
Commit 14dab96

committed
feat(apply): automatically add SSH host keys if automatic confirmation is enabled
1 parent cf081d3 commit 14dab96

2 files changed

Lines changed: 13 additions & 2 deletions

File tree

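--- a/cmd/apply/apply.go
+++ b/cmd/apply/apply.go
@@ -253,6 +253,16 @@ func applyMain(cmd *cobra.Command, opts *cmdOpts.ApplyOpts) error {
 }
 }()
 
+needsConfirmation := !opts.AlwaysConfirm && !cfg.Confirmation.Always
+
+// If no confirmation is needed, then manually override the host
+// key verification type so that host keys can always be added to
+// known_hosts.
+hostKeyVerification := cfg.SSH.HostKeyVerification
+if hostKeyVerification == settings.HostKeyVerificationAsk && !needsConfirmation {
+hostKeyVerification = settings.HostKeyVerificationAcceptNew
+}
+
 var targetHost system.System
 
 if opts.TargetHost != "" {
@@ -261,7 +271,7 @@ func applyMain(cmd *cobra.Command, opts *cmdOpts.ApplyOpts) error {
 var sshCfg *system.SSHConfig
 sshCfg, err = system.NewSSHConfig(stopCtx, opts.TargetHost, log, system.SSHConfigOptions{
 AgentManager: sshAgent,
-HostKeyVerification: cfg.SSH.HostKeyVerification,
+HostKeyVerification: hostKeyVerification,
 KnownHostsFiles: cfg.SSH.KnownHostsFiles,
 PrivateKeyCmd: cfg.SSH.PrivateKeyCmd,
 })
@@ -335,7 +345,7 @@ func applyMain(cmd *cobra.Command, opts *cmdOpts.ApplyOpts) error {
 var sshCfg *system.SSHConfig
 sshCfg, err = system.NewSSHConfig(stopCtx, opts.BuildHost, log, system.SSHConfigOptions{
 AgentManager: sshAgent,
-HostKeyVerification: cfg.SSH.HostKeyVerification,
+HostKeyVerification: hostKeyVerification,
 KnownHostsFiles: cfg.SSH.KnownHostsFiles,
 PrivateKeyCmd: cfg.SSH.PrivateKeyCmd,
 })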
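Review bot: The downgrade from 'ask' to 'accept-new' at new lines 262-264 happens silently, so a run with `opts.AlwaysConfirm` or `cfg.Confirmation.Always` set will write previously unseen host keys into known_hosts with nothing in the output saying that the configured policy was relaxed. A single message through `log` inside that `if` body when the override fires (the logger's API is outside this hunk, so the exact call is left to the author) would make the trust-on-first-use decision visible to the user and in any captured logs. The comment on new lines 258-260 also overstates the effect: 'accept-new' presumably adds only unknown keys and still rejects a key that differs from the recorded one, so `// key verification type so that unknown host keys are added to` followed by `// known_hosts without prompting.` would describe it more precisely. The same `hostKeyVerification` value is then passed for both the target host and the build host in the two later hunks, so the relaxed policy covers every SSH connection this command opens. applyMain begins and ends outside these hunks.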

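--- a/internal/settings/settings.go
+++ b/internal/settings/settings.go
@@ -374,6 +374,7 @@ This requires the 'nix-command' experimental feature to be enabled in the Nix co
 Short: "Policy on what action to take with unknown host keys",
 Long: "What action to take when an unknown host key is encountered." +
 " By default, this will mimic OpenSSH behavior and ask interactively, if possible." +
+" If `confirmation.always` is set, then 'ask' will be overridden to 'accept-new'." +
 " If turned off, then known_hosts will not be modified and man-in-the-middle attacks" +
 " may be possible. Mostly a direct equivalent OpenSSH `StrictHostKeyChecking` setting.",
 },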
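Review bot: The new help sentence at line 377 names only `confirmation.always`, while the override in cmd/apply/apply.go in this same commit also fires when `opts.AlwaysConfirm` is set, so a user who enables automatic confirmation from the command line would not learn from this text that their host key policy changes. Consider widening the sentence to say that 'ask' is overridden to 'accept-new' whenever automatic confirmation is enabled, naming `confirmation.always` and the apply command's equivalent flag together. The surrounding setting definition starts and ends outside the hunk.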
