SSH host-key mode (--hostkey) for first-contact workflows#38
Merged
Conversation
Adds an SshHostKeyMode (only-existing / accept-new / accept-all) on ExecuteRequest, a --hostkey CLI flag, and a matching guard_run MCP tool argument. When binary==ssh, the daemon folds the mode into the command once (right after verb rendering) by prepending the corresponding -o options, so the policy decision, the evaluator, the audit record, and the spawned process all act on the identical command. only-existing (default) injects nothing and preserves ssh's strict host-key checking. accept-new injects StrictHostKeyChecking=accept-new and UpdateHostKeys=yes, both of which the read-only fast-path allow-list already vets, so a fixed diagnostic still qualifies. accept-all injects StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null; it forfeits the deterministic fast path both because that value fails the allow-list and via an explicit guard, so giving up host authentication always goes through the evaluator. The daemon spawns ssh, so the systemd unit now pins HOME to the state directory and pre-creates .ssh for accept-new to record keys into. Tested: injection per mode, non-ssh no-op, fast-path reconciliation (accept-new keeps it, accept-all forfeits), and MCP arg/schema.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an ssh host-key mode so a guarded ssh command can accept a new host on first contact without hand-editing known_hosts. An SshHostKeyMode (only-existing, accept-new, accept-all) rides on the request via a --hostkey CLI flag and a matching guard_run MCP argument; when the binary is ssh the daemon folds the mode into the command once, right after verb rendering, by prepending the corresponding -o options, so the policy decision, the evaluator, the audit record, and the spawned process all act on the identical command. only-existing (default) injects nothing and preserves ssh's strict checking; accept-new injects StrictHostKeyChecking=accept-new and UpdateHostKeys=yes, both already vetted by the read-only fast-path allow-list so a fixed diagnostic still qualifies; accept-all injects StrictHostKeyChecking=no and forfeits the deterministic fast path both because that value fails the allow-list and via an explicit guard, so giving up host authentication always goes through the evaluator. Since the daemon spawns ssh, the systemd unit now pins HOME to the state directory and pre-creates .ssh for accept-new to record into. Covered by tests for per-mode injection, the non-ssh no-op, fast-path reconciliation, and the MCP argument and schema.