java.lang.String connectAddress,
                              @NonNull java.net.InetSocketAddress remoteAddress,
                              @NonNull java.security.PublicKey serverKey,
                              @NonNull ServerKeyDatabase.Configuration config,
                              CredentialsProvider provider)
        Description copied from interface: ServerKeyDatabase
        Determines whether to accept a received server host key.
        Specified by:
        accept in interface ServerKeyDatabase
        Parameters:
        connectAddress - IP address the session tried to connect to
        remoteAddress - IP address as reported for the remote end point
        serverKey - received from the remote end
        config - giving access to potentially interesting configuration settings
        provider - for interacting with the user, if required; may be null
        Returns:
        true if the serverKey is accepted, false otherwise
      • find

        private boolean find(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates,
                             java.security.PublicKey serverKey,
                             java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> entries,
                             org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair[] modified)
                      throws OpenSshServerKeyDatabase.RevokedKeyException
        Throws:
        OpenSshServerKeyDatabase.RevokedKeyException
      • updateKnownHostsFile

        private void updateKnownHostsFile(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> candidates,
                                          java.security.PublicKey serverKey,
                                          java.nio.file.Path path,
                                          ServerKeyDatabase.Configuration config)
                                   throws java.lang.Exception
        Throws:
        java.lang.Exception
      • updateModifiedServerKey

        private void updateModifiedServerKey(java.security.PublicKey serverKey,
                                             org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair entry,
                                             java.nio.file.Path path)
                                      throws java.io.IOException
        Throws:
        java.io.IOException
      • parsePort

        private int parsePort(java.lang.String s)
      • toSshdSocketAddress

        private org.apache.sshd.common.util.net.SshdSocketAddress toSshdSocketAddress(@NonNull java.lang.String address)
      • getCandidates

        private java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> getCandidates(@NonNull java.lang.String connectAddress,
                                                                                                      @NonNull java.net.InetSocketAddress remoteAddress)
      • createHostKeyLine

        private java.lang.String createHostKeyLine(java.util.Collection<org.apache.sshd.common.util.net.SshdSocketAddress> patterns,
                                                   java.security.PublicKey key,
                                                   ServerKeyDatabase.Configuration config)
                                            throws java.lang.Exception
        Throws:
        java.lang.Exception
      • updateHostKeyLine

        private java.lang.String updateHostKeyLine(java.lang.String line,
                                                   java.security.PublicKey newKey)
                                            throws java.io.IOException
        Throws:
        java.io.IOException