linuxserver
Implement StrictHostKeyChecking for SFTP
When I first started writing davos (it was originally a redo of auto-ftp), I envisaged it as a pet project to help home my skills in various libraries and frameworks. I liked Spring; Java is my language of choice, and we toyed with file transfers a fair bit at work. I wanted to see if I could incorporate these into a single app.
However, I cut some corners during the initial coding and hard coded the StrictHostKeyChecking to "no", just so I could minimise the amount of effort required to get SFTP up and running.
Since davos appears to have kicked off a little bit, I should really take this as a priority to change as it leaves users vulnerable to Man-in-the-middle attacks.
My proposed solution is to make use of an app-specific known_hosts file in /config and save the host keys there. Verification will take place on the Edit Host screen and new hosts will require this verification to take place by the user (via a confirm box).
I am trying to work out the best way for existing users to do this so if anyone has any ideas, I'm all ears.
