Replace WarningPolicy with interactive TOFU SSH host key verification

Author: JE-Chen

CLAUDE.md

@@ -113,7 +113,7 @@ All code must follow secure-by-default principles. Review every change against t
 
 ### Network requests (TLS / SSH)
 - All HTTPS requests must use default TLS verification — never set `verify=False`
-- SSH connections: `paramiko.AutoAddPolicy()` accepts any host key and is vulnerable to MITM. Document it as a known limitation in the SSH GUI. Prefer `paramiko.RejectPolicy()` or `paramiko.WarningPolicy()` when non-interactive verification is possible; at minimum, warn the user on first connection to an unknown host
+- SSH connections: never use `paramiko.AutoAddPolicy()` or `paramiko.WarningPolicy()` — both silently accept unknown host keys and are vulnerable to MITM. Use `InteractiveHostKeyPolicy` from `pybreeze.pybreeze_ui.connect_gui.ssh.ssh_host_key_policy` (via `apply_host_key_policy(client, parent_widget)`), which prompts the user with the SHA256 fingerprint on first connection and persists confirmed keys to `~/.pybreeze/ssh_known_hosts`
 
 ### Subprocess execution
 - Always pass argument lists to `subprocess.Popen` / `subprocess.run` — never `shell=True`

pybreeze/extend_multi_language/extend_english.py

@@ -101,6 +101,13 @@
     "test_pioneer_create_template_label": "Create TestPioneer Yaml template",
     "test_pioneer_run_yaml": "Execute Test Pioneer Yaml",
     "test_pioneer_not_choose_yaml": "Please choose a Yaml file",
+    # SSH host key verification
+    "ssh_host_key_policy_dialog_title_verify_host": "Verify SSH host key",
+    "ssh_host_key_policy_dialog_message_verify_host": (
+        "The authenticity of host '{host}' cannot be established.\n"
+        "{key_type} key fingerprint is {fingerprint}.\n\n"
+        "Do you want to trust this host and continue connecting?"
+    ),
     # SSH command widget
     "ssh_command_widget_window_title_ssh_command_widget": "SSH Command Widget",
     "ssh_command_widget_button_label_send_command": "Send",

pybreeze/extend_multi_language/extend_traditional_chinese.py

@@ -101,6 +101,13 @@
     "test_pioneer_create_template_label": "建立 TestPioneer Yaml 模板",
     "test_pioneer_run_yaml": "執行 Test Pioneer Yaml",
     "test_pioneer_not_choose_yaml": "請選擇 Yaml 檔案",
+    # SSH host key verification
+    "ssh_host_key_policy_dialog_title_verify_host": "驗證 SSH 主機金鑰",
+    "ssh_host_key_policy_dialog_message_verify_host": (
+        "無法驗證主機 '{host}' 的真實性。\n"
+        "{key_type} 金鑰指紋為 {fingerprint}。\n\n"
+        "是否信任此主機並繼續連線？"
+    ),
     # SSH command widget
     "ssh_command_widget_window_title_ssh_command_widget": "SSH 指令介面",
     "ssh_command_widget_button_label_send_command": "送出",

pybreeze/pybreeze_ui/connect_gui/ssh/ssh_command_widget.py

@@ -12,6 +12,7 @@
 )
 from je_editor import language_wrapper
 
+from pybreeze.pybreeze_ui.connect_gui.ssh.ssh_host_key_policy import apply_host_key_policy
 from pybreeze.pybreeze_ui.connect_gui.ssh.ssh_login_widget import LoginWidget
 from pybreeze.utils.logging.logger import pybreeze_logger
 
@@ -139,11 +140,8 @@ def connect_ssh(self):
 
         try:
             self.ssh_client = paramiko.SSHClient()
-            self.ssh_client.load_system_host_keys()
-            self.ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy())
-            pybreeze_logger.warning(
-                f"SSH connecting to {host}:{port} — host key will be accepted without verification"
-            )
+            apply_host_key_policy(self.ssh_client, self)
+            pybreeze_logger.info("SSH connecting to %s:%s", host, port)
 
             if use_key:
                 if not os.path.exists(key_path):

pybreeze/pybreeze_ui/connect_gui/ssh/ssh_file_viewer_widget.py

@@ -12,6 +12,7 @@
 )
 from je_editor import language_wrapper
 
+from pybreeze.pybreeze_ui.connect_gui.ssh.ssh_host_key_policy import apply_host_key_policy
 from pybreeze.pybreeze_ui.connect_gui.ssh.ssh_login_widget import LoginWidget
 from pybreeze.utils.logging.logger import pybreeze_logger
 
