core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/mkdocs.yml
Snider 9f4007c409 Remove StrictHostKeyChecking=no from SSH commands (#315) 
* Remove StrictHostKeyChecking=no and implement proper host key verification

This commit addresses security concerns from the OWASP audit by enforcing
strict host key verification for all SSH and SCP commands.

Key changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops.
- Removed insecure host key verification from pkg/ansible SSH client.
- Implemented a synchronous host key discovery mechanism during VM boot
  using ssh-keyscan to populate ~/.core/known_hosts.
- Updated the devops Boot lifecycle to wait until the host key is verified.
- Ensured pkg/ansible correctly handles missing known_hosts files.
- Refactored hardcoded SSH port 2222 to a package constant DefaultSSHPort.
- Added CORE_SKIP_SSH_SCAN environment variable for test environments.

* Remove StrictHostKeyChecking=no and implement proper host key verification

Addresses security concerns from OWASP audit by enforcing strict host key
verification.

Changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops.
- Removed insecure host key verification from pkg/ansible.
- Added synchronous host key discovery using ssh-keyscan during VM boot.
- Updated Boot lifecycle to wait for host key verification.
- Handled missing known_hosts file in pkg/ansible.
- Refactored hardcoded SSH port to DefaultSSHPort constant.
- Fixed formatting issues identified by QA check.

* Secure SSH commands and fix auto-merge CI failure

Addresses OWASP security audit by enforcing strict host key verification
and fixes a CI failure in the auto-merge workflow.

Key changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops.
- Removed insecure host key verification from pkg/ansible.
- Implemented synchronous host key discovery using ssh-keyscan during VM boot.
- Handled missing known_hosts file in pkg/ansible.
- Refactored hardcoded SSH port to DefaultSSHPort constant.
- Added pkg/ansible/ssh_test.go to verify SSH client initialization.
- Fixed formatting in pkg/io/local/client.go.
- Fixed auto-merge.yml by inlining the script and providing repository context
  to 'gh' command, resolving the "not a git repository" error in CI.

* Secure SSH, fix CI auto-merge, and resolve merge conflicts

This commit addresses the OWASP security audit by enforcing strict host key
verification and resolves persistent CI issues.

Security Changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops.
- Removed insecure host key verification from pkg/ansible.
- Implemented synchronous host key discovery using ssh-keyscan during VM boot.
- Updated Boot lifecycle to wait for host key verification.
- Handled missing known_hosts file in pkg/ansible.
- Refactored hardcoded SSH port to DefaultSSHPort constant.

CI and Maintenance:
- Fixed auto-merge.yml by inlining the script and adding repository context
  to 'gh' command, resolving the "not a git repository" error in CI.
- Resolved merge conflicts in .github/workflows/auto-merge.yml with dev branch.
- Added pkg/ansible/ssh_test.go for SSH client verification.
- Fixed formatting in pkg/io/local/client.go to pass QA checks.

* Secure SSH and TLS connections, and fix CI issues

Addresses security concerns from OWASP audit and CodeQL by enforcing strict
host key verification and TLS certificate verification.

Security Changes:
- Enforced strict SSH host key checking in pkg/container and devops.
- Removed insecure SSH host key verification from pkg/ansible.
- Added synchronous host key discovery during VM boot using ssh-keyscan.
- Updated UniFi client to enforce TLS certificate verification by default.
- Added --insecure flag and config option for UniFi to allow opt-in to
  skipping TLS verification for self-signed certificates.

CI and Maintenance:
- Fixed auto-merge workflow by providing repository context to 'gh' command.
- Resolved merge conflicts in .github/workflows/auto-merge.yml.
- Added unit tests for secured Ansible SSH client.
- Fixed formatting issues identified by QA checks.

* fix: gofmt alignment in cmd_config.go

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Secure connections, fix CI auto-merge, and resolve formatting

Addresses OWASP security audit and CodeQL security alerts by enforcing
secure defaults for SSH and TLS connections.

Key changes:
- Enforced strict SSH host key checking (StrictHostKeyChecking=yes).
- Implemented synchronous host key verification during VM boot using ssh-keyscan.
- Updated UniFi client to enforce TLS certificate verification by default.
- Added --insecure flag and config option for UniFi to allow opt-in to
  skipping TLS verification.
- Fixed auto-merge workflow by providing repository context to 'gh' command.
- Resolved merge conflicts in .github/workflows/auto-merge.yml.
- Fixed formatting in internal/cmd/unifi/cmd_config.go and pkg/io/local/client.go.
- Added unit tests for secured Ansible SSH client.

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Claude <developers@lethean.io>
2026-02-05 07:09:34 +00:00

104 lines
2.8 KiB
YAML
Raw Blame History

site_name: Core Framework
site_url: https://core.help
site_description: 'A Web3 Framework for building Go desktop applications with Wails v3'
site_author: 'Snider'
repo_url: 'https://github.com/host-uk/core'
repo_name: 'host-uk/core'
theme:
name: material
palette:
- scheme: default
primary: deep purple
accent: purple
toggle:
icon: material/brightness-7
name: Switch to dark mode
- scheme: slate
primary: deep purple
accent: purple
toggle:
icon: material/brightness-4
name: Switch to light mode
features:
- navigation.tabs
- navigation.sections
- navigation.expand
- navigation.top
- search.suggest
- search.highlight
- content.tabs.link
- content.code.copy
markdown_extensions:
- pymdownx.highlight:
anchor_linenums: true
- pymdownx.superfences
- pymdownx.tabbed:
alternate_style: true
- admonition
- pymdownx.details
- attr_list
- md_in_html
nav:
- Home: index.md
- User Documentation:
- User Guide: user-guide.md
- FAQ: faq.md
- Troubleshooting: troubleshooting.md
- Workflows: workflows.md
- CLI Reference:
- Overview: cmd/index.md
- AI: cmd/ai/index.md
- Build: cmd/build/index.md
- CI: cmd/ci/index.md
- Dev: cmd/dev/index.md
- Go: cmd/go/index.md
- PHP: cmd/php/index.md
- SDK: cmd/sdk/index.md
- Setup: cmd/setup/index.md
- Doctor: cmd/doctor/index.md
- Test: cmd/test/index.md
- VM: cmd/vm/index.md
- Pkg: cmd/pkg/index.md
- Docs: cmd/docs/index.md
- Getting Started:
- Installation: getting-started/installation.md
- Quick Start: getting-started/quickstart.md
- Architecture: getting-started/architecture.md
- Core Framework:
- Overview: core/overview.md
- Services: core/services.md
- Lifecycle: core/lifecycle.md
- IPC & Actions: core/ipc.md
- Services:
- Config: services/config.md
- Display: services/display.md
- WebView: services/webview.md
- MCP: services/mcp.md
- Crypt: services/crypt.md
- I18n: services/i18n.md
- IO: services/io.md
- Workspace: services/workspace.md
- Help: services/help.md
- Extensions:
- Plugin System: extensions/plugins.md
- Module System: extensions/modules.md
- GUI Application:
- Overview: gui/overview.md
- MCP Bridge: gui/mcp-bridge.md
- API Reference:
- Core: api/core.md
- Display: api/display.md
- Development:
- Package Standards: pkg/PACKAGE_STANDARDS.md
- Internationalization:
- Overview: pkg/i18n/README.md
- Grammar: pkg/i18n/GRAMMAR.md
- Extending: pkg/i18n/EXTENDING.md
- Claude Skill: skill/index.md
- Reference:
- Configuration: configuration.md
- Migration: migration.md
- Glossary: glossary.md
Reference in a new issue View git blame Copy permalink