Add SSH host key pinning support

Add GenerateHostKeyPair for in-memory ECDSA P-256 host key generation,
WithHostKey client option for ssh.FixedHostKey verification, and
HostKey field on sshd.Config for injected host keys. The guest boot
sequence loads a host key from disk, deletes the file, and passes
the signer to the SSH server. All changes are backward-compatible
with nil/zero-value fallbacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

guest/boot/boot.go

@@ -86,6 +86,23 @@ func Run(logger *slog.Logger, opts ...Option) (shutdown func(), err error) {
 		return nil, fmt.Errorf("parsing authorized keys: %w", err)
 	}
 
+	// 7b. Load injected host key (if present). The key is deleted from
+	// disk after loading into memory so it cannot be read by the sandbox
+	// user. If the file does not exist, hostKeySigner remains nil and the
+	// SSH server will generate an ephemeral key.
+	var hostKeySigner ssh.Signer
+	if hostKeyPEM, readErr := os.ReadFile(cfg.sshHostKeyPath); readErr == nil {
+		signer, parseErr := ssh.ParsePrivateKey(hostKeyPEM)
+		if parseErr != nil {
+			logger.Warn("failed to parse injected host key, falling back to ephemeral",
+				"path", cfg.sshHostKeyPath, "error", parseErr)
+		} else {
+			hostKeySigner = signer
+			logger.Info("loaded injected SSH host key", "path", cfg.sshHostKeyPath)
+		}
+		_ = os.Remove(cfg.sshHostKeyPath)
+	}
+
 	// 8. Drop unneeded capabilities from the bounding set.
 	logger.Info("dropping unnecessary capabilities")
 	if err := harden.DropBoundingCaps(
@@ -113,6 +130,7 @@ func Run(logger *slog.Logger, opts ...Option) (shutdown func(), err error) {
 		DefaultShell:    cfg.userShell,
 		DefaultWorkDir:  cfg.workspaceMountPoint,
 		AgentForwarding: cfg.sshAgentForwarding,
+		HostKey:         hostKeySigner,
 		Logger:          logger,
 	}
 	srv, err := sshd.New(sshdCfg)

guest/boot/options.go

@@ -23,6 +23,7 @@ type config struct {
 	mountRetries        int
 	sshPort             int
 	sshKeysPath         string
+	sshHostKeyPath      string
 	envFilePath         string
 	userName            string
 	userHome            string
@@ -42,6 +43,7 @@ func defaultConfig() *config {
 		mountRetries:        5,
 		sshPort:             22,
 		sshKeysPath:         "/home/sandbox/.ssh/authorized_keys",
+		sshHostKeyPath:      "/etc/ssh/ssh_host_ecdsa_key",
 		envFilePath:         "/etc/sandbox-env",
 		userName:            "sandbox",
 		userHome:            "/home/sandbox",
@@ -98,6 +100,14 @@ func WithLockdownRoot(enabled bool) Option {
 	return optionFunc(func(c *config) { c.lockdownRoot = enabled })
 }
 
+// WithSSHHostKeyPath sets the path to a PEM-encoded host private key
+// injected into the guest rootfs. If the file exists at boot, the key
+// is loaded into memory, the file is deleted, and the key is used as
+// the SSH server's host key (enabling client-side pinning).
+func WithSSHHostKeyPath(path string) Option {
+	return optionFunc(func(c *config) { c.sshHostKeyPath = path })
+}
+
 // WithSSHAgentForwarding controls whether the SSH server supports
 // agent forwarding. When enabled and the client requests it, the
 // server creates a Unix socket and sets SSH_AUTH_SOCK for the session.

guest/sshd/server.go

@@ -66,6 +66,11 @@ type Config struct {
 	// per-session agent sockets.
 	AgentForwarding bool
 
+	// HostKey is an optional pre-generated host key signer. When non-nil,
+	// the server uses this key instead of generating an ephemeral one.
+	// This enables host key pinning by the client.
+	HostKey ssh.Signer
+
 	// Logger is the structured logger. If nil, slog.Default() is used.
 	Logger *slog.Logger
 }
@@ -112,18 +117,23 @@ func New(cfg Config) (*Server, error) {
 		},
 	}
 
-	// Generate an ephemeral ECDSA P-256 host key.
-	hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("generate host key: %w", err)
-	}
+	if cfg.HostKey != nil {
+		// Use the injected host key (enables client-side pinning).
+		sshCfg.AddHostKey(cfg.HostKey)
+	} else {
+		// Generate an ephemeral ECDSA P-256 host key.
+		hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, fmt.Errorf("generate host key: %w", err)
+		}
 
-	signer, err := ssh.NewSignerFromKey(hostKey)
-	if err != nil {
-		return nil, fmt.Errorf("create host key signer: %w", err)
-	}
+		signer, err := ssh.NewSignerFromKey(hostKey)
+		if err != nil {
+			return nil, fmt.Errorf("create host key signer: %w", err)
+		}
 
