?!

2025-06-13 21:54:13 +08:00 · 2023-01-16 12:52:33 +08:00 · 2023-01-16 12:52:33 +08:00 · 28a4e7d020
commit 28a4e7d020
parent 51f8d36daf
4 changed files with 35 additions and 22 deletions
--- a/docs/configuration/outbound/ssh.md
+++ b/docs/configuration/outbound/ssh.md
@ -12,9 +12,11 @@
  "private_key": "",
  "private_key_path": "$HOME/.ssh/id_rsa",
  "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",
-  "host_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH...",

  ... // Dial Fields
 }
@ -52,6 +54,10 @@ Private key path.

 Private key passphrase.

+#### host_key
+
+Host key. Accept any if empty.
+
 #### host_key_algorithms

 Host key algorithms.
@ -60,10 +66,6 @@ Host key algorithms.

 Client version. Random version will be used if empty.

-#### host_key
-
-Remote SSH host key. Accept any host key if empty.
-
 ### Dial Fields

 See [Dial Fields](/configuration/shared/dial) for details.
--- a/docs/configuration/outbound/ssh.zh.md
+++ b/docs/configuration/outbound/ssh.zh.md
@ -12,9 +12,11 @@
  "private_key": "",
  "private_key_path": "$HOME/.ssh/id_rsa",
  "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",
-  "host_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH...",

  ... // 拨号字段
 }
@ -52,6 +54,10 @@ SSH 用户, 默认使用 root。

 密钥密码。

+#### host_key
+
+主机密钥，留空接受所有。
+
 #### host_key_algorithms

 主机密钥算法。
@ -60,10 +66,6 @@ SSH 用户, 默认使用 root。

 客户端版本，默认使用随机值。

-#### host_key
-
-指定主机密钥，留空接受所有主机密钥.
-
 ### 拨号字段

 参阅 [拨号字段](/zh/configuration/shared/dial/)。
--- a/option/ssh.go
+++ b/option/ssh.go
@ -8,7 +8,7 @@ type SSHOutboundOptions struct {
 	PrivateKey           string           `json:"private_key,omitempty"`
 	PrivateKeyPath       string           `json:"private_key_path,omitempty"`
 	PrivateKeyPassphrase string           `json:"private_key_passphrase,omitempty"`
+	HostKey              Listable[string] `json:"host_key,omitempty"`
 	HostKeyAlgorithms    Listable[string] `json:"host_key_algorithms,omitempty"`
 	ClientVersion        string           `json:"client_version,omitempty"`
-	HostKey              string           `json:"host_key,omitempty"` 
 }
--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@ -1,10 +1,10 @@
 package outbound

 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"math/rand"
-	"errors"
 	"net"
 	"os"
 	"strconv"
@ -34,13 +34,13 @@ type SSH struct {
 	dialer            N.Dialer
 	serverAddr        M.Socksaddr
 	user              string
+	hostKey           []ssh.PublicKey
 	hostKeyAlgorithms []string
 	clientVersion     string
 	authMethod        []ssh.AuthMethod
 	clientAccess      sync.Mutex
 	clientConn        net.Conn
 	client            *ssh.Client
-	hostKey           string
 }

 func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.SSHOutboundOptions) (*SSH, error) {
@ -58,7 +58,6 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		user:              options.User,
 		hostKeyAlgorithms: options.HostKeyAlgorithms,
 		clientVersion:     options.ClientVersion,
-		hostKey:           options.HostKey,
 	}
 	if outbound.serverAddr.Port == 0 {
 		outbound.serverAddr.Port = 22
@ -95,6 +94,15 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		}
 		outbound.authMethod = append(outbound.authMethod, ssh.PublicKeys(signer))
 	}
+	if len(options.HostKey) > 0 {
+		for _, hostKey := range options.HostKey {
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostKey))
+			if err != nil {
+				return nil, E.New("parse host key ", key)
+			}
+			outbound.hostKey = append(outbound.hostKey, key)
+		}
+	}
 	return outbound, nil
 }

@ -108,11 +116,6 @@ func randomVersion() string {
 	return version
 }

-func keyString(k ssh.PublicKey) string {
-	// e.g. "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...."
-    return k.Type() + " " + base64.StdEncoding.EncodeToString(k.Marshal())
-}
-
 func (s *SSH) connect() (*ssh.Client, error) {
 	if s.client != nil {
 		return s.client, nil
@ -135,10 +138,16 @@ func (s *SSH) connect() (*ssh.Client, error) {
 		ClientVersion:     s.clientVersion,
 		HostKeyAlgorithms: s.hostKeyAlgorithms,
 		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
-			if s.hostKey != "" && s.hostKey != keyString(key) {
-				return errors.New("SSH Host key mismatch, expected: " + keyString(key) + " got: " + s.hostKey)
+			if len(s.hostKey) == 0 {
+				return nil
 			}
-			return nil
+			serverKey := key.Marshal()
+			for _, hostKey := range s.hostKey {
+				if bytes.Equal(serverKey, hostKey.Marshal()) {
+					return nil
+				}
+			}
+			return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
 		},
 	}
 	clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)