From 3d3e933f48a2bfeab7e7dcb4d9223a222a98325a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mi=C5=82osz=20Sm=C3=B3=C5=82ka?= Date: Tue, 29 Jan 2019 10:44:23 +0100 Subject: [PATCH] Add host key hash verify --- builder/hyperone/token_by_ssh.go | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/builder/hyperone/token_by_ssh.go b/builder/hyperone/token_by_ssh.go index 158572cbd..ae1da04d2 100644 --- a/builder/hyperone/token_by_ssh.go +++ b/builder/hyperone/token_by_ssh.go @@ -1,6 +1,9 @@ package hyperone import ( + "crypto/sha1" + "encoding/hex" + "fmt" "io/ioutil" "net" "os" @@ -14,6 +17,7 @@ import ( const ( sshAddress = "api.hyperone.com:22" sshSubsystem = "rbx-auth" + hostKeyHash = "3e2aa423d42d7e8b14d50625512c8ac19db767ed" ) type sshData struct { @@ -33,7 +37,14 @@ func fetchTokenBySSH(user string) (string, error) { Auth: []ssh.AuthMethod{ sshAgent(), }, - HostKeyCallback: ssh.InsecureIgnoreHostKey(), + HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error { + hash := sha1Sum(key) + if hash != hostKeyHash { + return fmt.Errorf("invalid host key hash: %s", hash) + } + + return nil + }, } client, err := ssh.Dial("tcp", sshAddress, sshConfig) @@ -71,3 +82,8 @@ func fetchTokenBySSH(user string) (string, error) { return data.ID, nil } + +func sha1Sum(pubKey ssh.PublicKey) string { + sum := sha1.Sum(pubKey.Marshal()) + return hex.EncodeToString(sum[:]) +}
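Review bot: The pinned `hostKeyHash` constant carries no comment saying which host key type it was taken from or how it was computed, so nobody can verify it against the provider or regenerate it after a rotation. Because it is a hex SHA-1 of the key's wire-format blob (see `sha1Sum` further down), it does not match the base64 fingerprints `ssh-keygen -l` prints, which makes independent verification harder than it needs to be. I would add above the constant something like `// hostKeyHash is the hex SHA-1 of api.hyperone.com's <keytype> host key blob; regenerate with: ssh-keyscan -t <keytype> api.hyperone.com | awk '{print $3}' | base64 -d | sha1sum` (the key type is not recoverable from this patch, so fill it in). A second sentence noting that a host key rotation by the provider breaks this builder until the constant is updated would save the next person a debugging session.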
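Review bot: The new `HostKeyCallback` pins one hash but the `ssh.ClientConfig` does not set `HostKeyAlgorithms`, so which server host key is presented depends on the client's default preference order; if api.hyperone.com serves more than one host key type (or adds one later), negotiation can select a key other than the pinned one and every connection fails with "invalid host key hash" even though the pinned key is still valid. Set `HostKeyAlgorithms: []string{"<type of the pinned key>"}` in the same config so negotiation is forced to the pinned key. If the full public key can be embedded instead of a hash, `ssh.FixedHostKey(pinnedKey)` from the same package (available in x/crypto for some time, please confirm for this module's version) compares the whole key and removes the custom callback. The error would also be more actionable as `fmt.Errorf("host key %s mismatch: got %s, want %s", key.Type(), hash, hostKeyHash)`. `fetchTokenBySSH` begins before and ends after this hunk.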
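Review bot: `sha1Sum` introduces a SHA-1 fingerprint scheme where the ssh package already provides `ssh.FingerprintSHA256(key)`, which returns the `SHA256:<base64>` form that `ssh-keygen -l` prints and that providers publish; using it would let operators verify the pin by eye and drop the `crypto/sha1`, `encoding/hex` and `fmt` imports plus this helper. SHA-1's weakness is collision (not second-preimage) and the key is public, so this is not an immediate break, but it is a legacy choice to bake into a new pin. If the helper stays, it needs a doc comment, e.g. `// sha1Sum returns the lowercase hex SHA-1 of pubKey's wire-format encoding (pubKey.Marshal()), which appears to be the same blob ssh-keygen fingerprints.`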