-	sshCfg.AddHostKey(signer)
+		sshCfg.AddHostKey(signer)
+	}
 
 	return &Server{
 		cfg:      cfg,

ssh/client.go

@@ -45,6 +45,17 @@ func (s *sshSessionAdapter) SetStderr(w io.Writer) { s.sess.Stderr = w }
 func (s *sshSessionAdapter) SetStdin(r io.Reader)  { s.sess.Stdin = r }
 func (s *sshSessionAdapter) Close() error          { return s.sess.Close() }
 
+// ClientOption configures optional Client behavior.
+type ClientOption func(*Client)
+
+// WithHostKey pins the expected SSH host key. When set, the client uses
+// ssh.FixedHostKey for host key verification instead of accepting any key.
+func WithHostKey(pubKey ssh.PublicKey) ClientOption {
+	return func(c *Client) {
+		c.expectedHostKey = pubKey
+	}
+}
+
 // Client provides a high-level SSH interface for communicating with a
 // microVM guest.
 type Client struct {
@@ -53,6 +64,11 @@ type Client struct {
 	user    string
 	keyPath string
 
+	// expectedHostKey, when non-nil, enables host key pinning via
+	// ssh.FixedHostKey. When nil, InsecureIgnoreHostKey is used for
+	// backward compatibility.
+	expectedHostKey ssh.PublicKey
+
 	// readFile reads a file from disk. Defaults to os.ReadFile.
 	// Injected for testability.
 	readFile func(string) ([]byte, error)
@@ -68,7 +84,8 @@ type Client struct {
 
 // NewClient creates a new SSH Client configured to connect to the given
 // host and port using the specified user and private key file.
-func NewClient(host string, port uint16, user, keyPath string) *Client {
+// Options are applied after defaults to allow host key pinning, etc.
+func NewClient(host string, port uint16, user, keyPath string, opts ...ClientOption) *Client {
 	c := &Client{
 		host:      host,
 		port:      port,
@@ -77,6 +94,9 @@ func NewClient(host string, port uint16, user, keyPath string) *Client {
 		readFile:  os.ReadFile,
 		writeFile: os.WriteFile,
 	}
+	for _, o := range opts {
+		o(c)
+	}
 	c.createSession = func(ctx context.Context) (remoteSession, func(), error) {
 		sess, client, err := c.newSession(ctx)
 		if err != nil {
@@ -278,13 +298,20 @@ func (c *Client) sshConfig() (*ssh.ClientConfig, error) {
 		return nil, fmt.Errorf("parse SSH key %s: %w", c.keyPath, err)
 	}
 
+	var hostKeyCallback ssh.HostKeyCallback
+	if c.expectedHostKey != nil {
+		hostKeyCallback = ssh.FixedHostKey(c.expectedHostKey)
+	} else {
+		//nolint:gosec // Backward compat when host key not available.
+		hostKeyCallback = ssh.InsecureIgnoreHostKey()
+	}
+
 	return &ssh.ClientConfig{
 		User: c.user,
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
-		//nolint:gosec // We trust the VM we just created; host key checking is unnecessary.
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyCallback: hostKeyCallback,
 		Timeout:         defaultSSHTimeout,
 	}, nil
 }

ssh/client_test.go

@@ -491,3 +491,109 @@ func TestSSHConfig_ValidKeyParsing(t *testing.T) {
 	assert.Equal(t, "testuser", config.User)
 	assert.NotEmpty(t, config.Auth)
 }
+
+func TestWithHostKey_SetsExpectedHostKey(t *testing.T) {
+	t.Parallel()
+
+	_, pubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	c := NewClient("127.0.0.1", 22, "user", "/tmp/key", WithHostKey(pubKey))
+	assert.NotNil(t, c.expectedHostKey)
+	assert.Equal(t, pubKey.Marshal(), c.expectedHostKey.Marshal())
+}
+
+func TestWithHostKey_NilFallback(t *testing.T) {
+	t.Parallel()
+
+	// No options → expectedHostKey should be nil.
+	c := NewClient("127.0.0.1", 22, "user", "/tmp/key")
+	assert.Nil(t, c.expectedHostKey)
+}
+
+func TestSSHConfig_WithHostKey_AcceptsMatchingKey(t *testing.T) {
+	t.Parallel()
+
+	keyDir := t.TempDir()
+	privKeyPath, _, err := GenerateKeyPair(keyDir)
+	require.NoError(t, err)
+
+	_, hostPubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	c := &Client{
+		host:            "testhost",
+		port:            2222,
+		user:            "testuser",
+		keyPath:         privKeyPath,
+		readFile:        os.ReadFile,
+		expectedHostKey: hostPubKey,
+	}
+
+	config, err := c.sshConfig()
+	require.NoError(t, err)
+	require.NotNil(t, config.HostKeyCallback)
+
+	// Matching key should be accepted.
+	err = config.HostKeyCallback("testhost:2222", nil, hostPubKey)
+	assert.NoError(t, err, "matching host key should be accepted")
+}
+
+func TestSSHConfig_WithHostKey_RejectsMismatchedKey(t *testing.T) {
+	t.Parallel()
+
+	keyDir := t.TempDir()
+	privKeyPath, _, err := GenerateKeyPair(keyDir)
+	require.NoError(t, err)
+
+	_, hostPubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	// Generate a different key to simulate an impersonator.
+	_, wrongPubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	c := &Client{
+		host:            "testhost",
+		port:            2222,
+		user:            "testuser",
+		keyPath:         privKeyPath,
+		readFile:        os.ReadFile,
+		expectedHostKey: hostPubKey,
+	}
+
+	config, err := c.sshConfig()
+	require.NoError(t, err)
+	require.NotNil(t, config.HostKeyCallback)
+
+	// Mismatched key should be rejected.
+	err = config.HostKeyCallback("testhost:2222", nil, wrongPubKey)
+	assert.Error(t, err, "mismatched host key should be rejected")
+}
+
+func TestSSHConfig_WithoutHostKey_AcceptsAnyKey(t *testing.T) {
+	t.Parallel()
+
+	keyDir := t.TempDir()
+	privKeyPath, _, err := GenerateKeyPair(keyDir)
+	require.NoError(t, err)
+
+	c := &Client{
+		host:     "testhost",
+		port:     2222,
+		user:     "testuser",
+		keyPath:  privKeyPath,
+		readFile: os.ReadFile,
+	}
+
+	config, err := c.sshConfig()
+	require.NoError(t, err)
+	require.NotNil(t, config.HostKeyCallback)
+
+	// Without host key pinning, any key should be accepted.
+	_, anyPubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	err = config.HostKeyCallback("testhost:2222", nil, anyPubKey)
+	assert.NoError(t, err, "insecure callback should accept any key")
+}

