Merge pull request #6 from DivineOmega/feature/fingerprint

SSH server fingerprinting

Author: DivineOmega

README.md

@@ -15,6 +15,8 @@ composer require divineomega/php-ssh-connection
 
 ## Usage
 
+See the following basic usage instructions.
+
 ```php
 $connection = (new SSHConnection())
             ->to('test.rebex.net')
@@ -32,3 +34,21 @@ $command->getError();   // ''
 $connection->upload($localPath, $remotePath);
 $connection->download($remotePath, $localPath);
 ```
+
+For security, you can fingerprint the remote server and verify the fingerprint remain the same 
+upon each subsequent connection.
+
+```php
+$fingerprint = $connection->fingerprint();
+
+if ($newConnection->fingerprint() != $fingerprint) {
+    throw new Exception('Fingerprint does not match!');
+}
+```
+
+If you wish, you can specify the type of fingerprint you wish to retrieve.
+
+```php
+$md5Fingerprint  = $connection->fingerprint(SSHConnection::FINGERPRINT_MD5); // default
+$sha1Fingerprint = $connection->fingerprint(SSHConnection::FINGERPRINT_SHA1);
+```

src/SSHConnection.php

@@ -10,6 +10,9 @@
 
 class SSHConnection
 {
+    const FINGERPRINT_MD5 = 'md5';
+    const FINGERPRINT_SHA1 = 'sha1';
+
     private $hostname;
     private $port = 22;
     private $username;
@@ -112,6 +115,25 @@ public function run(string $command): SSHCommand
         return new SSHCommand($this->ssh, $command);
     }
 
+    public function fingerprint(string $type = self::FINGERPRINT_MD5)
+    {
+        if (!$this->connected) {
+            throw new RuntimeException('Unable to get fingerprint when not connected.');
+        }
+
+        $hostKey = substr($this->ssh->getServerPublicHostKey(), 8);
+
+        switch ($type) {
+            case 'md5':
+                return strtoupper(md5($hostKey));
+
+            case 'sha1':
+                return strtoupper(sha1($hostKey));
+        }
+
+        throw new InvalidArgumentException('Invalid fingerprint type specified.');
+    }
+
     public function upload(string $localPath, string $remotePath): bool
     {
         if (!$this->connected) {

tests/Integration/SSHConnectionTest.php

@@ -72,4 +72,92 @@ public function testSSHConnectionWithPassword()
         $this->assertEquals('', $command->getError());
         $this->assertEquals('', $command->getRawError());
     }
+
+    public function testMd5Fingerprint()
+    {
+        $connection1 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $connection2 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $this->assertEquals(
+            $connection1->fingerprint(SSHConnection::FINGERPRINT_MD5),
+            $connection2->fingerprint(SSHConnection::FINGERPRINT_MD5)
+        );
+    }
+
+    public function testSha1Fingerprint()
+    {
+        $connection1 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $connection2 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $this->assertEquals(
+            $connection1->fingerprint(SSHConnection::FINGERPRINT_SHA1),
+            $connection2->fingerprint(SSHConnection::FINGERPRINT_SHA1)
+        );
+    }
+
+    public function testMd5FingerprintFailure()
+    {
+        $connection1 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $connection2 = (new SSHConnection())
+            ->to('test.rebex.net')
+            ->onPort(22)
+            ->as('demo')
+            ->withPassword('password')
+            ->connect();
+
+        $this->assertNotEquals(
+            $connection1->fingerprint(SSHConnection::FINGERPRINT_MD5),
+            $connection2->fingerprint(SSHConnection::FINGERPRINT_MD5)
+        );
+    }
+
+    public function testSha1FingerprintFailure()
+    {
+        $connection1 = (new SSHConnection())
+            ->to('localhost')
+            ->onPort(22)
+            ->as('travis')
+            ->withPrivateKey('/home/travis/.ssh/id_rsa')
+            ->connect();
+
+        $connection2 = (new SSHConnection())
+            ->to('test.rebex.net')
+            ->onPort(22)
+            ->as('demo')
+            ->withPassword('password')
+            ->connect();
+
+        $this->assertNotEquals(
+            $connection1->fingerprint(SSHConnection::FINGERPRINT_SHA1),
+            $connection2->fingerprint(SSHConnection::FINGERPRINT_SHA1)
+        );
+    }
 }