podman machine and podman-remote need some softer handling when it co…

…mes to key verification

this ensures that podman machine will still work (until we want to make this mandatory). I made the call back function more verbose so we know what is happening from now on.

Signed-off-by: Charlie Doern <cdoern@redhat.com>

pkg/config/config.go

@@ -376,6 +376,8 @@ type EngineConfig struct {
 	// RemoteIdentity key file for RemoteURI
 	RemoteIdentity string `toml:"remote_identity,omitempty"`
 
+	MachineMode bool `toml:"machine_mode,omitempty"`
+
 	// ActiveService index to Destinations added v2.0.3
 	ActiveService string `toml:"active_service,omitempty"`
 
@@ -613,6 +615,8 @@ type Destination struct {
 
 	// Identity file with ssh key, optional
 	Identity string `toml:"identity,omitempty"`
+
+	Machine bool `toml:"machine,omitempty"`
 }
 
 // NewConfig creates a new Config. It starts with an empty config and, if
@@ -1235,32 +1239,32 @@ func Reload() (*Config, error) {
 	return defConfig()
 }
 
-func (c *Config) ActiveDestination() (uri, identity string, err error) {
+func (c *Config) ActiveDestination() (uri, identity string, machine bool, err error) {
 	if uri, found := os.LookupEnv("CONTAINER_HOST"); found {
 		if v, found := os.LookupEnv("CONTAINER_SSHKEY"); found {
 			identity = v
 		}
-		return uri, identity, nil
+		return uri, identity, false, nil
 	}
 	connEnv := os.Getenv("CONTAINER_CONNECTION")
 	switch {
 	case connEnv != "":
 		d, found := c.Engine.ServiceDestinations[connEnv]
 		if !found {
-			return "", "", fmt.Errorf("environment variable CONTAINER_CONNECTION=%q service destination not found", connEnv)
+			return "", "", false, fmt.Errorf("environment variable CONTAINER_CONNECTION=%q service destination not found", connEnv)
 		}
-		return d.URI, d.Identity, nil
+		return d.URI, d.Identity, d.Machine, nil
 
 	case c.Engine.ActiveService != "":
 		d, found := c.Engine.ServiceDestinations[c.Engine.ActiveService]
 		if !found {
-			return "", "", fmt.Errorf("%q service destination not found", c.Engine.ActiveService)
+			return "", "", false, fmt.Errorf("%q service destination not found", c.Engine.ActiveService)
 		}
-		return d.URI, d.Identity, nil
+		return d.URI, d.Identity, d.Machine, nil
 	case c.Engine.RemoteURI != "":
-		return c.Engine.RemoteURI, c.Engine.RemoteIdentity, nil
+		return c.Engine.RemoteURI, c.Engine.RemoteIdentity, c.Engine.MachineMode, nil
 	}
-	return "", "", errors.New("no service destination configured")
+	return "", "", false, errors.New("no service destination configured")
 }
 
 var (

pkg/config/config_test.go

@@ -588,9 +588,10 @@ image_copy_tmp_dir="storage"`
 			cfg, err = ReadCustomConfig()
 			gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
 
-			u, i, err := cfg.ActiveDestination()
+			u, i, m, err := cfg.ActiveDestination()
 			gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
 
+			gomega.Expect(m).To(gomega.Equal(false))
 			gomega.Expect(u).To(gomega.Equal("https://qa/run/podman/podman.sock"))
 			gomega.Expect(i).To(gomega.Equal("/.ssh/id_rsa"))
 		})
@@ -620,7 +621,7 @@ image_copy_tmp_dir="storage"`
 			oldContainerConnection, hostEnvSet := os.LookupEnv("CONTAINER_CONNECTION")
 			os.Setenv("CONTAINER_CONNECTION", "QB")
 
-			u, i, err := cfg.ActiveDestination()
+			u, i, _, err := cfg.ActiveDestination()
 			// Undo that
 			if hostEnvSet {
 				os.Setenv("CONTAINER_CONNECTION", oldContainerConnection)
@@ -660,7 +661,7 @@ image_copy_tmp_dir="storage"`
 			os.Setenv("CONTAINER_HOST", "foo.bar")
 			os.Setenv("CONTAINER_SSHKEY", "/.ssh/newid_rsa")
 
-			u, i, err := cfg.ActiveDestination()
+			u, i, _, err := cfg.ActiveDestination()
 			// Undo that
 			if hostEnvSet {
 				os.Setenv("CONTAINER_HOST", oldContainerHost)
@@ -684,7 +685,7 @@ image_copy_tmp_dir="storage"`
 			cfg, err := ReadCustomConfig()
 			gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
 
