authorDavid Pursell <dpursell@chromium.org>2015-06-03 13:41:02 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-06-07 19:08:53 +0000
commita7cd8659cddbb20b5c2072d590df79573809cbc6 (patch)
treeb99c9f3a73088ea1d02be03e6a8ea3145c3e56f1 /cli/cros/cros_shell.py
parent4f3fe0952154703d2e0ebd6099fc63b545b2f514 (diff)
cros shell: Disable known_hosts for USB connections.
known_hosts isn't necessary for the USB link since there's no real risk of a man-in-the-middle attack. Additionally, our USB connection reuses the same IP address for each device so it triggers a false warning whenever switching devices. This CL adds support to remote_access for indicating when a device is attached over USB, and disables known_hosts automatically in cros shell in this case. BUG=brillo:1170 TEST=cbuildbot/run_tests TEST=`brillo shell --debug` to confirm known_hosts isn't used TEST=cros shell <ip> # modify ~/.ssh/known_hosts to corrupt identity cros shell <ip> # still gives known_hosts warning as expected Change-Id: If8c95ce2a25d829954bc4a68788d2d4b1511a4d1 Reviewed-on: https://chromium-review.googlesource.com/275355 Trybot-Ready: David Pursell <dpursell@chromium.org> Reviewed-by: Yiming Chen <yimingc@chromium.org> Commit-Queue: David Pursell <dpursell@chromium.org> Tested-by: David Pursell <dpursell@chromium.org>
Diffstat (limited to 'cli/cros/cros_shell.py')
-rw-r--r--cli/cros/cros_shell.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/cli/cros/cros_shell.py b/cli/cros/cros_shell.py
index ed2a3f0d5..b5c29f22e 100644
--- a/cli/cros/cros_shell.py
+++ b/cli/cros/cros_shell.py
@@ -81,7 +81,8 @@ Quoting can be tricky; the rules are the same as with ssh:
help='SSH identify file (private key).')
parser.add_argument(
'--no-known-hosts', action='store_false', dest='known_hosts',
- default=True, help='Do not use a known_hosts file.')
+ default=True, help='Do not use a known_hosts file; always set'
+ ' for USB connections.')
parser.add_argument(
'command', nargs=argparse.REMAINDER,
help='(optional) Command to execute on the device.')
@@ -105,7 +106,10 @@ Quoting can be tricky; the rules are the same as with ssh:
def _ConnectSettings(self):
"""Generates the correct SSH connect settings based on our state."""
kwargs = {'NumberOfPasswordPrompts': 2}
- if self.known_hosts:
+ # USB has no risk of a man-in-the-middle attack so we can turn off
+ # known_hosts for any USB connection.
+ if (self.known_hosts and
+ self.device.connection_type != remote_access.CONNECTION_TYPE_USB):
# Use the default known_hosts and our current key check setting.
kwargs['UserKnownHostsFile'] = None
kwargs['StrictHostKeyChecking'] = self.host_key_checking
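Review bot: The new condition in `_ConnectSettings` makes host-key verification depend entirely on `self.device.connection_type`, and nothing in the hunk shows how that value is established. The commit message says the USB link reuses one IP address for every device, so if the type is inferred from the address rather than from the physical interface, any other host answering at that address would also be reached without a known_hosts check; this is worth confirming in remote_access. I would record the assumption next to the existing comment, e.g. `# Relies on remote_access reporting CONNECTION_TYPE_USB only for a physically attached device.`, and emit a debug-level log line when the check is skipped so the bypass shows up in `--debug` output. The rest of the function, including which settings apply when this branch is not taken, lies outside the hunk.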