#15708 add ssh bypass host verification option (#15721)

plugins/org.jkiss.dbeaver.net.ssh.jsch/src/org/jkiss/dbeaver/model/net/ssh/SSHImplementationJsch.java

@@ -102,7 +102,7 @@ public class SSHImplementationJsch extends SSHImplementationAbstract {
 
                 session.setUserInfo(userInfo);
 
-                if (DBWorkbench.getPlatform().getApplication().isHeadlessMode()) {
+                if (DBWorkbench.getPlatform().getApplication().isHeadlessMode() || configuration.getBooleanProperty(SSHConstants.PROP_BYPASS_HOST_VERIFICATION)) {
                     session.setConfig("StrictHostKeyChecking", "no");
                 } else {
                     File knownHosts = SSHUtils.getKnownSshHostsFileOrNull();

plugins/org.jkiss.dbeaver.net.ssh.sshj/src/org/jkiss/dbeaver/model/net/ssh/SSHImplementationSshj.java

@@ -66,7 +66,7 @@ public class SSHImplementationSshj extends SSHImplementationAbstract {
             sshClient = new SSHClient(clientConfig);
 
             try {
-                if (DBWorkbench.getPlatform().getApplication().isHeadlessMode()) {
+                if (DBWorkbench.getPlatform().getApplication().isHeadlessMode() || configuration.getBooleanProperty(SSHConstants.PROP_BYPASS_HOST_VERIFICATION)) {
                     sshClient.addHostKeyVerifier(new PromiscuousVerifier());
                 } else {
                     File knownHostsFile = SSHUtils.getKnownSshHostsFileOrDefault();

plugins/org.jkiss.dbeaver.net.ssh.ui/src/org/jkiss/dbeaver/ui/net/ssh/SSHTunnelConfiguratorUI.java

@@ -74,6 +74,7 @@ public class SSHTunnelConfiguratorUI implements IObjectPropertyConfigurator<DBWH
     private Button jumpServerEnabledCheck;
 
     private Combo tunnelImplCombo;
+    private Button fingerprintVerificationCheck;
     private Text localHostText;
     private Text localPortSpinner;
     private Text remoteHostText;
@@ -142,7 +143,6 @@ public class SSHTunnelConfiguratorUI implements IObjectPropertyConfigurator<DBWH
 
             tunnelImplCombo = UIUtils.createLabelCombo(client, SSHUIMessages.model_ssh_configurator_label_implementation, SWT.DROP_DOWN | SWT.READ_ONLY);
             GridData gd = new GridData(GridData.HORIZONTAL_ALIGN_BEGINNING);
-            gd.horizontalSpan = 3;
             tunnelImplCombo.setLayoutData(gd);
             tunnelImplCombo.addSelectionListener(new SelectionAdapter() {
                 @Override
@@ -154,6 +154,12 @@ public class SSHTunnelConfiguratorUI implements IObjectPropertyConfigurator<DBWH
                 tunnelImplCombo.add(it.getLabel());
             }
 
+            fingerprintVerificationCheck = UIUtils.createCheckbox(client, SSHUIMessages.model_ssh_configurator_label_bypass_verification, false);
+            GridData cgd = new GridData(GridData.FILL_HORIZONTAL);
+            cgd.horizontalSpan = 2;
+            fingerprintVerificationCheck.setLayoutData(cgd);
+            fingerprintVerificationCheck.setToolTipText(SSHUIMessages.model_ssh_configurator_label_bypass_verification_description);
+
             localHostText = UIUtils.createLabelText(client, SSHUIMessages.model_ssh_configurator_label_local_host, null, SWT.BORDER, new GridData(GridData.FILL_HORIZONTAL));
             localHostText.setToolTipText(SSHUIMessages.model_ssh_configurator_label_local_host_description);
             localHostText.setLayoutData(new GridData(GridData.FILL_HORIZONTAL));
@@ -305,7 +311,9 @@ public class SSHTunnelConfiguratorUI implements IObjectPropertyConfigurator<DBWH
                 tunnelImplCombo.select(0);
             }
         }
-
+        
+        fingerprintVerificationCheck.setSelection(configuration.getBooleanProperty(SSHConstants.PROP_BYPASS_HOST_VERIFICATION));
+        
         localHostText.setText(CommonUtils.notEmpty(configuration.getStringProperty(SSHConstants.PROP_LOCAL_HOST)));
         int lpValue = configuration.getIntProperty(SSHConstants.PROP_LOCAL_PORT);
         if (lpValue != 0) {
@@ -357,6 +365,8 @@ public class SSHTunnelConfiguratorUI implements IObjectPropertyConfigurator<DBWH
                 break;
             }
         }
+        
+        configuration.setProperty(SSHConstants.PROP_BYPASS_HOST_VERIFICATION, fingerprintVerificationCheck.getSelection());
 
         configuration.setProperty(SSHConstants.PROP_LOCAL_HOST, localHostText.getText().trim());
         int localPort = CommonUtils.toInt(localPortSpinner.getText());

plugins/org.jkiss.dbeaver.net.ssh.ui/src/org/jkiss/dbeaver/ui/net/ssh/SSHUIMessages.java

