Add sha256 support
gururajsh authored and a-b committed Nov 18, 2024
1 parent 9da49ab commit 079a06e
Showing 2 changed files with 32 additions and 3 deletions.
13 changes: 10 additions & 3 deletions util/clissh/ssh.go
@@ -5,6 +5,7 @@ import (
"crypto/sha1"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"io"
@@ -28,6 +29,7 @@ const (
md5FingerprintLength = 47 // inclusive of space between bytes
hexSha1FingerprintLength = 59 // inclusive of space between bytes
base64Sha256FingerprintLength = 43
sha256FingerprintLength = 64

DefaultKeepAliveInterval = 30 * time.Second
)
@@ -331,9 +333,12 @@ func (c *SecureShell) terminalType() string {
return term
}

func base64Sha256Fingerprint(key ssh.PublicKey) string {
func sha256Fingerprint(key ssh.PublicKey, encode bool) string {
sum := sha256.Sum256(key.Marshal())
return base64.RawStdEncoding.EncodeToString(sum[:])
if encode {
return base64.RawStdEncoding.EncodeToString(sum[:])
}
return hex.EncodeToString(sum[:])
}

func copyAndClose(wg *sync.WaitGroup, dest io.WriteCloser, src io.Reader) {
@@ -364,8 +369,10 @@ func fingerprintCallback(skipHostValidation bool, expectedFingerprint string) ss
var fingerprint string

switch len(expectedFingerprint) {
case sha256FingerprintLength:
fingerprint = sha256Fingerprint(key, false)
case base64Sha256FingerprintLength:
fingerprint = base64Sha256Fingerprint(key)
fingerprint = sha256Fingerprint(key, true)
case hexSha1FingerprintLength:
fingerprint = hexSha1Fingerprint(key)
case md5FingerprintLength:
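Review bot: The `encode bool` parameter of `sha256Fingerprint` does not say what it selects, since both branches encode the digest (unpadded base64 or hex), so the call sites `sha256Fingerprint(key, false)` and `sha256Fingerprint(key, true)` in `fingerprintCallback` cannot be read without opening the helper; a name such as `asBase64`, or two small helpers, together with a doc comment like `// sha256Fingerprint returns the SHA-256 digest of the marshalled host key, as unpadded base64 when asBase64 is true and as lowercase hex otherwise.` would make the host-key pinning logic easier to audit. `hex.EncodeToString` emits lowercase only, and the comparison against `expectedFingerprint` is outside the visible hunk: if it is an exact string match, a correct 64-character fingerprint supplied in uppercase is rejected (this fails closed, but the user sees a verification failure for a valid key), so either lowercase the expected value in the `case sha256FingerprintLength:` branch or state the required form next to the constant, e.g. `sha256FingerprintLength = 64 // lowercase hex, no separators`. The body of `fingerprintCallback` starts and ends outside the hunk.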
22 changes: 22 additions & 0 deletions util/clissh/ssh_test.go
@@ -253,6 +253,28 @@ var _ = Describe("CLI SSH", Serial, FlakeAttempts(9), func() {
})
})

Context("when the sha256 fingerprint matches", func() {
BeforeEach(func() {
sshEndpointFingerprint = "b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef"
})

It("does not return an error", func() {
Expect(callback("", addr, TestHostKey.PublicKey())).ToNot(HaveOccurred())
})
})

When("the SHA256 fingerprint does not match", func() {
BeforeEach(func() {
sshEndpointFingerprint = "0000000000000000000000000000000000000000000000000000000000000000"
})

It("returns an error'", func() {
err := callback("", addr, TestHostKey.PublicKey())
Expect(err).To(MatchError(MatchRegexp(`Host key verification failed\.`)))
Expect(err).To(MatchError(MatchRegexp("The fingerprint of the received key was \".*\"")))
})
})

When("the base64 SHA256 fingerprint does not match", func() {
BeforeEach(func() {
sshEndpointFingerprint = "0000000000000000000000000000000000000000000"
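Review bot: The new mismatch case for the hex SHA-256 form asserts only `The fingerprint of the received key was \".*\"`, which any string satisfies, so the test would still pass if the callback reported the received key in a different encoding from the one the operator configured. Assuming the message carries the digest in the same hex form, pinning it to the value the matching case already uses, `Expect(err).To(MatchError(ContainSubstring("b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef")))`, would check that the reported fingerprint can be compared directly with the configured one. Two smaller style points in the same block: `It("returns an error'", ...)` carries a stray apostrophe, and the positive case uses `Context("when the sha256 fingerprint matches", ...)` where the neighbouring cases use `When(...)`. The enclosing `Describe` block starts and ends outside the hunk.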