proposal: x/crypto/ssh: allow the client to automatically detect host key algorithms #68619
Comments
I suggest a slightly different semantic: the The caller then filters the algorithms to only the ones compatible with those key types. (Host key callbacks don't usually know anything about algorithms, so let's make the error also only concern itself with key types. This also avoids the mistake of returning Our client will call the callback proactively with a fake key to filter the

@FiloSottile thank you. Here is the updated proposal

Just ran into this particular mistake myself with some code that was written prior to the SHA-2 support, so something which encourages this to work would be desirable. I was thinking that maybe in addition to
Proposal Details

If ClientConfig.HostKeyAlgorithms is not set, a reasonable default is used for the acceptable host key types, which may be one for which you do not have a matching host key provided using ClientConfig.HostKeyCallback. If our users don't set ClientConfig.HostKeyAlgorithms, we should try to obtain the expected algorithms from the configured ClientConfig.HostKeyCallback.

To enable this automatic detection, I propose to add a new error that HostKeyCallback implementations can return to inform about the supported algorithms:

It is preferable to return HostKeyAlgorithms and not the key formats, because this way implementations can decide, for example, to return only the SHA-2 variants for the ssh-rsa key format.

If ClientConfig.HostKeyAlgorithms is not set, our client will execute the callback passing a sentinel, non-existent key type and, if the error returned is a HostKeyCallbackError, the returned host key algorithms are used.

We should return HostKeyCallbackError in our internal HostKeyCallback implementations:
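The flow described in the proposal, as an added example written for this page rather than code from the issue or from golang.org/x/crypto/ssh: a known_hosts-style callback that pins key types per host, the proposed HostKeyCallbackError (hypothetical here, not yet in the library), and the client-side probe with a sentinel key type. The example deliberately avoids importing x/crypto/ssh so it runs stand-alone; publicKey, hostKeyCallback and the algorithm name strings mirror the real ssh.PublicKey.Type(), ssh.HostKeyCallback and the ssh.KeyAlgo* constants, and the sentinel type name, hostnames and pinned key types are constructed sample data. The mapping returns only the SHA-2 variants for ssh-rsa keys, which is the choice the proposal uses to motivate returning algorithms rather than key formats.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// publicKey is the subset of ssh.PublicKey this example needs
// (assumption: mirrors the Type() method of golang.org/x/crypto/ssh.PublicKey).
type publicKey interface {
	Type() string
}

// stubKey is a constructed stand-in for a parsed host key.
type stubKey struct{ keyType string }

func (k stubKey) Type() string { return k.keyType }

// hostKeyCallback mirrors the signature of ssh.HostKeyCallback.
type hostKeyCallback func(hostname string, remote net.Addr, key publicKey) error

// HostKeyCallbackError is the error type proposed in the issue (hypothetical
// here; it is not part of x/crypto/ssh). It carries the host key algorithms
// the callback would accept for the host.
type HostKeyCallbackError struct {
	HostKeyAlgorithms []string
}

func (e *HostKeyCallbackError) Error() string {
	return fmt.Sprintf("host key not accepted; acceptable algorithms: %v", e.HostKeyAlgorithms)
}

// sentinelKeyType is a constructed, non-existent key type used only to probe
// the callback; no real host key will ever carry this type.
const sentinelKeyType = "x-sentinel-probe@example.invalid"

// algorithmsForKeyType maps a pinned host key format to the algorithms the
// client should announce for it. For ssh-rsa keys only the SHA-2 signature
// algorithms are returned, so the SHA-1 "ssh-rsa" algorithm is never offered.
// Other key types (ed25519, ecdsa-*, and their certificate forms) use the
// key type name itself as the algorithm name.
func algorithmsForKeyType(keyType string) []string {
	switch keyType {
	case "ssh-rsa":
		return []string{"rsa-sha2-512", "rsa-sha2-256"}
	case "ssh-rsa-cert-v01@openssh.com":
		return []string{"rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-256-cert-v01@openssh.com"}
	default:
		return []string{keyType}
	}
}

// pinnedHostKeys is constructed sample data: hostname -> key types pinned for
// it. A real callback would hold the full keys and compare their bytes.
var pinnedHostKeys = map[string][]string{
	"bastion.example.test": {"ssh-ed25519", "ssh-rsa"},
	"legacy.example.test":  {"ssh-rsa"},
}

// pinnedKeysCallback behaves like a known_hosts based HostKeyCallback: it
// accepts a key whose type is pinned for the host and otherwise returns a
// HostKeyCallbackError listing the algorithms that would be acceptable.
func pinnedKeysCallback(hostname string, remote net.Addr, key publicKey) error {
	types, ok := pinnedHostKeys[hostname]
	if !ok {
		return fmt.Errorf("no host key pinned for %s", hostname)
	}
	for _, t := range types {
		if t == key.Type() {
			return nil // real code would also compare the key material
		}
	}
	var algos []string
	for _, t := range types {
		algos = append(algos, algorithmsForKeyType(t)...)
	}
	return &HostKeyCallbackError{HostKeyAlgorithms: algos}
}

// detectHostKeyAlgorithms is the client-side step the proposal describes:
// probe the callback with the sentinel key type and, if it answers with a
// HostKeyCallbackError, use the algorithms it reports. It returns nil when
// the callback does not participate, so the caller keeps its defaults.
func detectHostKeyAlgorithms(cb hostKeyCallback, hostname string) []string {
	err := cb(hostname, nil, stubKey{sentinelKeyType})
	var hkErr *HostKeyCallbackError
	if errors.As(err, &hkErr) {
		return hkErr.HostKeyAlgorithms
	}
	return nil
}

func main() {
	for _, h := range []string{"bastion.example.test", "legacy.example.test", "unknown.example.test"} {
		fmt.Printf("%s -> HostKeyAlgorithms=%v\n", h, detectHostKeyAlgorithms(pinnedKeysCallback, h))
	}
}
```

The list detectHostKeyAlgorithms returns is what a client would assign to ClientConfig.HostKeyAlgorithms before dialing; for a host with no pinned key the callback returns an ordinary error, the probe yields nil, and the client falls back to its default list exactly as it does today.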