From 32e89e92600a361bdfe65ef34e3ac874515919f5 Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Sun, 9 Nov 2014 15:18:18 -0800
Subject: make sure to specify HostKeyAlgorithms for ssh and rsync. this is
 needed because otherwise you can't connect to a server that has ecdsa host
 key if all you have is an rsa key host key. closes bug #6337

---
 lib/leap_cli/commands/shell.rb      |  3 +++
 lib/leap_cli/config/node.rb         |  9 +++++++++
 lib/leap_cli/ssh_key.rb             | 17 +++++++++++++++++
 lib/leap_cli/util/remote_command.rb |  3 +++
 4 files changed, 32 insertions(+)

diff --git a/lib/leap_cli/commands/shell.rb b/lib/leap_cli/commands/shell.rb
index 2138e9d..a7a0d85 100644
--- a/lib/leap_cli/commands/shell.rb
+++ b/lib/leap_cli/commands/shell.rb
@@ -62,6 +62,9 @@ module LeapCli; module Commands
     else
       options << "-o 'StrictHostKeyChecking=yes'"
     end
+    if !node.supported_ssh_host_key_algorithms.empty?
+      options << "-o 'HostKeyAlgorithms=#{node.supported_ssh_host_key_algorithms}'"
+    end
     username = 'root'
     if LeapCli.log_level >= 3
       options << "-vv"
diff --git a/lib/leap_cli/config/node.rb b/lib/leap_cli/config/node.rb
index 30af5d1..fe685cf 100644
--- a/lib/leap_cli/config/node.rb
+++ b/lib/leap_cli/config/node.rb
@@ -63,6 +63,15 @@ module LeapCli; module Config
     def test_dependencies
       []
     end
+
+    # returns a string list of supported ssh host key algorithms for this node.
+    # or an empty string if it could not be determined
+    def supported_ssh_host_key_algorithms
+      @host_key_algo ||= SshKey.supported_host_key_algorithms(
+        Util.read_file([:node_ssh_pub_key, @node.name])
+      )
+    end
+
   end
 
 end; end
diff --git a/lib/leap_cli/ssh_key.rb b/lib/leap_cli/ssh_key.rb
index 3cbeddd..5a7ac23 100644
--- a/lib/leap_cli/ssh_key.rb
+++ b/lib/leap_cli/ssh_key.rb
@@ -107,6 +107,23 @@ module LeapCli
       return keys.map{|k| SshKey.load(k[1], k[0])}
     end
 
+    #
+    # takes a string with one or more ssh keys, one key per line,
+    # and returns a string that specified the ssh key algorithms
+    # that are supported by the keys, in order of preference.
+    #
+    # eg: ecdsa-sha2-nistp256,ssh-rsa,ssh-ed25519
+    #
+    def self.supported_host_key_algorithms(string)
+      if string
+        self.parse_keys(string).map {|key|
+          key.type
+        }.join(',')
+      else
+        ""
+      end
+    end
+
     ##
     ## INSTANCE METHODS
     ##
diff --git a/lib/leap_cli/util/remote_command.rb b/lib/leap_cli/util/remote_command.rb
index 2dd22ca..16d2b22 100644
--- a/lib/leap_cli/util/remote_command.rb
+++ b/lib/leap_cli/util/remote_command.rb
@@ -149,6 +149,9 @@ module LeapCli; module Util; module RemoteCommand
         opts[:verbose] = :error # suppress all the warnings about adding host keys to known_hosts, since it is not actually doing that.
       end
     end
+    if !node.supported_ssh_host_key_algorithms.empty?
+      opts[:host_key] = node.supported_ssh_host_key_algorithms
+    end
     return opts
   end
 
-- 
cgit v1.2.3