public class OpenSshServerKeyVerifier extends java.lang.Object implements org.apache.sshd.client.keyverifier.ServerKeyVerifier, ServerKeyLookup

StrictHostKeyChecking and UserKnownHostsFile values from the ssh configuration.

The verifier can be given default known_hosts files in the constructor, which will be used if the ssh config does not specify a UserKnownHostsFile. If the ssh config does set UserKnownHostsFile, the verifier uses the given files in the order given. Non-existing or unreadable files are ignored.

StrictHostKeyChecking accepts the following values:

If StrictHostKeyChecking is not set, or set to any other value, the default value ask is active.

This implementation relies on the ClientSession being a JGitClientSession. By default Apache MINA sshd does not forward the config file host entry to the session, so it would be unknown here which entry it was and what setting of StrictHostKeyChecking should be used. If used with some other session type, the implementation assumes "ask".

Asking the user is done via a CredentialsProvider obtained from the session. If none is set, the implementation falls back to strict host key checking ("yes").

Note that adding a key to the known hosts file may create the file. You can specify in the constructor whether the user shall be asked about that, too. If the user declines updating the file, but the key was otherwise accepted (user confirmed for "ask", or "no" or "accept-new" are active), the key is accepted for this session only.

If several known hosts files are specified, a new key is always added to the first file (even if it doesn't exist yet; see the note about file creation above).
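The acceptance rules described above (policy resolution, the fallback to "yes" without a CredentialsProvider, rejection of revoked entries, and the "session only" outcome when the user declines creating the first known_hosts file) as an added Python model; this is not JGit's code, and the function names, the `lookup` states and the file records are constructed for the example:

```python
# Added illustration (not JGit's code): Python model of the host-key decision
# rules documented for OpenSshServerKeyVerifier; names are constructed here.
from dataclasses import dataclass
from typing import Callable, List, Optional

VALID = ("yes", "no", "ask", "accept-new")

def effective_policy(config_value: Optional[str], jgit_session: bool,
                     has_provider: bool) -> str:
    """Resolve the StrictHostKeyChecking value the verifier actually applies."""
    # A non-JGitClientSession carries no host entry, so the verifier assumes "ask".
    policy = (config_value or "").strip().lower() if jgit_session else "ask"
    if policy not in VALID:
        policy = "ask"          # unset or unrecognised value -> default "ask"
    if policy == "ask" and not has_provider:
        policy = "yes"          # no CredentialsProvider to ask -> strict ("yes")
    return policy

@dataclass
class Decision:
    accepted: bool
    stored_in: Optional[str]    # file the new key was added to, None if not stored

def verify(policy: str, lookup: str, files: List[dict], ask: Callable[[str], bool],
           ask_about_new_file: bool) -> Decision:
    """lookup is 'match', 'unknown' or 'revoked' (a line carrying MARKER_REVOKED)."""
    if lookup == "revoked":
        return Decision(False, None)        # revoked entries are never accepted
    if lookup == "match":
        return Decision(True, None)         # known key: nothing to write
    # Unknown host key from here on.
    if policy == "yes":
        return Decision(False, None)        # strict: unknown hosts are rejected
    if policy == "ask" and not ask("Accept unknown host key?"):
        return Decision(False, None)
    # "no", "accept-new" or a confirmed "ask": accept, then persist the key in
    # the first known_hosts file, which may have to be created first.
    if not files:
        return Decision(True, None)
    first = files[0]
    if not first["exists"] and ask_about_new_file and not ask(
            "Create " + first["path"] + "?"):
        return Decision(True, None)         # declined: key valid for this session only
    first["exists"] = True                  # the write creates the file
    return Decision(True, first["path"])
```

Modified (changed) host keys are deliberately left out of the model because this page does not document how the verifier handles them.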
Modifier and Type | Class and Description |
---|---|
private static class | OpenSshServerKeyVerifier.AskUser |
private static class | OpenSshServerKeyVerifier.HostKeyFile |
private static class | OpenSshServerKeyVerifier.HostKeyHelper |
private static class | OpenSshServerKeyVerifier.ModifiedKeyHandling |
private static class | OpenSshServerKeyVerifier.RevokedKeyException |

Modifier and Type | Field and Description |
---|---|
private boolean | askAboutNewFile |
private java.util.List<OpenSshServerKeyVerifier.HostKeyFile> | defaultFiles |
private java.util.Map<java.nio.file.Path,OpenSshServerKeyVerifier.HostKeyFile> | knownHostsFiles |
private static org.slf4j.Logger | LOG |
private static java.lang.String | MARKER_REVOKED: Can be used to mark revoked known host lines. |

Constructor and Description |
---|
OpenSshServerKeyVerifier(boolean askAboutNewFile, java.util.List<java.nio.file.Path> defaultFiles): Creates a new OpenSshServerKeyVerifier. |
Modifier and Type | Method and Description |
---|---|
private java.util.List<OpenSshServerKeyVerifier.HostKeyFile> | addUserHostKeyFiles(java.util.List<java.lang.String> fileNames) |
private static boolean | askUser(CredentialsProvider provider, URIish uri, java.lang.String prompt, java.lang.String... messages) |
private boolean | find(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> entries, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair[] modified, OpenSshServerKeyVerifier.HostKeyHelper helper) |
private static CredentialsProvider | getCredentialsProvider(org.apache.sshd.client.session.ClientSession session) |
private java.util.List<OpenSshServerKeyVerifier.HostKeyFile> | getFilesToUse(org.apache.sshd.client.session.ClientSession session) |
java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> | lookup(org.apache.sshd.client.session.ClientSession session, java.net.SocketAddress remote): Retrieves all entries for a given remote address. |
private void | updateKnownHostsFile(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, java.nio.file.Path path, OpenSshServerKeyVerifier.HostKeyHelper updater) |
private void | updateModifiedServerKey(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair entry, java.nio.file.Path path, OpenSshServerKeyVerifier.HostKeyHelper helper) |
boolean | verifyServerKey(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey) |
private static final org.slf4j.Logger LOG
private static final java.lang.String MARKER_REVOKED
private final boolean askAboutNewFile
private final java.util.Map<java.nio.file.Path,OpenSshServerKeyVerifier.HostKeyFile> knownHostsFiles
private final java.util.List<OpenSshServerKeyVerifier.HostKeyFile> defaultFiles
public OpenSshServerKeyVerifier(boolean askAboutNewFile, java.util.List<java.nio.file.Path> defaultFiles)
Creates a new OpenSshServerKeyVerifier.
Parameters:
askAboutNewFile - whether to ask the user, if possible, about creating a new non-existing known_hosts file
defaultFiles - typically ~/.ssh/known_hosts and ~/.ssh/known_hosts2. May be empty or null, in which case no default files are installed. The files need not exist.
private java.util.List<OpenSshServerKeyVerifier.HostKeyFile> getFilesToUse(org.apache.sshd.client.session.ClientSession session)
public java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> lookup(org.apache.sshd.client.session.ClientSession session, java.net.SocketAddress remote)
Retrieves all entries for a given remote address.
Specified by: lookup in interface ServerKeyLookup
Parameters:
session - needed to determine the config files if specified in the ssh config
remote - to find entries for
public boolean verifyServerKey(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey)
Specified by: verifyServerKey in interface org.apache.sshd.client.keyverifier.ServerKeyVerifier
private boolean find(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, java.util.List<org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair> entries, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair[] modified, OpenSshServerKeyVerifier.HostKeyHelper helper) throws OpenSshServerKeyVerifier.RevokedKeyException
private java.util.List<OpenSshServerKeyVerifier.HostKeyFile> addUserHostKeyFiles(java.util.List<java.lang.String> fileNames)
private void updateKnownHostsFile(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, java.nio.file.Path path, OpenSshServerKeyVerifier.HostKeyHelper updater) throws java.io.IOException
Throws: java.io.IOException
private void updateModifiedServerKey(org.apache.sshd.client.session.ClientSession clientSession, java.net.SocketAddress remoteAddress, java.security.PublicKey serverKey, org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair entry, java.nio.file.Path path, OpenSshServerKeyVerifier.HostKeyHelper helper) throws java.io.IOException
Throws: java.io.IOException
private static CredentialsProvider getCredentialsProvider(org.apache.sshd.client.session.ClientSession session)
private static boolean askUser(CredentialsProvider provider, URIish uri, java.lang.String prompt, java.lang.String... messages)