From ad74157b85063b031545ee14d79af3ead060abcf Mon Sep 17 00:00:00 2001
From: Sudhar Krishnakumar
Date: Tue, 31 Dec 2024 13:02:14 -0500
Subject: [PATCH] Fixed security issue raised by CI, by removing ssh.InsecureIgnoreHostKey(), and instead using known_hosts file for host-key verification.
---
 ipu-plugin/pkg/ipuplugin/lifecycleservice.go | 21 +++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/ipu-plugin/pkg/ipuplugin/lifecycleservice.go b/ipu-plugin/pkg/ipuplugin/lifecycleservice.go
index a9c3117..173b965 100644
--- a/ipu-plugin/pkg/ipuplugin/lifecycleservice.go
+++ b/ipu-plugin/pkg/ipuplugin/lifecycleservice.go
@@ -29,6 +29,8 @@ import (
 "strings"
 "time"
 
+ kh "golang.org/x/crypto/ssh/knownhosts"
+
 "github.com/intel/ipu-opi-plugins/ipu-plugin/pkg/p4rtclient"
 "github.com/intel/ipu-opi-plugins/ipu-plugin/pkg/types"
 "github.com/intel/ipu-opi-plugins/ipu-plugin/pkg/utils"
@@ -953,12 +955,29 @@ func skipIMCReboot() (bool, string) {
 // The param(acc_apf) appears in 3 lines in that file, and we run
 // the command to fetch the value in the second line.
 func queryNumAccApfsInIMCConfig() (int, error) {
+
+ log.Infof("queryNumAccApfsInIMCConfig")
+ //remove duplicate entries, and ensure host-key(ssh-keyscan) is present.
+ sshCmds := "ssh-keygen -R 192.168.0.1; ssh-keyscan 192.168.0.1 >> /root/.ssh/known_hosts"
+
+ _, err := utils.ExecuteScript(sshCmds)
+ if err != nil {
+ log.Errorf("error->%v, for ssh key commands->%v", err, sshCmds)
+ return 0, fmt.Errorf("error->%v, for ssh key commands->%v", err, sshCmds)
+ }
+
+ hostKeyCallback, err := kh.New("/root/.ssh/known_hosts")
+ if err != nil {
+ log.Errorf("error->%v, unable to create hostkeycallback function: ", err)
+ return 0, fmt.Errorf("error->%v, unable to create hostkeycallback function: ", err)
+ }
+
 config := &ssh.ClientConfig{
 User: "root",
 Auth: []ssh.AuthMethod{
 ssh.Password(""),
 },
- HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+ HostKeyCallback: hostKeyCallback,
 }
 
 // Connect to the remote server.
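Review bot: The `ssh-keygen -R 192.168.0.1; ssh-keyscan 192.168.0.1 >> /root/.ssh/known_hosts` step at the top of queryNumAccApfsInIMCConfig deletes any stored key and then records whatever key the host answering at that address presents, immediately before `kh.New` reads the file, so the callback only confirms a key that was just learned over the same unauthenticated path. That gives no more host authentication than the removed `ssh.InsecureIgnoreHostKey()` while satisfying the CI check, and it repeats on every call. I would drop the `sshCmds` / `utils.ExecuteScript` lines and keep only `hostKeyCallback, err := kh.New("/root/.ssh/known_hosts")` against a file whose IMC entry is provisioned out of band (or pin the key with `ssh.FixedHostKey`), so that a changed key fails the connection instead of being re-learned. The function's body continues past the end of the hunk.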