thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/internal/cli
History
Thales Maciel ae14b9499d
ssh: trust-on-first-use host key pinning everywhere 
Guest host-key verification was off in all three SSH paths:

  * Go SSH (internal/guest/ssh.go) used ssh.InsecureIgnoreHostKey
  * `banger vm ssh` passed StrictHostKeyChecking=no
    + UserKnownHostsFile=/dev/null
  * `~/.ssh/config` Host *.vm shipped the same posture into the
    user's global config

Now each path verifies against a banger-owned known_hosts file at
`~/.local/state/banger/ssh/known_hosts` with TOFU semantics:

  * First dial to a VM pins the key.
  * Subsequent dials require an exact match. A mismatch fails with
    an explicit "possible MITM" error.
  * `vm delete` removes the entries so a future VM reusing the IP
    or name re-pins cleanly.
  * The user's `~/.ssh/known_hosts` is untouched.

Changes:

  internal/guest/known_hosts.go (new) — OpenSSH-compatible parser,
    TOFUHostKeyCallback, RemoveKnownHosts. Process-wide mutex
    around the file.
  internal/guest/ssh.go — Dial and WaitForSSH grew a knownHostsPath
    parameter threaded through the callback. Empty path keeps the
    insecure callback (tests + throwaway tools only; documented).
  internal/daemon/{guest_sessions,session_attach,session_lifecycle,
    session_stream}.go — call sites pass d.layout.KnownHostsPath.
  internal/daemon/ssh_client_config.go — the ~/.ssh/config Host *.vm
    block now points at banger's known_hosts and uses
    StrictHostKeyChecking=accept-new. Missing path → fail closed.
  internal/daemon/vm_lifecycle.go — deleteVMLocked drops known_hosts
    entries for the VM's IP and DNS name via removeVMKnownHosts.
  internal/cli/banger.go — sshCommandArgs swaps StrictHostKeyChecking
    no + /dev/null for banger's file + accept-new. Path resolution
    failure falls through to StrictHostKeyChecking=yes.
  internal/paths/paths.go — Layout gains SSHDir + KnownHostsPath;
    Ensure creates SSHDir at 0700.

Tests (internal/guest/known_hosts_test.go): pin on first use, accept
matching key on second dial, reject mismatch, empty path skips
checking, RemoveKnownHosts drops the entry, re-pin works after
remove. Existing daemon + cli tests updated to assert the new
posture and regression-guard against the old flags.

Live verified: vm run writes the pin to banger's known_hosts at 0600
inside a 0700 dir; banger vm ssh + ssh root@<vm>.vm both succeed
using the pin; vm delete clears it.
2026-04-19 16:46:03 -03:00
..
aliases_test.go cli QoL: vm prune, list→ls aliases, delete→rm aliases 2026-04-19 12:17:46 -03:00
banger.go ssh: trust-on-first-use host key pinning everywhere 2026-04-19 16:46:03 -03:00
bangerd.go Add Go daemon-driven VM control plane 2026-03-16 12:52:54 -03:00
cli_test.go ssh: trust-on-first-use host key pinning everywhere 2026-04-19 16:46:03 -03:00
completion.go cli: shell completion via cobra + dynamic resource name lookups 2026-04-19 12:12:40 -03:00
completion_test.go cli: shell completion via cobra + dynamic resource name lookups 2026-04-19 12:12:40 -03:00
formatters_test.go coverage: easy-wins batch across cli, system, paths, vmdns, toolingplan 2026-04-18 17:57:05 -03:00
make_bundle_test.go banger internal make-bundle: build image bundles from flat rootfs tars 2026-04-17 15:17:50 -03:00
prune_test.go cli QoL: vm prune, list→ls aliases, delete→rm aliases 2026-04-19 12:17:46 -03:00
vm_spec_test.go vm defaults: host-aware sizing + spec line on spawn + doctor check 2026-04-19 13:06:51 -03:00