From 63c658886436bf1e5ab690522e0e4269962c89b7 Mon Sep 17 00:00:00 2001 From: Artem Nistratov Date: Wed, 27 Nov 2024 16:06:51 +0300 Subject: [PATCH 1/2] use proxy.Dial instead of net.Dial for ScanHostKey ssh.Dial uses net.DialTimeout under the hood and there is no possibility to use a proxy when running command like `flux create source git` so we use almost all internal implementation of ssh.Dial except net.DialTimeout is replaced with proxy.Dial like it is done in go-git Signed-off-by: Artem Nistratov --- ssh/go.mod | 2 +- ssh/host_key.go | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ssh/go.mod b/ssh/go.mod index a9f24343..a98fce32 100644 --- a/ssh/go.mod +++ b/ssh/go.mod @@ -5,11 +5,11 @@ go 1.22.0 require ( github.com/onsi/gomega v1.34.2 golang.org/x/crypto v0.27.0 + golang.org/x/net v0.29.0 ) require ( github.com/google/go-cmp v0.6.0 // indirect - golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/ssh/host_key.go b/ssh/host_key.go index e3b2e8d3..cde1be88 100644 --- a/ssh/host_key.go +++ b/ssh/host_key.go @@ -17,6 +17,7 @@ limitations under the License. package ssh import ( + "context" "encoding/base64" "fmt" "net" @@ -24,6 +25,7 @@ import ( "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/knownhosts" + "golang.org/x/net/proxy" ) // ScanHostKey collects the given host's preferred public key for the 
@@ -45,10 +47,20 @@ func ScanHostKey(host string, timeout time.Duration, clientHostKeyAlgos []string config.HostKeyAlgorithms = clientHostKeyAlgos } - client, err := ssh.Dial("tcp", host, config) - if err == nil { - defer client.Close() + ctx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + // support for ALL_PROXY ENV varaible + conn, err := proxy.Dial(ctx, "tcp", host) + if err != nil { + return nil, err } + c, chans, reqs, err := ssh.NewClientConn(conn, host, config) + if err != nil { + return nil, err + } + client := ssh.NewClient(c, chans, reqs) + defer client.Close() + if len(col.knownKeys) > 0 { return col.knownKeys, nil } From ddb3fd81065a8b1b17510632c8c43f53ed36b4bf Mon Sep 17 00:00:00 2001 From: Artem Nistratov Date: Wed, 27 Nov 2024 19:19:24 +0300 Subject: [PATCH 2/2] imitate ssh.Dial func for simplicity previously ScanHostKey ignored any SSH/network errors in case it managed to get host keys to make it more obvious we imitate `ssh.Dial` with `sshDial` func Signed-off-by: Artem Nistratov --- ssh/host_key.go | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/ssh/host_key.go b/ssh/host_key.go index cde1be88..e603d168 100644 --- a/ssh/host_key.go +++ b/ssh/host_key.go 
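Review bot: `context.WithTimeout(context.Background(), timeout)` turns a zero `timeout` into an already-expired context, so `proxy.Dial` fails immediately with a deadline error, whereas the replaced `ssh.Dial` handed the value to `net.DialTimeout`, where zero means no timeout; the same applies to `config.Timeout` in `sshDial` in the second patch. If any caller of ScanHostKey relies on 0 meaning "no timeout" (the callers are not visible here), the proxied dial should only receive a deadline when the value is positive, as sketched below. The start of ScanHostKey and the construction of `config` lie outside the hunk.
```go
	// Mirror net.DialTimeout: a zero timeout means no deadline at all.
	ctx := context.Background()
	if timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, timeout)
		defer cancel()
	}
	// … unchanged: proxy.Dial / ssh.NewClientConn / ssh.NewClient …
```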
@@ -47,24 +47,31 @@ func ScanHostKey(host string, timeout time.Duration, clientHostKeyAlgos []string config.HostKeyAlgorithms = clientHostKeyAlgos } - ctx, cancel := context.WithTimeout(context.Background(), timeout) + err := sshDial(host, config) + + if len(col.knownKeys) > 0 { + return col.knownKeys, nil + } + + return col.knownKeys, err +} + +func sshDial(host string, config *ssh.ClientConfig) error { + ctx, cancel := context.WithTimeout(context.Background(), config.Timeout) defer cancel() - // support for ALL_PROXY ENV varaible + // this reads the ALL_PROXY environment varaible conn, err := proxy.Dial(ctx, "tcp", host) if err != nil { - return nil, err + return err } c, chans, reqs, err := ssh.NewClientConn(conn, host, config) if err != nil { - return nil, err + return err } client := ssh.NewClient(c, chans, reqs) defer client.Close() - if len(col.knownKeys) > 0 { - return col.knownKeys, nil - } - return col.knownKeys, err + return nil } // HostKeyCollector offers a StoreKey method which provides an
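Review bot: The deadline carried by `ctx` stops mattering once `proxy.Dial` returns, and as far as I can see neither `ssh.NewClientConn` here nor the `ssh.Dial` it replaces applies `config.Timeout` to the handshake — the step in which the host key is actually received — so a peer (or a proxy that accepted the connection) that then stops responding can hang ScanHostKey regardless of the configured timeout. A connection deadline set right after the `proxy.Dial` error check bounds it: `if config.Timeout > 0 { _ = conn.SetDeadline(time.Now().Add(config.Timeout)) }` (the file already imports `time`, and since `sshDial` closes the client before returning no reset is needed). `sshDial` also lacks a doc comment; I would add one stating that it mirrors `ssh.Dial` but dials through the proxy selected by `proxy.FromEnvironment` (ALL_PROXY/NO_PROXY), that it is used only for the handshake's side effect, and that a handshake error is expected once the host key has been handed to the HostKeyCallback, which is presumably why ScanHostKey checks `col.knownKeys` before returning `err`. The comment `// this reads the ALL_PROXY environment varaible` has a typo (`variable`).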