v4.3.18: Read IdentityFile from SSH config + configurable host key policy

SSH tunnel now reads IdentityFile directives from ~/.ssh/config and passes
them as key_filename to paramiko.SSHClient.connect(). Host-specific keys
are tried first, then wildcard entries. Non-existent files are skipped.
look_for_keys=False is maintained to prevent blind scanning of ~/.ssh/.
Auth order: key_filename (specific->wildcard) -> agent -> password.

New host_key_policy setting in [ssh tunnels] config section:
- auto-add (default): accept unknown keys and add to known_hosts (TOFU)
- warn: accept unknown keys but log a warning
- reject: only connect to hosts already in ~/.ssh/known_hosts

Made with ❤️ and 🤖 Claude

Author: DiegoDAF

pgcli/main.py

@@ -309,6 +309,7 @@ def __init__(
             dsn_ssh_tunnel_config=c.get("dsn ssh tunnels"),
             logger=self.logger,
             allow_agent=str(ssh_tunnels_config.get("allow_agent", "True")).lower() == "true",
+            host_key_policy=str(ssh_tunnels_config.get("host_key_policy", "auto-add")).lower(),
         )
         self.ssh_tunnel = None
 

pgcli/pgclirc

@@ -311,6 +311,11 @@ float = ""
 # Use SSH agent for key authentication (default: True)
 # Set to False if you want to use only keys specified in ~/.ssh/config
 allow_agent = True
+# SSH host key verification policy (default: auto-add)
+# auto-add = accept unknown host keys and add to known_hosts (TOFU)
+# warn     = accept unknown host keys but log a warning
+# reject   = only connect to hosts already in ~/.ssh/known_hosts
+host_key_policy = auto-add
 
 # ^example.*\.host$ = myuser:mypasswd@my.tunnel.com:4000
 # .*\.net = another.tunnel.com

pgcli/ssh_tunnel.py

@@ -79,6 +79,12 @@ class _NativeSSHTunnel:
     Binds a local TCP port and forwards connections through an SSH channel.
     """
 
+    HOST_KEY_POLICIES = {
+        "auto-add": paramiko.AutoAddPolicy,
+        "warn": paramiko.WarningPolicy,
+        "reject": paramiko.RejectPolicy,
+    }
+
     def __init__(
         self,
         ssh_hostname: str,
@@ -89,6 +95,8 @@ def __init__(
         ssh_password: Optional[str] = None,
         ssh_proxy: Optional[Any] = None,
         allow_agent: bool = True,
+        key_filenames: Optional[list] = None,
+        host_key_policy: str = "auto-add",
         logger: Optional[logging.Logger] = None,
     ):
         self.ssh_hostname = ssh_hostname
@@ -99,6 +107,8 @@ def __init__(
         self.ssh_password = ssh_password
         self.ssh_proxy = ssh_proxy
         self.allow_agent = allow_agent
+        self.key_filenames = key_filenames
+        self.host_key_policy = host_key_policy
         self.logger = logger or logging.getLogger(__name__)
 
         self._ssh_client: Optional[paramiko.SSHClient] = None
@@ -120,7 +130,8 @@ def start(self):
         """Start SSH connection and local forwarding server."""
         self._ssh_client = paramiko.SSHClient()
         self._ssh_client.load_system_host_keys()
-        self._ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        policy_cls = self.HOST_KEY_POLICIES.get(self.host_key_policy, paramiko.AutoAddPolicy)
+        self._ssh_client.set_missing_host_key_policy(policy_cls())
 
