[ 
https://issues.apache.org/jira/browse/AIRFLOW-7044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17087507#comment-17087507
 ] 

ASF GitHub Bot commented on AIRFLOW-7044:
-----------------------------------------

aaronfowles commented on a change in pull request #7739:
URL: https://github.com/apache/airflow/pull/7739#discussion_r411204750



##########
File path: airflow/providers/ssh/hooks/ssh.py
##########
@@ -275,3 +281,36 @@ def create_tunnel(
                       category=DeprecationWarning)
 
         return self.get_tunnel(remote_port, remote_host, local_port)
+
+    @staticmethod
+    def _add_new_record_to_known_hosts(record, file):
+        file.write(''.join([record, '\n']))
+
+    @staticmethod
+    def add_host_to_known_hosts(host, key_type, host_key):
+        """This adds a specified remote_host public key to the known_hosts
+            in order to prevent man-in-the-middle attacks."""
+        # The .ssh hidden directory is required and not present on all airflow 
deployments
+        known_hosts_file_ref = SSHHook._create_known_hosts()
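Review bot: `_add_new_record_to_known_hosts` writes `''.join([record, '\n'])` straight after whatever the file already holds, so when the existing known_hosts ends without a trailing newline the new entry is concatenated onto the previous line and is not recognized as a separate record; seek to the end and emit a leading `'\n'` when the last byte is not one, or read the tail before appending. Two smaller points in `add_host_to_known_hosts`: the docstring refers to `remote_host` while the parameter is `host`, and its continuation line is indented past the opening quotes. Since the comment says `_create_known_hosts()` has to create `~/.ssh` and the file on deployments that lack them, it should create them with owner-only modes (0700 for the directory, 0600 for the file) rather than whatever the process umask yields, which is the write-access and umask concern this thread raises; anyone who can append to that file can pin a key of their choosing. The hunk is cut off after the `_create_known_hosts()` call, so the rest of the method is not visible here.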

Review comment:
       @RosterIn Thanks for the input. Yes, I was assuming the user would have 
write access to everything under their home dir, but there are certainly 
instances where this may not be the case which I hadn't considered, such as 
the default umask, for example. Changes made.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


> SSH connection (and hook) should support public host_key usage
> --------------------------------------------------------------
>
>                 Key: AIRFLOW-7044
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-7044
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: hooks
>    Affects Versions: 2.0.0
>            Reporter: Aaron Fowles
>            Assignee: Aaron Fowles
>            Priority: Minor
>              Labels: newbie, security, sftp, ssh
>
> It would be good to be able to enforce a public host key check against a 
> known value when making an SSH or SFTP connection.
> Currently, people are forced into using
> {code:java}
> 'no_host_key_check' = True{code}
> which could allow a Man-in-the-middle attack.
> There are two components as far as I can see:
>  * The connection should support specifying the key_type and key (either as 
> fields or in extra)
>  * The hook should get and write those values (along with the hostname) 
> to the ~/.ssh/known_hosts file if
> {code:java}
> 'no_host_key_check' = False{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
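The known_hosts handling the issue above asks for, as an added example that is not Airflow's SSHHook code or the pull request's: it builds the `host key_type key` record from the connection's values, appends it to the file with owner-only permissions and a trailing-newline repair (the failure mode where an unterminated last line swallows the new entry), and checks a presented key against the file, telling an unknown host apart from a known host presenting a different key, which is the man-in-the-middle signal. The record layout, the `[host]:port` form for non-default ports and the `|1|salt|hash` HashKnownHosts form are OpenSSH's; the function names, the result states and the sample hosts and key strings are constructed for this example and are not real keys.

```python
"""Added example (not Airflow's SSHHook or the PR's code): OpenSSH known_hosts records.
Record layout, '[host]:port' and hashed '|1|salt|hash' patterns are OpenSSH's; the
function names, result states and sample hosts/keys are constructed for this example."""
import base64
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def host_pattern(host: str, port: int = 22) -> str:
    """OpenSSH writes a bare hostname for port 22 and '[host]:port' otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def add_host_to_known_hosts(path: Path, host: str, key_type: str, host_key: str,
                            port: int = 22) -> bool:
    """Append 'pattern key_type key' unless present; True when a line was written.
    Owner-only modes (whoever can append here can pin any key) and a trailing-newline
    repair so the record is not glued onto an unterminated last line, where ssh
    would not parse it as a separate entry."""
    record = f"{host_pattern(host, port)} {key_type} {host_key}"
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    if record in existing.splitlines():
        return False
    with open(path, "a", encoding="utf-8") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(record + "\n")
    os.chmod(path, 0o600)
    return True

def _pattern_matches(pattern: str, hostname: str) -> bool:
    """One comma-separated pattern element: a literal, or hashed '|1|b64salt|b64hmac'."""
    if not pattern.startswith("|1|"):
        return pattern == hostname
    try:
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt, digest = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:  # wrong field count or bad base64 (binascii.Error is a ValueError)
        return False
    # HashKnownHosts: HMAC-SHA1 over the hostname (or '[host]:port'), keyed by the salt.
    return hmac.compare_digest(hmac.new(salt, hostname.encode(), hashlib.sha1).digest(), digest)

def verify_host_key(path: Path, host: str, key_type: str, host_key: str, port: int = 22) -> str:
    """'match'; 'mismatch' (host known with a different key of this type: the MITM signal);
    'revoked' (key listed under @revoked); 'unknown' (no entry for this host and key type)."""
    hostname, seen_host = host_pattern(host, port), False
    if not path.exists():
        return "unknown"
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker, _, line = line.partition(" ") if line.startswith("@") else ("", "", line)
        parts = line.split()
        if len(parts) < 3 or marker == "@cert-authority":
            continue  # malformed line, or a CA key rather than a host key
        patterns, ktype, key = parts[0], parts[1], parts[2]
        if ktype != key_type or not any(_pattern_matches(p, hostname) for p in patterns.split(",")):
            continue
        same_key = hmac.compare_digest(key.encode(), host_key.encode())
        if marker == "@revoked":  # a revoked key is never accepted, whatever else is listed
            if same_key:
                return "revoked"
            continue
        seen_host = True
        if same_key:
            return "match"
    return "mismatch" if seen_host else "unknown"

# Constructed sample values: not real keys, just distinct base64-looking strings.
DEMO_HOST, DEMO_TYPE = "db.example.internal", "ssh-ed25519"
DEMO_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyConstructedForThisExample0000000000"
OTHER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAnotherKeyAnImpostorMightPresent0000000000"

def demo() -> dict:
    """Run the add/verify flow in a scratch directory and return what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / ".ssh" / "known_hosts"
        path.parent.mkdir(mode=0o700)
        path.write_text("# comment\nold.example.internal ssh-rsa AAAAB3OldRsaKey")  # no final newline
        first = add_host_to_known_hosts(path, DEMO_HOST, DEMO_TYPE, DEMO_KEY)
        again = add_host_to_known_hosts(path, DEMO_HOST, DEMO_TYPE, DEMO_KEY)
        # A hashed entry for a non-default port (what 'ssh-keygen -H' produces) and a revoked key.
        salt, bastion = b"saltsalt", host_pattern("bastion.example.internal", 2222)
        hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                               base64.b64encode(hmac.new(salt, bastion.encode(), hashlib.sha1).digest()).decode())
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(f"{hashed} {DEMO_TYPE} {DEMO_KEY}\n@revoked bastion.example.internal {DEMO_TYPE} {OTHER_KEY}\n")
        return {
            "written_first": first, "written_again": again, "mode": oct(path.stat().st_mode & 0o777),
            "line_count": len(path.read_text().splitlines()),
            "match": verify_host_key(path, DEMO_HOST, DEMO_TYPE, DEMO_KEY),
            "mismatch": verify_host_key(path, DEMO_HOST, DEMO_TYPE, OTHER_KEY),
            "old_intact": verify_host_key(path, "old.example.internal", "ssh-rsa", "AAAAB3OldRsaKey"),
            "hashed_port": verify_host_key(path, "bastion.example.internal", DEMO_TYPE, DEMO_KEY, 2222),
            "revoked": verify_host_key(path, "bastion.example.internal", DEMO_TYPE, OTHER_KEY),
        }
```

Running `demo()` shows the three outcomes a hook needs to distinguish: `match` (proceed), `unknown` (no pinned key, which is where a hook with host key checking enabled should refuse rather than silently trust), and `mismatch` or `revoked` (a known host presenting a key other than the pinned one, which is exactly the condition `no_host_key_check = True` hides). The `old_intact` entry demonstrates the newline repair: without it, the first added record would have been glued onto the unterminated `old.example.internal` line and both entries would have stopped matching.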
