Git log: commit 2ee47e4d11b6fd15534cfd996e6f53f3538f97bb
Author: Reinhard Tartler <siretart@tauware.de>
Date: Sat Nov 9 21:22:56 2024 -0500
debian/changelog: update
commit 564ef5ab9702ba1e1457deb16684ccd4f97732dc
Merge: e033bfd ef6b4bc
Author: Reinhard Tartler <siretart@tauware.de>
Date: Sat Nov 9 21:22:39 2024 -0500
Update upstream source from tag 'upstream/1.3.0'
Update to upstream version '1.3.0'
with Debian dir d39408204a1b52ef3a0c9d8005ede593fea0e987
commit ef6b4bc19c9175f5e7ce5eff8cccc1f8ccd7451b
Merge: fd19680 9485bde
Author: Reinhard Tartler <siretart@tauware.de>
Date: Sat Nov 9 21:22:39 2024 -0500
New upstream version 1.3.0
commit 9485bdec8ed521b32ab0e9310619effa071a99d6
Author: Evan Elias <evan@skeema.net>
Date: Tue Jul 16 17:20:57 2024 -0400
docs: add PR template and CONTRIBUTING.md guide; minor README tweaks
commit 8b8ca37f5c06772b6ec58e2f13aca8b16eda0600
Author: Evan Elias <evan@skeema.net>
Date: Tue Jul 16 16:14:12 2024 -0400
host matching: handle wildcards with non-standard port (#10)
In OpenSSH, wildcard host pattern entries in a known_hosts file can match
hosts regardless of their port number. However, x/crypto/ssh/knownhosts does
not follow this behavior, instead requiring strict port equality; see bug
https://github.com/golang/go/issues/52056 for background.
This commit implements a workaround in skeema/knownhosts, which is enabled
when using the NewDB constructor. Conceptually, the workaround works like
this:
* At constructor time, when re-reading the known_hosts file (originally to
look for @cert-authority lines), also look for lines that have wildcards
in the host pattern and no port number specified. Track these lines in a
new field of the HostKeyDB struct for later use.
* When a host key callback returns no matches (KeyError with empty Want slice)
and the host had a nonstandard (non-22) port number, try the callback again,
this time manipulating the host arg to be on port 22.
* If this second call returned nil error, that means the host key now matched
a known_hosts entry on port 22, so consider the host as known.
* If this second call returned a KeyError with non-empty Want slice, filter
down the resulting keys to only correspond to lines with known wildcards,
using the preprocessed information from the first step. This ensures we
aren't incorrectly returning non-wildcard entries among the Want slice.
The implementation for the latter 3 bullets gets embedded directly in the
host key callback returned by HostKeyDB.HostKeyCallback, by way of some
nested callback wrapping. This only happens if the first bullet actually
found at least one wildcard in the file.
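The wildcard-port workaround described above, as an added Go example that is not skeema/knownhosts' own code: it models the constructor-time wildcard scan and the nested callback wrapping from the bullets. KnownKey, KeyError and the `func(string) error` callback are simplified, constructed stand-ins for the golang.org/x/crypto/ssh/knownhosts shapes (which carry the remote address and presented key too), so the block runs without that dependency.

```go
package main

import (
	"net"
	"strings"
)

// Constructed stand-ins (not the real x/crypto/ssh/knownhosts types): Want lists
// the known_hosts entries whose host pattern matched but whose key differed; an
// empty Want means the host is unknown.
type KnownKey struct{ Filename string; Line int }
type KeyError struct{ Want []KnownKey }
func (e *KeyError) Error() string { return "knownhosts: unknown host or key mismatch" }

// wildcardNoPort is the constructor-time scan from the first bullet: a host
// pattern with a wildcard and no "[host]:port" form matches any port in OpenSSH.
func wildcardNoPort(pattern string) bool {
	return strings.ContainsAny(pattern, "*?") && !strings.HasPrefix(pattern, "[")
}

// withPortFallback wraps a strict-port callback (bullets two to four): if a host
// on a non-22 port is unknown, retry on port 22 and keep only wildcard-backed Want entries.
func withPortFallback(cb func(string) error, wild map[KnownKey]bool) func(string) error {
	return func(hostport string) error {
		err := cb(hostport)
		if ke, ok := err.(*KeyError); !ok || len(ke.Want) > 0 {
			return err // nil (known), unrelated error, or a genuine key mismatch
		}
		host, port, splitErr := net.SplitHostPort(hostport)
		if splitErr != nil || port == "" || port == "22" {
			return err
		}
		err2 := cb(net.JoinHostPort(host, "22"))
		if err2 == nil {
			return nil // an entry matched on port 22: treat the host as known
		}
		var filtered []KnownKey
		if ke2, ok := err2.(*KeyError); ok {
			for _, k := range ke2.Want {
				if wild[k] { // drop lines that only apply to port 22
					filtered = append(filtered, k)
				}
			}
		}
		if len(filtered) == 0 {
			return err // nothing wildcard-backed matched: still unknown
		}
		return &KeyError{Want: filtered}
	}
}
```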
commit 7c797a490676f902bcfa160d09664815d75dfaec
Merge: 5832aa8 53a26cc
Author: Evan Elias <evan@skeema.net>
Date: Fri Jul 12 17:03:03 2024 -0400
Merge pull request #9 from skeema/certs-backwards-compat
Backwards-compatible support for @cert-authority, implemented in a new HostKeyDB type, created with constructor NewDB.
commit 53a26ccd67909a2b2a5cfad598c6ba7c860996d2
Author: Evan Elias <evan@skeema.net>
Date: Tue Jul 9 16:27:21 2024 -0400
Minor adjustments based on initial PR feedback
* Add new exported method HostKeyCallback.ToDB, to provide a mechanism for
callers who want to conditionally enable or disable CA support, while still
using a *HostKeyDB for both cases.
* Clarify many doc string comments.
* Add new exported function WriteKnownHostCA for writing a @cert-authority
line to a known_hosts file. Previously this logic was in a test helper, but
it could be useful to others, so let's export it outside of the tests.
commit 69b4a6244d5cd06d0ad414d4cef40edeead3c115
Author: Evan Elias <evan@skeema.net>
Date: Sun Jul 7 18:46:26 2024 -0400
certs: reimplement previous commit to maintain backwards compat
The previous commit d314bf36 added support for @cert-authority lines, but
technically broke backwards compatibility due to changing the return type of
one exported method. This commit adjusts that previous commit's new logic to
restore backwards compatibility, and makes additional changes as follows:
* Introduce new exported type HostKeyDB, which handles @cert-authority lines
correctly and is returned by NewDB; old exported type HostKeyCallback (which
is returned by New) omits that handling. Git-specific use-cases can likely
remain with using New, since Git forges typically don't support CAs. Non-Git
use-cases, such as general-purpose SSH clients, should consider switching to
NewDB to get the CA logic.
* When NewDB re-reads the known_hosts files to implement the CA support, it
only re-reads each file a single time (vs potentially multiple times at
callback execution time in d314bf36), and it reads using buffered IO similar
to x/crypto/ssh/knownhosts.
* This package's PublicKey struct now exports its Cert boolean field, vs
keeping it private in d314bf36.
* Refactor the RSA-to-algo expansion logic to simplify its handling in the CA
situation.
* Add test coverage for all new behaviors and @cert-authority logic.
commit d314bf36fde12e8064efdd5de9779beba65cb644
Author: Javier Alvarez Garcia <ja@daedalean.ai>
Date: Mon Jun 17 15:20:11 2024 +0200
Support cert authorities
commit 5832aa8abbe19d2e27ddc7e63528efe787578b75
Author: Evan Elias <evan@skeema.net>
Date: Wed Jul 3 18:53:05 2024 -0400
ci: send coverage to Coveralls; upgrade action versions
This commit adjusts the following parts of the GitHub Actions configuration
for this repo:
* Report test coverage to Coveralls via github.com/mattn/goveralls
* Bump versions of actions/setup-go and actions/checkout to prevent "Node.js
16 actions are deprecated" warnings
* Simplify installation command for golint
* Include coverage badge in README
commit 7acc57b56da9234643c88b13d31b3bfaabba9b7b
Author: Evan Elias <evan@skeema.net>
Date: Wed Jul 3 18:46:08 2024 -0400
go.mod: update golang.org/x dependencies
commit e73fcfc9b72e7558740d3c5bcce12259b3cb7a65
Merge: f2b518c bd8e67e
Author: Evan Elias <evan@skeema.net>
Date: Tue Mar 12 11:16:52 2024 -0400
Merge pull request #6 from trzsz/main
HostKeyAlgorithms: add rsa-sha2-256 and rsa-sha2-512 for ssh-rsa
commit bd8e67ecaa664984a8af209daa256b8aab3454a5
Author: Lonny Wong <lonnywong@qq.com>
Date: Mon Mar 11 19:36:57 2024 +0800
HostKeyAlgorithms: add rsa-sha2-256 and rsa-sha2-512 for ssh-rsa
commit f2b518cbd77bb75f04d18fc8a19040ed2c02d1cf
Author: Evan Elias <evan@skeema.net>
Date: Mon Mar 11 15:56:26 2024 -0400
docs: bump year to 2024
commit 379d675ad94594866afec09140f270766709763d
Author: Evan Elias <evan@skeema.net>
Date: Mon Mar 11 15:52:08 2024 -0400
ci: bump GOVERSION and fix golint
GitHub Actions was configured to use Go 1.17, which is quite old. This commit
bumps it to Go 1.21, which is the older of the two currently-supported Go
versions.
This commit also adjusts the command-line for installing `golint` to be
compatible with more recent Go versions.
Keeping go.mod at 1.17 for now though, unless/until we actually need newer Go
language features. Since github.com/skeema/knownhosts is imported by a lot of
other Go packages, we don't want to force increases to that listed version
unnecessarily.
commit 3a35d9f4bebfa398ab3e4ba875aa55fd679a2b63
Author: Evan Elias <evan@skeema.net>
Date: Mon Sep 18 15:47:09 2023 -0400
HostKeyAlgorithms: ensure result never contains duplicates
Currently the behavior of HostKeyAlgorithms never contains duplicates, only by
virtue of golang.org/x/crypto/ssh/knownhosts exposing a maximum of one key per
algorithm in its KeyError.Want slice.
However, that upstream behavior could theoretically change in the future,
especially since golang.org/x/crypto is versioned as a pre-v1 module, and the
one-key-per-type behavior is only documented as a comment (e.g. not part of
any type or function signature).
This commit makes our HostKeyAlgorithms function more robust / future-proof
by ensuring that its result does not contain duplicates, regardless of
upstream behavior.
This means if https://github.com/golang/go/issues/28870 is solved (for example
by https://github.com/golang/crypto/pull/254), there should not be any harm to
our behavior here in github.com/skeema/knownhosts.
commit 2442217a08f2072ac0640054256d10f5b6268978
Author: Evan Elias <evan@skeema.net>
Date: Mon Sep 18 15:30:56 2023 -0400
tests: memoize the generated test known_hosts file
Previously, several test functions each wrote their own test known_hosts file,
generating different random keys each time. This is slow and CPU-intensive.
This commit changes the test logic to generate random keys once per overall
test process, and re-use those test known_hosts contents across multiple test
functions.
commit 7198c0f5ef3821febcf382f399ed64612f53a457
Author: Evan Elias <evan@skeema.net>
Date: Mon Sep 18 14:51:06 2023 -0400
update golang.org/x dependencies
commit 09454b7d568378cd20c6a98d599e09970ce713e6
Merge: 903aab7 4d5bb77
Author: Evan Elias <evan@skeema.net>
Date: Sat Sep 16 15:22:30 2023 -0400
Merge pull request #4 from trzsz/main
Omit the IPv6 zone ID if it contains spaces
commit 4d5bb77e50c7ed3adcd02ed189d2fa318459ef10
Author: Lonny Wong <lonnywong@qq.com>
Date: Sat Sep 16 09:02:30 2023 +0800
Avoid writing extra spaces in WriteKnownHost #4
commit 903aab75389f39b3c35a4d442ea83fb42edbbf83
Author: Evan Elias <evan@skeema.net>
Date: Mon Jul 10 16:19:36 2023 -0400
docs and comments: updates ahead of tagging new release
commit 619ef88d66f2b50de11acafc3d22bfbdad439883
Author: Evan Elias <evan@skeema.net>
Date: Fri Jul 7 19:47:35 2023 -0400
tests: fix typo in helper function name
This commit corrects the name of the generatePubKeyEd25519 test helper
function.
commit 6b50f2ec811e897472aaec602748cb3b139cb565
Merge: 9483adc 1a213af
Author: Evan Elias <evan@skeema.net>
Date: Fri Jul 7 19:28:20 2023 -0400
Merge pull request #2 from trzsz/main
Implement workaround in WriteKnownHost for IPv6 addresses. Closes #1
commit 1a213af74db1f35bd56536236f63cecde258b323
Author: Lonny Wong <lonnywong@qq.com>
Date: Sat Jul 8 00:07:37 2023 +0800
Fix WriteKnownHost for IPv6 #1
commit 9483adcf622fe880025c89e373689cf4761917c1
Author: Evan Elias <evan@skeema.net>
Date: Fri May 12 19:06:59 2023 -0400
update golang.org/x dependencies
commit 5dcbe52347da5119ceb3fc7daf9ef2d904052ec9
Author: Evan Elias <evan@skeema.net>
Date: Tue Jan 10 18:23:58 2023 -0500
docs: fix shields.io build status badge in README
The previous shields.io badge URL was no longer correct due to the change
described in https://github.com/badges/shields/issues/8671.
commit 28683a41589032c59429a000a11a57165fcbbbb2
Author: Evan Elias <evan@skeema.net>
Date: Sat Jun 18 17:39:38 2022 -0400
Add several new exported functions and methods
* Add new method HostKeyCallback.HostKeys() for looking up the public keys
for a given host; result is sorted based on known_hosts filename and line
* HostKeyCallback.HostKeyAlgorithms() now uses HostKeyCallback.HostKeys(),
so its result now has a well-defined sort order
* New convenience functions IsHostKeyChanged(), IsHostUnknown(), and
WriteKnownHost(). Ideally this package now provides enough functionality
that it can cover the use-cases of golang.org/x/crypto/ssh/knownhosts
(it should be sufficient to import github.com/skeema/knownhosts alone
without ever needing to also import golang.org/x/crypto/ssh/knownhosts)
commit 02fe81dd235b731bcb12f6c17810c37b94080933
Author: Evan Elias <evan@skeema.net>
Date: Sat Jun 18 00:12:10 2022 -0400
docs: fix function name/signature in example_test.go
In order for examples to show up in Go docs, the function name must begin with
Example and have no args or returns.
commit 59661f4ce01a6d6a587fbce3a01f324f9f1b87bb
Author: Evan Elias <evan@skeema.net>
Date: Fri Jun 17 19:25:56 2022 -0400
docs: add example_test.go
commit 2f9421f72e4220d59e4dd8e0dbfee43eb078b80f
Author: Evan Elias <evan@skeema.net>
Date: Fri Jun 17 19:03:51 2022 -0400
Initial commit