diff --git a/go.mod b/go.mod
index 9ee61b3cc..ae7728ba7 100644
--- a/go.mod
+++ b/go.mod
@@ -149,7 +149,7 @@ require (
 github.com/shirou/gopsutil/v3 v3.24.5 // indirect
 github.com/shopspring/decimal v1.4.0 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/skeema/knownhosts v1.3.1 // indirect
+ github.com/skeema/knownhosts v1.3.2 // indirect
 github.com/spf13/cast v1.7.1 // indirect
 github.com/spf13/cobra v1.9.1 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
diff --git a/go.sum b/go.sum
index 21a3dbe81..aff5568eb 100644
--- a/go.sum
+++ b/go.sum
@@ -429,8 +429,8 @@ github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+D
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
-github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
+github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
+github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
diff --git a/vendor/github.com/skeema/knownhosts/README.md b/vendor/github.com/skeema/knownhosts/README.md
index 170e04d14..58b7fbe5b 100644
--- a/vendor/github.com/skeema/knownhosts/README.md
+++ b/vendor/github.com/skeema/knownhosts/README.md
@@ -20,7 +20,6 @@ Package [github.com/skeema/knownhosts](https://github.com/skeema/knownhosts) pro
 * Auto-populate ssh.ClientConfig.HostKeyAlgorithms easily based on known_hosts, providing a solution for [golang/go#29286](https://github.com/golang/go/issues/29286). (This also properly handles cert algorithms for hosts using CA keys when [using the NewDB constructor](#enhancements-requiring-extra-parsing) added in skeema/knownhosts v1.3.0.)
 * Properly match wildcard hostname known_hosts entries regardless of port number, providing a solution for [golang/go#52056](https://github.com/golang/go/issues/52056). (Added in v1.3.0; requires [using the NewDB constructor](#enhancements-requiring-extra-parsing))
 * Write new known_hosts entries to an io.Writer
-* Properly format/normalize new known_hosts entries containing ipv6 addresses, providing a solution for [golang/go#53463](https://github.com/golang/go/issues/53463)
 * Easily determine if an ssh.HostKeyCallback's error corresponds to a host whose key has changed (indicating potential MitM attack) vs a host that just isn't known yet
 
 ## How host key lookup works
diff --git a/vendor/github.com/skeema/knownhosts/knownhosts.go b/vendor/github.com/skeema/knownhosts/knownhosts.go
index 2b7536e0d..4a8b6be09 100644
--- a/vendor/github.com/skeema/knownhosts/knownhosts.go
+++ b/vendor/github.com/skeema/knownhosts/knownhosts.go
@@ -194,11 +194,9 @@ func (hkdb *HostKeyDB) HostKeys(hostWithPort string) (keys []PublicKey) {
 // in the known_hosts file will properly be converted to the corresponding
 // ssh.CertAlgo* values.
 func (hkdb *HostKeyDB) HostKeyAlgorithms(hostWithPort string) (algos []string) {
- // We ensure that algos never contains duplicates. This is done for robustness
- // even though currently golang.org/x/crypto/ssh/knownhosts never exposes
- // multiple keys of the same type. This way our behavior here is unaffected
- // even if https://github.com/golang/go/issues/28870 is implemented, for
- // example by https://github.com/golang/crypto/pull/254.
+ // We ensure that the return value never contains duplicates. This is needed
+ // since golang.org/x/crypto/ssh/knownhosts can now return multiple keys of
+ // the same type after https://github.com/golang/crypto/pull/254 was merged.
 hostKeys := hkdb.HostKeys(hostWithPort)
 seen := make(map[string]struct{}, len(hostKeys))
 addAlgo := func(typ string, cert bool) {
@@ -367,26 +365,23 @@ func IsHostUnknown(err error) bool {
 }
 
 // Normalize normalizes an address into the form used in known_hosts. This
-// implementation includes a fix for https://github.com/golang/go/issues/53463
-// and will omit brackets around ipv6 addresses on standard port 22.
+// implementation fixes the buggy IPv6 edge-cases found in golang.org/x/crypto
+// below v0.42.0; see https://github.com/golang/go/issues/53463. In all other
+// cases, this simply delegates to the upstream Normalize implementation.
 func Normalize(address string) string {
- host, port, err := net.SplitHostPort(address)
- if err != nil {
- host = address
- port = "22"
- }
- entry := host
- if port != "22" {
- entry = "[" + entry + "]:" + port
- } else if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
- entry = entry[1 : len(entry)-1]
+ // Although our go.mod specifies a new-enough golang.org/x/crypto to avoid
+ // the IPv6 bug, this logic will remain in-place for sake of robustness in
+ // non-go.mod use-cases (OS package managers, hacky forks like go-git's, etc)
+ result := xknownhosts.Normalize(address)
+ if strings.HasSuffix(result, "]") && strings.HasPrefix(result, "[") {
+ return result[1 : len(result)-1]
 }
- return entry
+ return result
 }
 
 // Line returns a line to append to the known_hosts files. This implementation
 // uses the local patched implementation of Normalize in order to solve
-// https://github.com/golang/go/issues/53463.
+// https://github.com/golang/go/issues/53463 when using x/crypto below v0.42.0.
 func Line(addresses []string, key ssh.PublicKey) string {
 var trimmed []string
 for _, a := range addresses {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c7dacf05c..8f7cbc6d6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -745,8 +745,8 @@ github.com/shopspring/decimal
 # github.com/sirupsen/logrus v1.9.3
 ## explicit; go 1.13
 github.com/sirupsen/logrus
-# github.com/skeema/knownhosts v1.3.1
-## explicit; go 1.22
+# github.com/skeema/knownhosts v1.3.2
+## explicit; go 1.24.0
 github.com/skeema/knownhosts
 # github.com/spf13/cast v1.7.1
 ## explicit; go 1.19