add support for option to ignore unknown host warning
It's quite common that you connect to a server for the first time, and you get the "unknown host" warning:
The authenticity of host '1.2.3.4' can't be established. ... Are you sure you want to continue connecting (yes/no)?
This is a serious problem, because you get an interactive prompt that makes the jcabi library fail because it cannot establish a connection:
java.io.IOException: com.jcraft.jsch.JSchException: Algorithm negotiation fail
In ssh, you can bypass the host warning by passing the StrictHostKeyChecking option and another trick:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
Some kind of support for this would be needed for jcabi imo.
@yegor256 please pay attention to this issue (par.21)
@grexe we already solve this problem, see https://github.com/jcabi/jcabi-ssh/blob/1.5/src/main/java/com/jcabi/ssh/SSH.java#L260 and EasyRepo. I think that there is some other problem on your side.
I see - thanks for the info, I seem to have overlooked this, sorry.
One downside to the change made in 1.5 is that it always ignores the remote host public key now. This opens up applications that use this library to a MitM attack.
Could this be changed as an optional setting so the default secure setting is retained?
Ideally, $HOME/.ssh/known_hosts would be loaded as a default if it exists. If not, it would be nice to show example code on how to load a known host public key as trusted versus disabling the check altogether and opening up the user for MitM attacks.
This issue is not really solved until there's a way to properly validate the server host key (e.g. by specifying a known_hosts file content or letting the client implement the JSch HostKeyRepository interface).
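The host key validation requested in the last two comments, as an added example that is not part of the thread and not jcabi-ssh code: it calls JSch directly, trusts either a caller-supplied known_hosts line or $HOME/.ssh/known_hosts, and keeps StrictHostKeyChecking on. The class name, method name and command-line arguments are hypothetical.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;

public final class StrictHostKeyExample {
    /**
     * Opens a session that fails unless the server key matches a trusted entry.
     * @param pinned one line in known_hosts format ("host keytype base64key"),
     *               or null to fall back to $HOME/.ssh/known_hosts. For a port
     *               other than 22 the host field is written "[host]:port".
     */
    static Session connect(String host, int port, String user, File privateKey, String pinned)
            throws JSchException {
        JSch jsch = new JSch();
        File known = new File(System.getProperty("user.home"), ".ssh/known_hosts");
        if (pinned != null) {
            // Trust only the key the caller supplied.
            jsch.setKnownHosts(new ByteArrayInputStream(
                (pinned + "\n").getBytes(StandardCharsets.US_ASCII)));
        } else if (known.isFile()) {
            jsch.setKnownHosts(known.getAbsolutePath());
        }
        // With neither source the repository stays empty and every host is rejected.
        jsch.addIdentity(privateKey.getAbsolutePath());
        Session session = jsch.getSession(user, host, port);
        // "yes": an unknown or changed host key aborts the handshake with a
        // JSchException instead of prompting or being silently accepted.
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(10_000);
        return session;
    }

    public static void main(String[] args) {
        // Hypothetical usage: <host> <user> <private-key-file> [known_hosts line]
        String pinned = args.length > 3 ? args[3] : null;
        try {
            Session s = connect(args[0], 22, args[1], new File(args[2]), pinned);
            System.out.println("verified " + s.getHostKey().getType() + " key for " + args[0]);
            s.disconnect();
        } catch (JSchException ex) {
            System.err.println("connect failed: " + ex.getMessage());
        }
    }
}
```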