         connect_kwargs: dict[str, Any] = {
             "hostname": self.ssh_hostname,
@@ -131,6 +142,8 @@ def start(self):
             "compress": False,
             "timeout": 10,
         }
+        if self.key_filenames:
+            connect_kwargs["key_filename"] = self.key_filenames
         if self.ssh_password:
             connect_kwargs["password"] = self.ssh_password
         if self.ssh_proxy:
@@ -189,6 +202,7 @@ def __init__(
         dsn_ssh_tunnel_config: Optional[dict] = None,
         logger: Optional[logging.Logger] = None,
         allow_agent: bool = True,
+        host_key_policy: str = "auto-add",
     ):
         """
         Initialize SSH tunnel manager.
@@ -199,13 +213,15 @@ def __init__(
             dsn_ssh_tunnel_config: Dict of dsn_regex -> tunnel_url mappings
             logger: Logger instance for debug output
             allow_agent: Whether to allow SSH agent for key authentication (default True)
+            host_key_policy: SSH host key policy: 'auto-add', 'warn', or 'reject' (default 'auto-add')
         """
         self.ssh_tunnel_url = ssh_tunnel_url
         self.ssh_tunnel_config = ssh_tunnel_config or {}
         self.dsn_ssh_tunnel_config = dsn_ssh_tunnel_config or {}
         self.logger = logger or logging.getLogger(__name__)
         self.tunnel: Optional[_NativeSSHTunnel] = None
         self.allow_agent = allow_agent
+        self.host_key_policy = host_key_policy
 
     def find_tunnel_url(
         self,
@@ -289,10 +305,14 @@ def start_tunnel(
         ssh_username = tunnel_info.username
         ssh_proxy = None
 
-        # Read SSH config manually to get username/port/proxycommand
-        # but NOT IdentityFile (which would cause passphrase prompts).
-        # We rely on ssh-agent for key authentication instead.
+        # Read SSH config for username/port/proxycommand/identityfile.
+        # IdentityFile entries are read in order (host-specific first, wildcard after)
+        # and passed as key_filename to paramiko. Paramiko tries each key in order,
+        # skipping any that fail (e.g. passphrase-protected without agent).
+        # look_for_keys remains False to prevent blind scanning of ~/.ssh/.
+        # Auth order: key_filename (specific->wildcard) -> agent -> password
         ssh_config_path = os.path.expanduser("~/.ssh/config")
+        key_filenames = []
         if ssh_hostname and os.path.isfile(ssh_config_path):
             try:
                 ssh_config = paramiko.SSHConfig()
@@ -307,16 +327,21 @@ def start_tunnel(
                 proxycommand = host_config.get("proxycommand")
                 if proxycommand:
                     ssh_proxy = paramiko.ProxyCommand(proxycommand)
+                identity_files = host_config.get("identityfile", [])
+                key_filenames = [os.path.expanduser(f) for f in identity_files
+                                 if os.path.isfile(os.path.expanduser(f))]
+                if key_filenames:
+                    self.logger.debug("SSH identity files from config: %s", key_filenames)
             except Exception as e:
                 self.logger.warning("Could not read SSH config: %s", e)
 
         if not ssh_username:
             ssh_username = getpass.getuser()
 
         self.logger.debug(
-            "Creating SSH tunnel: %s@%s:%d -> %s:%d (allow_agent=%s)",
+            "Creating SSH tunnel: %s@%s:%d -> %s:%d (allow_agent=%s, key_files=%d)",
             ssh_username, ssh_hostname, ssh_port, host, int(port),
-            self.allow_agent,
+            self.allow_agent, len(key_filenames),
         )
 
         try:
@@ -329,6 +354,8 @@ def start_tunnel(
                 ssh_password=tunnel_info.password,
                 ssh_proxy=ssh_proxy,
                 allow_agent=self.allow_agent,
+                key_filenames=key_filenames or None,
+                host_key_policy=self.host_key_policy,
                 logger=self.logger,
             )
             tunnel.start()
@@ -377,11 +404,13 @@ def get_tunnel_manager_from_config(
     # Extract allow_agent from ssh tunnels config (default True)
     ssh_tunnels_config = config.get("ssh tunnels", {})
     allow_agent = str(ssh_tunnels_config.get("allow_agent", "True")).lower() == "true"
+    host_key_policy = str(ssh_tunnels_config.get("host_key_policy", "auto-add")).lower()
 
     return SSHTunnelManager(
         ssh_tunnel_url=ssh_tunnel_url,
         ssh_tunnel_config=ssh_tunnels_config,
         dsn_ssh_tunnel_config=config.get("dsn ssh tunnels"),
         logger=logger,
         allow_agent=allow_agent,
+        host_key_policy=host_key_policy,
     )

tests/test_ssh_tunnel.py

@@ -1,7 +1,8 @@
 import logging
 import os
-from unittest.mock import patch, MagicMock, ANY, call
+from unittest.mock import patch, MagicMock, ANY, call, mock_open
 