@@ -29,18 +30,16 @@ def __init__(self):
         self.root_path: str = "/"
 
     def connect(self, host: str, port: int, username: str, password: str,
-                use_key: bool = False, key_path: str = ""):
+                use_key: bool = False, key_path: str = "",
+                parent_widget: QWidget | None = None):
         """
         Establish SSH + SFTP connection.
         建立 SSH + SFTP 連線。
         """
         self.close()
         self._ssh = paramiko.SSHClient()
-        self._ssh.load_system_host_keys()
-        self._ssh.set_missing_host_key_policy(paramiko.WarningPolicy())
-        pybreeze_logger.warning(
-            f"SFTP connecting to {host}:{port} — host key will be accepted without verification"
-        )
+        apply_host_key_policy(self._ssh, parent_widget)
+        pybreeze_logger.info("SFTP connecting to %s:%s", host, port)
         if use_key and key_path:
             pkey = None
             for KeyType in (paramiko.RSAKey, paramiko.Ed25519Key, paramiko.ECDSAKey):
@@ -216,7 +215,7 @@ def _connect(self):
                 self.word_dict.get("ssh_file_viewer_dialog_message_missing_input"))
             return
         try:
-            self.client.connect(host, port, user, pwd, use_key, key_path)
+            self.client.connect(host, port, user, pwd, use_key, key_path, parent_widget=self)
             self.load_root("/")
         except Exception as e:
             QMessageBox.critical(

pybreeze/pybreeze_ui/connect_gui/ssh/ssh_host_key_policy.py

@@ -0,0 +1,111 @@
+"""Interactive SSH host key policy with persistent trust-on-first-use (TOFU).
+
+Replaces the MITM-prone ``paramiko.AutoAddPolicy`` / ``paramiko.WarningPolicy``:
+unknown host keys are shown to the user via a Qt dialog with their SHA256
+fingerprint, and only accepted on explicit confirmation. Confirmed hosts are
+persisted to ``~/.pybreeze/ssh_known_hosts`` so subsequent connections verify
+automatically.
+"""
+from __future__ import annotations
+
+import base64
+import hashlib
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+import paramiko
+from je_editor import language_wrapper
+from PySide6.QtWidgets import QMessageBox
+
+from pybreeze.utils.logging.logger import pybreeze_logger
+
+if TYPE_CHECKING:
+    from PySide6.QtWidgets import QWidget
+
+
+def _known_hosts_path() -> Path:
+    """Return the PyBreeze-managed known_hosts file path, ensuring the parent dir exists."""
+    home_dir = Path.home() / ".pybreeze"
+    home_dir.mkdir(parents=True, exist_ok=True)
+    return home_dir / "ssh_known_hosts"
+
+
+def _fingerprint_sha256(key: paramiko.PKey) -> str:
+    """Return an OpenSSH-style SHA256 fingerprint (``SHA256:base64`` without padding)."""
+    digest = hashlib.sha256(key.asbytes()).digest()
+    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode("ascii")
+
+
+class InteractiveHostKeyPolicy(paramiko.MissingHostKeyPolicy):
+    """Policy that prompts the user to verify unknown host keys.
+
+    Accepted keys are persisted so later connections pass through ``RejectPolicy``-like
+    strictness automatically. Declined keys abort the connection with ``SSHException``.
+    """
+
+    def __init__(self, parent: QWidget | None = None) -> None:
+        super().__init__()
+        self._parent = parent
+        self._word_dict = language_wrapper.language_word_dict
+
+    def missing_host_key(
+        self,
+        client: paramiko.SSHClient,
+        hostname: str,
+        key: paramiko.PKey,
+    ) -> None:
+        fingerprint = _fingerprint_sha256(key)
+        key_type = key.get_name()
+
+        title = self._word_dict.get(
+            "ssh_host_key_policy_dialog_title_verify_host",
+            "Verify SSH host key",
+        )
+        message_template = self._word_dict.get(
+            "ssh_host_key_policy_dialog_message_verify_host",
+            "The authenticity of host '{host}' cannot be established.\n"
+            "{key_type} key fingerprint is {fingerprint}.\n\n"
+            "Do you want to trust this host and continue connecting?",
+        )
+        message = message_template.format(
+            host=hostname, key_type=key_type, fingerprint=fingerprint
+        )
+
+        box = QMessageBox(self._parent)
+        box.setIcon(QMessageBox.Icon.Warning)
+        box.setWindowTitle(title)
+        box.setText(message)
+        box.setStandardButtons(QMessageBox.StandardButton.Yes | QMessageBox.StandardButton.No)
+        box.setDefaultButton(QMessageBox.StandardButton.No)
+        response = box.exec()
+
+        if response != QMessageBox.StandardButton.Yes:
+            pybreeze_logger.warning(
+                "SSH host key for %s rejected by user (%s)", hostname, fingerprint
+            )
+            raise paramiko.SSHException(
+                f"Host key for {hostname} rejected by user."
+            )
+
+        client.get_host_keys().add(hostname, key_type, key)
+        try:
+            client.save_host_keys(str(_known_hosts_path()))
+        except OSError as err:
+            pybreeze_logger.warning(
+                "Failed to persist SSH host key for %s: %s", hostname, err
+            )
+        pybreeze_logger.info(
+            "SSH host key for %s accepted and stored (%s)", hostname, fingerprint
+        )
+
+
+def apply_host_key_policy(client: paramiko.SSHClient, parent: QWidget | None) -> None:
+    """Load known hosts and attach the interactive TOFU policy to *client*."""
+    client.load_system_host_keys()
+    known_hosts = _known_hosts_path()
+    if known_hosts.is_file():
+        try:
+            client.load_host_keys(str(known_hosts))
+        except OSError as err:
+            pybreeze_logger.warning("Failed to load PyBreeze known_hosts: %s", err)
+    client.set_missing_host_key_policy(InteractiveHostKeyPolicy(parent))