authorLars Wirzenius <liw@liw.fi>2013-10-20 12:17:16 +0100
committerLars Wirzenius <liw@liw.fi>2013-10-20 12:17:16 +0100
commit59aecac9c07abb452d5b8b6078a91e960ee18319 (patch)
treed2b6f8dbc23607e4ea0b31f99f4701aa06549e68
parent8ed777e3abaa62b129b678a02d4c8d82ae2f4c5b (diff)
downloadobnam-59aecac9c07abb452d5b8b6078a91e960ee18319.tar.gz
Add new, better ssh host key checking option
Patch by Itamar Turner-Trauring, with changes to test-sftpfs by me.
-rw-r--r--obnamlib/plugins/sftp_plugin.py32
-rwxr-xr-xtest-sftpfs2
2 files changed, 26 insertions, 8 deletions
diff --git a/obnamlib/plugins/sftp_plugin.py b/obnamlib/plugins/sftp_plugin.py
index f185b05e..5e559049 100644
--- a/obnamlib/plugins/sftp_plugin.py
+++ b/obnamlib/plugins/sftp_plugin.py
@@ -113,6 +113,9 @@ class SftpFS(obnamlib.VirtualFileSystem):
self._roundtrips = 0
self._initial_dir = None
self.reinit(baseurl, create=create)
+ # Backwards compatibility with old, deprecated option:
+ if settings and settings['strict-ssh-host-keys']:
+ settings["ssh-host-keys-check"] = "yes"
def _delay(self):
self._roundtrips += 1
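Review bot: The compatibility mapping added at the end of the constructor runs after `self.reinit(baseurl, create=create)` and rewrites the caller's `settings` object in place without telling the user. `reinit` is not visible here; if it or anything it calls consults `ssh-host-keys-check`, a user who still passes the deprecated strict option would get non-strict behaviour for that call, so I would move the three added lines above the `reinit` call. I would also make the mapping visible to operators, e.g. `logging.warning('strict-ssh-host-keys is deprecated; treating it as ssh-host-keys-check=yes')`. The constructor starts above the hunk.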
@@ -165,8 +168,10 @@ class SftpFS(obnamlib.VirtualFileSystem):
args += ['-l', self.user]
if self.settings and self.settings['ssh-key']:
args += ['-i', self.settings['ssh-key']]
- if self.settings and self.settings['strict-ssh-host-keys']:
- args += ['-o', 'StrictHostKeyChecking=yes']
+ if (self.settings and
+ self.settings['ssh-host-keys-check'] != "ssh-config"):
+ value = self.settings['ssh-host-keys-check']
+ args += ['-o', 'StrictHostKeyChecking=%s' % (value,)]
if self.settings and self.settings['ssh-known-hosts']:
args += ['-o',
'UserKnownHostsFile=%s' %
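Review bot: `value` in the added `StrictHostKeyChecking=%s` line is taken from settings and handed to the ssh client without being checked against the allowed set. The `choice` definition later in this commit restricts the command-line option, but `SftpFS` also accepts a plain dict (test-sftpfs does this), so a typo or unexpected string becomes an arbitrary `-o` value. A guard before building the argument, such as `if value not in ('yes', 'no', 'ask'): raise obnamlib.Error('Bad ssh-host-keys-check value %s' % value)`, keeps this security-relevant option to known values. The enclosing method starts and ends outside the hunk.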
@@ -220,7 +225,7 @@ class SftpFS(obnamlib.VirtualFileSystem):
known_keys = known_hosts.lookup(hostname)
if known_keys is None:
- if self.settings['strict-ssh-host-keys']:
+ if self.settings['ssh-host-keys-check'] == 'yes':
raise obnamlib.Error('No known host key for %s' % hostname)
logging.warning('No known host keys for %s; accepting offered key'
% hostname)
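Review bot: Only the literal value 'yes' rejects an unknown host key here, so 'ask' and the default 'ssh-config' fall through to the `logging.warning(...)` branch and accept the offered key exactly as 'no' does. The help text added in this commit says 'ask' prompts the user, which this check does not do; the same comparison in the next hunk (unknown key type) has the same gap. This looks like a host key check done in Python rather than by the ssh client, so there may be no ssh configuration to defer to on this path. If prompting cannot be implemented here, failing closed with `if self.settings['ssh-host-keys-check'] in ('yes', 'ask'):` and documenting what 'ssh-config' means on this path would avoid silently trusting a new key. The function starts and ends outside the hunk.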
@@ -228,7 +233,7 @@ class SftpFS(obnamlib.VirtualFileSystem):
offered_type = offered_key.get_name()
if not known_keys.has_key(offered_type):
- if self.settings['strict-ssh-host-keys']:
+ if self.settings['ssh-host-keys-check'] == 'yes':
raise obnamlib.Error('No known type %s host key for %s' %
(offered_type, hostname))
logging.warning('No known host key of type %s for %s; accepting '
@@ -614,10 +619,21 @@ class SftpPlugin(obnamlib.ObnamPlugin):
group=ssh_group)
self.app.settings.boolean(['strict-ssh-host-keys'],
- 'require that the ssh host key must be '
- 'known and correct to be accepted; '
- 'default is to accept unknown keys',
- group=ssh_group)
+ 'DEPRECATED, use --ssh-host-keys-check '
+ 'instead',
+ group=ssh_group)
+
+ self.app.settings.choice(['ssh-host-keys-check'],
+ ['ssh-config', 'yes', 'no', 'ask'],
+ 'If "yes", require that the ssh host key must '
+ 'be known and correct to be accepted. If '
+ '"no", do not require that. If "ask", the '
+ 'user is interactively asked to accept new '
+ 'hosts. The default ("ssh-config") is to '
+ 'rely on the settings of the underlying '
+ 'SSH client',
+ metavar='VALUE',
+ group=ssh_group)
self.app.settings.string(['ssh-known-hosts'],
'filename of the user\'s known hosts file '
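Review bot: The help string for `ssh-host-keys-check` does not say what "no" costs: an unknown host key is accepted, so the first connection to a repository host is not protected against a server impersonating it. I would state that in the text, e.g. `'"no", accept unknown host keys (no protection against a spoofed server on first connection). '`, and have the `strict-ssh-host-keys` help mention that it is still honoured as `--ssh-host-keys-check=yes`. The removed text said the default was to accept unknown keys, while the new default defers to the ssh client, so behaviour may change for unattended runs and the help or release notes should say so.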
diff --git a/test-sftpfs b/test-sftpfs
index 6a7b9b93..4b8e6c39 100755
--- a/test-sftpfs
+++ b/test-sftpfs
@@ -50,6 +50,7 @@ class SftpTests(unittest.TestCase, obnamlib.VfsTests):
'strict-ssh-host-keys': False,
'ssh-known-hosts': os.path.expanduser('~/.ssh/known_hosts'),
'ssh-command': None,
+ 'ssh-host-keys-check': 'no',
}
self.fs = obnamlib.plugins.sftp_plugin.SftpFS(baseurl,
settings=settings)
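Review bot: Both setups in test-sftpfs pin `'ssh-host-keys-check': 'no'` (here and in the hunk at line 73), so nothing in the suite exercises the values that enforce verification. Two tests would cover the security-relevant paths this commit adds. The first constructs `SftpFS` with `'yes'` and a known-hosts file that lacks the host, and expects `obnamlib.Error` on connect. The second sets `'strict-ssh-host-keys': True` and asserts that the settings end up with `'ssh-host-keys-check'` equal to `'yes'`. Both test methods start outside their hunks.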
@@ -72,6 +73,7 @@ class SftpTests(unittest.TestCase, obnamlib.VfsTests):
'strict-ssh-host-keys': False,
'ssh-known-hosts': os.path.expanduser('~/.ssh/known_hosts'),
'ssh-command': None,
+ 'ssh-host-keys-check': 'no',
}
fs = obnamlib.plugins.sftp_plugin.SftpFS(baseurl, settings=settings)
fs.connect()