+import paramiko
 import pytest
 from configobj import ConfigObj
 from click.testing import CliRunner
@@ -544,6 +545,176 @@ def test_proxy_command_passed(self, mock_native_tunnel):
         connect_kwargs = mock_native_tunnel["client"].connect.call_args[1]
         assert connect_kwargs["sock"] is mock_proxy
 
+    def test_key_filenames_passed_to_connect(self, mock_native_tunnel):
+        """Test that key_filenames are passed as key_filename to connect()."""
+        key_files = ["/home/user/.ssh/id_ed25519", "/home/user/.ssh/id_rsa"]
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion",
+            ssh_port=22,
+            remote_host="db.internal",
+            remote_port=5432,
+            ssh_username="testuser",
+            key_filenames=key_files,
+        )
+        tunnel.start()
+
+        connect_kwargs = mock_native_tunnel["client"].connect.call_args[1]
+        assert connect_kwargs["key_filename"] == key_files
+        assert connect_kwargs["look_for_keys"] is False  # Still disabled
+
+    def test_no_key_filenames_omits_key_filename(self, mock_native_tunnel):
+        """Test that key_filename is NOT passed when key_filenames is None."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion",
+            ssh_port=22,
+            remote_host="db.internal",
+            remote_port=5432,
+            ssh_username="testuser",
+        )
+        tunnel.start()
+
+        connect_kwargs = mock_native_tunnel["client"].connect.call_args[1]
+        assert "key_filename" not in connect_kwargs
+
+    def test_host_key_policy_auto_add(self, mock_native_tunnel):
+        """Test that auto-add policy sets AutoAddPolicy."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion", ssh_port=22,
+            remote_host="db.internal", remote_port=5432,
+            host_key_policy="auto-add",
+        )
+        tunnel.start()
+        policy_arg = mock_native_tunnel["client"].set_missing_host_key_policy.call_args[0][0]
+        assert isinstance(policy_arg, paramiko.AutoAddPolicy)
+
+    def test_host_key_policy_warn(self, mock_native_tunnel):
+        """Test that warn policy sets WarningPolicy."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion", ssh_port=22,
+            remote_host="db.internal", remote_port=5432,
+            host_key_policy="warn",
+        )
+        tunnel.start()
+        policy_arg = mock_native_tunnel["client"].set_missing_host_key_policy.call_args[0][0]
+        assert isinstance(policy_arg, paramiko.WarningPolicy)
+
+    def test_host_key_policy_reject(self, mock_native_tunnel):
+        """Test that reject policy sets RejectPolicy."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion", ssh_port=22,
+            remote_host="db.internal", remote_port=5432,
+            host_key_policy="reject",
+        )
+        tunnel.start()
+        policy_arg = mock_native_tunnel["client"].set_missing_host_key_policy.call_args[0][0]
+        assert isinstance(policy_arg, paramiko.RejectPolicy)
+
+    def test_host_key_policy_default_is_auto_add(self, mock_native_tunnel):
+        """Test that default policy is auto-add."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion", ssh_port=22,
+            remote_host="db.internal", remote_port=5432,
+        )
+        tunnel.start()
+        policy_arg = mock_native_tunnel["client"].set_missing_host_key_policy.call_args[0][0]
+        assert isinstance(policy_arg, paramiko.AutoAddPolicy)
+
+    def test_host_key_policy_invalid_falls_back_to_auto_add(self, mock_native_tunnel):
+        """Test that invalid policy name falls back to AutoAddPolicy."""
+        tunnel = _NativeSSHTunnel(
+            ssh_hostname="bastion", ssh_port=22,
+            remote_host="db.internal", remote_port=5432,
+            host_key_policy="nonsense",
+        )
+        tunnel.start()
+        policy_arg = mock_native_tunnel["client"].set_missing_host_key_policy.call_args[0][0]
