[
https://issues.apache.org/jira/browse/AIRFLOW-7044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17062586#comment-17062586
]
Aaron Fowles commented on AIRFLOW-7044:
---------------------------------------
Would someone be able to take a look at this PR please
[https://github.com/apache/airflow/pull/7739]?
Benefits:
* Would make it easier for users to be sure of the identity of the server they're
sending files to when using the SFTP operator (no using `no_host_key_check` all the
time).
* If using Airflow on Kubernetes where pods come and go, it would be nice to
know that the public host key will be there on the pod when the SSHHook
constructor is called (and therefore present for connection).
> SSH connection (and hook) should support public host_key usage
> --------------------------------------------------------------
>
> Key: AIRFLOW-7044
> URL: https://issues.apache.org/jira/browse/AIRFLOW-7044
> Project: Apache Airflow
> Issue Type: Improvement
> Components: hooks
> Affects Versions: 2.0.0
> Reporter: Aaron Fowles
> Assignee: Aaron Fowles
> Priority: Major
> Labels: newbie, security, sftp, ssh
>
> It would be good to be able to enforce a public host key check against a
> known value when making an SSH or SFTP connection.
> Currently, people are forced into using
> {code:java}
> 'no_host_key_check' = True{code}
> which could allow a man-in-the-middle attack.
> There are two components as far as I can see:
> * The connection should support specifying the key_type and key (either as
> fields or in extra)
> * The hook should get and write those values (along with the hostname)
> to the ~/.ssh/known_hosts file if
> {code:java}
> 'no_host_key_check' = False{code}
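The host-key pinning the issue describes, as an added example that is not code from the Airflow PR or project: it builds a `known_hosts` entry from a hostname, key type and base64 key, rejects a key whose embedded type differs from the declared one, and compares a presented key against the pinned one. The function names, hostname and sample key are constructed for illustration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def known_hosts_line(hostname: str, key_type: str, key_b64: str, port: int = 22) -> str:
    """Build a known_hosts entry, rejecting blobs that do not match key_type."""
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # A public key blob starts with its own algorithm name; it must agree
    # with the key_type stored next to it in the connection.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("declared key_type does not match key blob")
    # OpenSSH writes non-default ports as [host]:port
    host = hostname if port == 22 else f"[{hostname}]:{port}"
    return f"{host} {key_type} {key_b64}"


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pinned_b64: str, presented_blob: bytes) -> bool:
    """Compare the key a server presented with the pinned one."""
    return hmac.compare_digest(base64.b64decode(pinned_b64), presented_blob)


# Constructed sample keys: valid ssh-ed25519 framing, dummy key bytes.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
OTHER_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))

if __name__ == "__main__":
    print(known_hosts_line("sftp.example.com", "ssh-ed25519", SAMPLE_B64))
    print(fingerprint(SAMPLE_B64))
    print(host_key_matches(SAMPLE_B64, OTHER_BLOB))
```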