@@ -45,6 +45,8 @@ public class SSHUIMessages extends NLS {
 	public static String model_ssh_configurator_label_remote_port_description;
     public static String model_ssh_configurator_label_keep_alive;
 	public static String model_ssh_configurator_label_tunnel_timeout;
+	public static String model_ssh_configurator_label_bypass_verification;
+	public static String model_ssh_configurator_label_bypass_verification_description;
 	public static String model_ssh_configurator_button_test_tunnel;
 	public static String model_ssh_configurator_combo_agent;
 	public static String model_ssh_configurator_group_jump_server_settings_text;

plugins/org.jkiss.dbeaver.net.ssh.ui/src/org/jkiss/dbeaver/ui/net/ssh/SSHUIMessages.properties

@@ -51,6 +51,10 @@ model_ssh_configurator_label_tunnel_timeout = Tunnel connect timeout (ms)
 
 model_ssh_configurator_label_user_name = User Name
 
+model_ssh_configurator_label_bypass_verification = Bypass host verification (INSECURE)
+
+model_ssh_configurator_label_bypass_verification_description = Disable remote host fingerprint verification may lead to Man-In-The-Middle attack and compromise your data.
+
 model_ssh_configurator_group_jump_server_settings_text = Jump server settings
 
 model_ssh_configurator_group_jump_server_checkbox_label = Use jump server

plugins/org.jkiss.dbeaver.net.ssh.ui/src/org/jkiss/dbeaver/ui/net/ssh/SSHUIMessages_ru.properties

@@ -47,6 +47,10 @@ model_ssh_configurator_label_tunnel_timeout = \u0422\u0430\u0439\u043C-\u0430\u0
 
 model_ssh_configurator_label_user_name = \u0418\u043C\u044F \u043F\u043E\u043B\u044C\u0437-\u043B\u044F
 
+model_ssh_configurator_label_bypass_verification = \u041F\u0440\u043E\u043F\u0443\u0441\u0442\u0438\u0442\u044C \u0432\u0435\u0440\u0438\u0444\u0438\u043A\u0430\u0446\u0438\u044E \u0445\u043E\u0441\u0442\u0430 (\u041D\u0415\u0411\u0415\u0417\u041E\u041F\u0410\u0421\u041D\u041E)
+
+model_ssh_configurator_label_bypass_verification_description = \u041E\u0442\u043A\u043B\u044E\u0447\u0435\u043D\u0438\u0435 \u043F\u0440\u043E\u0432\u0435\u0440\u043A\u0438 \u0438\u0434\u0435\u043D\u0442\u0438\u0447\u043D\u043E\u0441\u0442\u0438 \u0443\u0434\u0430\u043B\u0435\u043D\u043D\u043E\u0433\u043E \u0445\u043E\u0441\u0442\u0430 \u043C\u043E\u0436\u0435\u0442 \u043F\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043A \u0430\u0442\u0430\u043A\u0435 Man-In-The-Middle \u0438 \u0441\u043A\u043E\u043C\u043F\u0440\u043E\u043C\u0435\u0442\u0438\u0440\u043E\u0432\u0430\u0442\u044C \u0432\u0430\u0448\u0438 \u0434\u0430\u043D\u043D\u044B\u0435.
+
 model_ssh_configurator_group_jump_server_settings_text = \u041D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0438 jump \u0441\u0435\u0440\u0432\u0435\u0440\u0430
 
 model_ssh_configurator_group_jump_server_checkbox_label = \u0418\u0441\u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u044C jump \u0441\u0435\u0440\u0432\u0435\u0440

plugins/org.jkiss.dbeaver.net.ssh/src/org/jkiss/dbeaver/model/net/ssh/SSHConstants.java

@@ -38,6 +38,7 @@ public class SSHConstants {
     public static final String PROP_LOCAL_PORT = "localPort";
     public static final String PROP_REMOTE_HOST = "remoteHost";
     public static final String PROP_REMOTE_PORT = "remotePort";
+    public static final String PROP_BYPASS_HOST_VERIFICATION = "bypassHostVerification";
     //private static final int CONNECT_TIMEOUT = 10000;
 
     public enum AuthType {