[
https://issues.apache.org/jira/browse/AIRFLOW-7044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17060435#comment-17060435
]
ASF GitHub Bot commented on AIRFLOW-7044:
-----------------------------------------
aaronfowles commented on pull request #7739: [AIRFLOW-7044] Add host_key option
to SSH connection extras
URL: https://github.com/apache/airflow/pull/7739
This PR adds a new option in the SSH connection extras where you can specify
the base64 ssh-rsa public key of a host. The SSHHook constructor will then add
this key to ~/.ssh/known_hosts if not present.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
> SSH connection (and hook) should support public host_key usage
> --------------------------------------------------------------
>
> Key: AIRFLOW-7044
> URL: https://issues.apache.org/jira/browse/AIRFLOW-7044
> Project: Apache Airflow
> Issue Type: Improvement
> Components: hooks
> Affects Versions: 2.0.0
> Reporter: Aaron Fowles
> Priority: Major
> Labels: newbie, security
>
> It would be good to be able to enforce a public host key check against a
> known value when making an SSH or SFTP connection.
> Currently, people are forced into using
> {code:java}
> 'no_host_key_check' = True{code}
> which could allow a Man-in-the-middle attack.
> There are two components as far as I can see:
> * The connection should support specifying the key_type and key (either as
> fields or in extra)
> * The hook should get and write those values (along with the hostname)
> to the ~/.ssh/known_hosts file if
> {code:java}
> 'no_host_key_check' = False{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
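
The behaviour described in the PR above (add the host's base64 ssh-rsa key to known_hosts if it is not already present), as an added standard-library example; it is not the code from PR #7739. The function names, the constructed sample key, and the choice to raise when a different key is already recorded for the host are assumptions that go beyond what the PR text states.

```python
import base64
import hashlib
import struct
from pathlib import Path

# Constructed sample: a well-formed "ssh-rsa" blob with a toy modulus, not a real host key.
SAMPLE_KEY = base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + struct.pack(">I", 3) + b"\x01\x00\x01"
    + struct.pack(">I", 9) + b"\x00" + b"\xc1" * 8).decode()


def parse_key_type(b64_key: str) -> str:
    """Return the algorithm name stored in the first field of the key blob."""
    blob = base64.b64decode(b64_key, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_key, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(known_hosts: Path, host: str, b64_key: str, port: int = 22) -> str:
    """Append the key if absent. Returns 'added' or 'present'; raises on a conflict."""
    key_type = parse_key_type(b64_key)
    if key_type != "ssh-rsa":  # the label must match what the blob itself declares
        raise ValueError(f"expected ssh-rsa, blob declares {key_type}")
    # OpenSSH records non-default ports as [host]:port
    name = host if port == 22 else f"[{host}]:{port}"
    lines = known_hosts.read_text().splitlines() if known_hosts.exists() else []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # blank, comment, marker and hashed entries are not matched here
        if name in fields[0].split(",") and fields[1] == key_type:
            if fields[2] == b64_key:
                return "present"
            # A different key is already pinned: fail instead of silently trusting both.
            raise ValueError(f"{name} already pinned to {fingerprint(fields[2])}")
    with known_hosts.open("a") as fh:
        fh.write(f"{name} {key_type} {b64_key}\n")
    return "added"
```

Hashed known_hosts entries (those starting with `|1|`) are skipped by this sketch, so a host recorded only in hashed form would get a second, plain entry.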