testing/safekeep: ssh StrictHostKeyChecking configurable

patch from Safekeep master branch

2 files changed, 101 insertions, 3 deletions

diff --git a/testing/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch b/testing/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch
new file mode 100644
index 0000000000..c0004fcf30
--- /dev/null
+++ b/testing/safekeep/0001-ssh.strict_hostkey_checking-configurable.patch
@@ -0,0 +1,95 @@
+From 5d66f5106e77c378e387c9c9159a3fdc150b0818 Mon Sep 17 00:00:00 2001
+From: Henrik Riomar <henrik.riomar@gmail.com>
+Date: Sun, 19 Feb 2017 21:10:27 +0100
+Subject: [PATCH] ssh.strict_hostkey_checking configurable
+
+Make ssh StrictHostKeyChecking configurable in safekeep.conf with
+'ask' as default if not configured.
+---
+ doc/safekeep.conf.txt |  9 +++++++++
+ safekeep              | 14 +++++++++++---
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/doc/safekeep.conf.txt b/doc/safekeep.conf.txt
+index 43fff57..11f6876 100644
+--- a/doc/safekeep.conf.txt
++++ b/doc/safekeep.conf.txt
+@@ -151,6 +151,15 @@ ssh.keygen.bits::
+ 	option with no corresponding bit size.
+ 	This value is optional, it defaults to '4096'.
+ 
++ssh.strict_hostkey_checking::
++	Specifies if StrictHostKeyChecking should be performed by the ssh
++	client when connecting to the remote host.
++	This value is optional, it defaults to 'ask'.
++	Set to 'yes' if you sign host keys with a CA key or manage host keys
++	by other means (FreeIPA/sssd, Ansible,,,).
++	Setting this to 'no' is a bit unsafe as new hosts are automatically
++	added to known_hosts without any validation.
++
+ NOTES
+ -----
+ Safekeep uses `trickle` to implement bandwidth throttling (see
+diff --git a/safekeep b/safekeep
+index 4cbf374..43b6cd1 100755
+--- a/safekeep
++++ b/safekeep
+@@ -79,6 +79,8 @@ ssh_keygen_type = 'rsa'
+ ssh_keygen_bits = 4096
+ SSH_TYPES = ['dsa', 'rsa', 'ed25519', 'ecdsa']
+ SSH_KEY_TYPES = ['ssh-dss', 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521']
++ssh_StrictHostKeyChecking = 'ask'
++SSH_STRICT_HOSTKEY_CHECK_OPTS = ['ask', 'yes', 'no' ]
+ # Default mount options, overridden elsewhere:
+ # Key is a file system type, or 'snapshot' for default for snapshot mount
+ # or 'bind' for a bind mount (check mount for details)
+@@ -1548,7 +1550,7 @@ def do_server_rdiff(cfg, bdir, nice, ionice, force):
+     args.extend(['rdiff-backup'])
+ 
+     if cfg['host']:
+-        basessh = 'ssh -oStrictHostKeyChecking=no'
++        basessh = 'ssh -oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking)
+         if cfg['port']: basessh += ' -p %s' % cfg['port']
+         schema = '%s %s -i %s %%s rdiff-backup --server' % (basessh, verbosity_ssh, cfg['key_data'])
+         args.extend(['--remote-schema', schema])
+@@ -1694,6 +1696,7 @@ def do_server(cfgs, ids, nice, ionice, force, cleanup):
+                 cmd.extend(['ssh'])
+                 if verbosity_ssh: cmd.extend([verbosity_ssh])
+                 if cfg['port']: cmd.extend(['-p', cfg['port']])
++                cmd.extend(['-oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking)])
+                 cmd.extend(['-T', '-i', cfg['key_ctrl'], '-l', cfg['user'], cfg['host']])
+             cmd.extend(['safekeep', '--client'])
+ 
+@@ -1977,7 +1980,7 @@ def do_keys(cfgs, ids, nice_rem, identity, status, dump, deploy):
+         if dump:
+             print output
+ 
+-        basessh = ['ssh', '-oStrictHostKeyChecking=no']
++        basessh = ['ssh', '-oStrictHostKeyChecking=%s' % (ssh_StrictHostKeyChecking) ]
+         if cfg['port']: basessh.append('-p %s' % cfg['port'])
+         if identity: basessh.append('-i %s' % (commands.mkarg(identity)))
+ 
+@@ -2306,7 +2309,7 @@ def main():
+                 default_snapshot += 'FREE'
+             client_defaults.append('snapshot.size=%s' % default_snapshot)
+ 
+-        global ssh_keygen_type, ssh_keygen_bits
++        global ssh_keygen_type, ssh_keygen_bits, ssh_StrictHostKeyChecking
+         if 'ssh.keygen.type' in props:
+             ssh_keygen_type = props['ssh.keygen.type']
+             if ssh_keygen_type not in SSH_TYPES:
+@@ -2324,6 +2327,11 @@ def main():
+             else:
+                 # For cases where no bit size is required
+                 ssh_keygen_bits = 0
++        if 'ssh.strict_hostkey_checking' in props:
++                ssh_StrictHostKeyChecking = props['ssh.strict_hostkey_checking']
++                if ssh_StrictHostKeyChecking not in SSH_STRICT_HOSTKEY_CHECK_OPTS:
++                    error('CONFIG ERROR: invalid ssh.strict_hostkey_checking value: %s' % props['ssh.strict_hostkey_checking'])
++                    sys.exit(2)
+ 
+         if len(cfglocs) == 0:
+             locs = os.path.join(os.path.dirname(cfgfile), 'backup.d')
+-- 
+2.1.4
+
diff --git a/testing/safekeep/APKBUILD b/testing/safekeep/APKBUILD
index a81c0edc5a..17f044d7b2 100644
--- a/testing/safekeep/APKBUILD
+++ b/testing/safekeep/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Henrik Riomar <henrik.riomar@gmail.com>
 pkgname=safekeep
 pkgver=1.4.4
-pkgrel=0
+pkgrel=1
 pkgdesc="SafeKeep backup system"
 url="https://github.com/dimipaun/safekeep"
 arch="noarch"
@@ -11,7 +11,9 @@ depends="openssh-client python2 rdiff-backup util-linux"
 makedepends="asciidoc libxml2-utils xmlto"
 install="$pkgname-server.post-install"
 subpackages="$pkgname-doc $pkgname-client $pkgname-server"
-source="$pkgname-$pkgver.tar.gz::https://github.com/dimipaun/$pkgname/archive/$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/dimipaun/$pkgname/archive/$pkgver.tar.gz
+	0001-ssh.strict_hostkey_checking-configurable.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 build() {
@@ -47,4 +49,5 @@ package() {
 	make install DESTDIR="$pkgdir" || return 1
 }
 
-sha512sums="2afdf6784ef2033032978554bc4b8703be86b5dde92795f1b7efe0099fc4cd35d215bc390e9b9ee3b3e396435ab1168a81dad1c7051861fb584a31749e63c68d  safekeep-1.4.4.tar.gz"
+sha512sums="2afdf6784ef2033032978554bc4b8703be86b5dde92795f1b7efe0099fc4cd35d215bc390e9b9ee3b3e396435ab1168a81dad1c7051861fb584a31749e63c68d  safekeep-1.4.4.tar.gz
+c4576c6aad11b70b3e3fbd43a726dcc9f41e6a607281178f30605ff0812833e09efc97d46dda68c89d6e1586e9dc01a74f38484c625f64d084f11f4d806e1e25  0001-ssh.strict_hostkey_checking-configurable.patch"