ssh/keygen.go

@@ -73,6 +73,33 @@ func GenerateKeyPair(keyDir string) (privateKeyPath, publicKeyPath string, err e
 	return privateKeyPath, publicKeyPath, nil
 }
 
+// GenerateHostKeyPair generates an ECDSA P-256 host key pair in memory.
+// It returns the private key as PEM-encoded bytes and the corresponding
+// SSH public key. No files are written to disk.
+func GenerateHostKeyPair() (privateKeyPEM []byte, publicKey ssh.PublicKey, err error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, fmt.Errorf("generate host ECDSA key: %w", err)
+	}
+
+	derBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, nil, fmt.Errorf("marshal host private key: %w", err)
+	}
+
+	pemBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: derBytes,
+	}
+
+	pubKey, err := ssh.NewPublicKey(&key.PublicKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("convert to SSH public key: %w", err)
+	}
+
+	return pem.EncodeToMemory(pemBlock), pubKey, nil
+}
+
 // GetPublicKeyContent reads an SSH public key file and returns its content
 // as a string suitable for inclusion in authorized_keys.
 func GetPublicKeyContent(publicKeyPath string) (string, error) {

ssh/keygen_test.go

@@ -4,6 +4,7 @@
 package ssh
 
 import (
+	"encoding/pem"
 	"os"
 	"path/filepath"
 	"strings"
@@ -138,3 +139,53 @@ func TestGenerateKeyPair_CreatesKeyDirectory(t *testing.T) {
 	assert.FileExists(t, privPath)
 	assert.FileExists(t, pubPath)
 }
+
+func TestGenerateHostKeyPair_Success(t *testing.T) {
+	t.Parallel()
+
+	pemBytes, pubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	// PEM should be parseable.
+	block, rest := pem.Decode(pemBytes)
+	require.NotNil(t, block, "PEM block should not be nil")
+	assert.Equal(t, "EC PRIVATE KEY", block.Type)
+	assert.Empty(t, rest, "no trailing data after PEM block")
+
+	// PEM should be parseable as an SSH private key.
+	signer, err := gossh.ParsePrivateKey(pemBytes)
+	require.NoError(t, err)
+	assert.NotNil(t, signer)
+
+	// Public key should be non-nil and ECDSA P-256.
+	require.NotNil(t, pubKey)
+	assert.Equal(t, "ecdsa-sha2-nistp256", pubKey.Type())
+}
+
+func TestGenerateHostKeyPair_Unique(t *testing.T) {
+	t.Parallel()
+
+	pem1, pub1, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	pem2, pub2, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	assert.NotEqual(t, pem1, pem2, "private keys should differ")
+	assert.NotEqual(t, pub1.Marshal(), pub2.Marshal(), "public keys should differ")
+}
+
+func TestGenerateHostKeyPair_RoundTrip(t *testing.T) {
+	t.Parallel()
+
+	pemBytes, pubKey, err := GenerateHostKeyPair()
+	require.NoError(t, err)
+
+	// Parse the PEM back and verify the public key matches.
+	signer, err := gossh.ParsePrivateKey(pemBytes)
+	require.NoError(t, err)
+
+	signerPub := signer.PublicKey()
+	assert.Equal(t, pubKey.Type(), signerPub.Type())
+	assert.Equal(t, pubKey.Marshal(), signerPub.Marshal())
+}