fix(ssh): present only the CA-signed host certificate#370
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the SSH gateway’s downstream host-key presentation to only advertise the CA-signed host certificate (removing the raw host-key fallback), and adds an integration test to enforce the expected negotiation failure for clients restricted to plain host-key algorithms.
Changes:
- Remove the downstream raw host-key fallback so only
*-cert-v01@openssh.comhost key algorithms are offered. - Add an integration test that confirms connection failure when the client restricts
HostKeyAlgorithmsto plainssh-ed25519.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
internal/sshhandler/config.go |
Removes adding the raw keySigner as a fallback host key, leaving only the cert signer advertised. |
test/integration/ssh_test.go |
Adds a regression test asserting that clients offering only plain host-key algorithms cannot negotiate a host key. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #370 +/- ##
==========================================
- Coverage 86.18% 86.09% -0.09%
==========================================
Files 40 40
Lines 2830 2827 -3
==========================================
- Hits 2439 2434 -5
- Misses 265 267 +2
Partials 126 126
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Related Tickets & Documents
Changes
Notes
Clients that accept only plain host-key algorithms (not
*-cert-v01@openssh.com) can no longer negotiate a host key. This is intended: presenting the raw ephemeral key is what let host identity drift across restarts.