-			_, _, err = cfg.ActiveDestination()
+			_, _, _, err = cfg.ActiveDestination()
 			gomega.Expect(err).Should(gomega.HaveOccurred())
 		})
 

pkg/ssh/connection_golang.go

@@ -3,6 +3,7 @@ package ssh
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -70,7 +71,7 @@ func golangConnectionDial(options ConnectionDialOptions) (*ConnectionDialReport,
 	if err != nil {
 		return nil, err
 	}
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, options.InsecureIsMachineConnection)
 	if err != nil {
 		return nil, err
 	}
@@ -89,7 +90,7 @@ func golangConnectionExec(options ConnectionExecOptions) (*ConnectionExecReport,
 		return nil, err
 	}
 
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, false)
 	if err != nil {
 		return nil, err
 	}
@@ -115,7 +116,7 @@ func golangConnectionScp(options ConnectionScpOptions) (*ConnectionScpReport, er
 	if err != nil {
 		return nil, err
 	}
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, false)
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +210,7 @@ func GetUserInfo(uri *url.URL) (*url.Userinfo, error) {
 // ValidateAndConfigure will take a ssh url and an identity key (rsa and the like) and ensure the information given is valid
 // iden iden can be blank to mean no identity key
 // once the function validates the information it creates and returns an ssh.ClientConfig.
-func ValidateAndConfigure(uri *url.URL, iden string) (*ssh.ClientConfig, error) {
+func ValidateAndConfigure(uri *url.URL, iden string, insecureMachine bool) (*ssh.ClientConfig, error) {
 	var signers []ssh.Signer
 	passwd, passwdSet := uri.User.Password()
 	if iden != "" { // iden might be blank if coming from image scp or if no validation is needed
@@ -272,23 +273,54 @@ func ValidateAndConfigure(uri *url.URL, iden string) (*ssh.ClientConfig, error)
 	if err != nil {
 		return nil, err
 	}
-	keyFilePath := filepath.Join(homedir.Get(), ".ssh", "known_hosts")
-	known, err := knownhosts.New(keyFilePath)
-	if err != nil {
-		return nil, fmt.Errorf("creating host key callback function for %s: %w", keyFilePath, err)
-	}
 
+	var keyErr *knownhosts.KeyError
 	cfg := &ssh.ClientConfig{
-		User:            uri.User.Username(),
-		Auth:            authMethods,
-		HostKeyCallback: known,
-		Timeout:         tick,
+		User: uri.User.Username(),
+		Auth: authMethods,
+		HostKeyCallback: ssh.HostKeyCallback(func(host string, remote net.Addr, pubKey ssh.PublicKey) error {
+			keyFilePath := filepath.Join(homedir.Get(), ".ssh", "known_hosts")
+			known, err := knownhosts.New(keyFilePath)
+			if err != nil {
+				if os.IsNotExist(err) && insecureMachine {
+					logrus.Warn("please create a known_hosts file and recreate the machine to add the public key entry")
+					return nil
+				}
+				return err
+			}
+			hErr := known(host, remote, pubKey)
+			if errors.As(hErr, &keyErr) && len(keyErr.Want) > 0 {
+				logrus.Warnf("ssh host key mismatch for host %s, got key %s of type %s", host, ssh.FingerprintSHA256(pubKey), pubKey.Type())
+				return keyErr
+			} else if errors.As(hErr, &keyErr) && len(keyErr.Want) == 0 {
+				// write to known_hosts
+				hd := homedir.Get()
+				known := filepath.Join(hd, ".ssh", "known_hosts")
+				f, err := os.OpenFile(known, os.O_APPEND|os.O_WRONLY, 0600)
+				if err != nil {
+					if os.IsNotExist(err) {
+						logrus.Warn("podman will soon require a known_hosts file to function properly. Podman will create and mamage keys within " + known)
+						return nil
+					}
+					return err
+				}
+				// normalize the line, then add it to known_hosts
+				normalized := knownhosts.Normalize(remote.String())
+				l := knownhosts.Line([]string{normalized}, pubKey)
+				if _, err = f.WriteString("\n" + l); err != nil {
+					return err
+				}
+				logrus.Infof("key %s added to %s", ssh.FingerprintSHA256(pubKey), known)
+			}
+			return nil
+		}),
+		Timeout: tick,
 	}
 	return cfg, nil
 }
 
 func getUDS(uri *url.URL, iden string) (string, error) {
-	cfg, err := ValidateAndConfigure(uri, iden)
+	cfg, err := ValidateAndConfigure(uri, iden, false)
 	if err != nil {
 		return "", fmt.Errorf("failed to validate: %w", err)
 	}

pkg/ssh/types.go

@@ -27,12 +27,13 @@ type ConnectionCreateOptions struct {
 }
 
 type ConnectionDialOptions struct {
-	Host     string
-	Identity string
-	User     *url.Userinfo
-	Port     int
-	Auth     []string
-	Timeout  time.Duration
+	Host                        string
+	Identity                    string
+	User                        *url.Userinfo
+	Port                        int
+	Auth                        []string
+	Timeout                     time.Duration
+	InsecureIsMachineConnection bool
 }
 
 type ConnectionDialReport struct {