+        assert isinstance(policy_arg, paramiko.AutoAddPolicy)
+
+
+class TestSSHTunnelIdentityFile:
+    """Tests for IdentityFile reading from SSH config."""
+
+    def _make_manager_with_ssh_config(self, mock_native_tunnel, host_config, tunnel_url="ssh://bastion.example.com"):
+        """Helper: create manager, mock SSH config lookup, run start_tunnel."""
+        mock_ssh_config = MagicMock()
+        mock_ssh_config.lookup.return_value = host_config
+
+        # Determine which identity files "exist" on disk
+        existing_files = set(host_config.get("_existing_files", host_config.get("identityfile", [])))
+        existing_files.add("~/.ssh/config")  # SSH config always exists
+
+        manager = SSHTunnelManager(
+            ssh_tunnel_url=tunnel_url,
+            logger=logging.getLogger("test"),
+        )
+
+        with patch("pgcli.ssh_tunnel.os.path.expanduser", side_effect=lambda p: p), \
+             patch("pgcli.ssh_tunnel.os.path.isfile", side_effect=lambda p: p in existing_files), \
+             patch("pgcli.ssh_tunnel.paramiko.SSHConfig") as mock_config_cls, \
+             patch("builtins.open", mock_open(read_data="")):
+            mock_config_cls.return_value = mock_ssh_config
+            host, port = manager.start_tunnel(host="db.internal", port=5432)
+
+        return mock_native_tunnel["client"].connect.call_args[1]
+
+    def test_start_tunnel_reads_identity_files(self, mock_native_tunnel):
+        """Test that start_tunnel reads IdentityFile from SSH config and passes to connect."""
+        host_config = {
+            "hostname": "bastion.example.com",
+            "user": "tunneluser",
+            "identityfile": ["/home/user/.ssh/id_ed25519_specific", "/home/user/.ssh/id_rsa_wildcard"],
+        }
+
+        connect_kwargs = self._make_manager_with_ssh_config(mock_native_tunnel, host_config)
+
+        assert "key_filename" in connect_kwargs
+        assert connect_kwargs["key_filename"] == [
+            "/home/user/.ssh/id_ed25519_specific",
+            "/home/user/.ssh/id_rsa_wildcard",
+        ]
+        assert connect_kwargs["look_for_keys"] is False
+
+    def test_start_tunnel_skips_nonexistent_identity_files(self, mock_native_tunnel):
+        """Test that nonexistent IdentityFile entries are filtered out."""
+        host_config = {
+            "hostname": "bastion.example.com",
+            "identityfile": ["/home/user/.ssh/id_ed25519_exists", "/home/user/.ssh/id_rsa_missing"],
+            "_existing_files": ["/home/user/.ssh/id_ed25519_exists"],  # only this one exists
+        }
+
+        connect_kwargs = self._make_manager_with_ssh_config(mock_native_tunnel, host_config)
+
+        assert "key_filename" in connect_kwargs
+        assert connect_kwargs["key_filename"] == ["/home/user/.ssh/id_ed25519_exists"]
+
+    def test_start_tunnel_no_identity_files_omits_key_filename(self, mock_native_tunnel):
+        """Test that key_filename is omitted when SSH config has no IdentityFile."""
+        host_config = {
+            "hostname": "bastion.example.com",
+            "user": "tunneluser",
+        }
+
+        connect_kwargs = self._make_manager_with_ssh_config(mock_native_tunnel, host_config)
+
+        assert "key_filename" not in connect_kwargs
+
+    def test_identity_file_order_preserved(self, mock_native_tunnel):
+        """Test that IdentityFile order is preserved (host-specific first, wildcard after)."""
+        host_config = {
+            "hostname": "bastion.example.com",
+            "identityfile": [
+                "/home/user/.ssh/id_ed25519_host",   # host-specific (first)
+                "/home/user/.ssh/id_ed25519_global",  # wildcard (second)
+            ],
+        }
+
+        connect_kwargs = self._make_manager_with_ssh_config(mock_native_tunnel, host_config)
+
+        assert connect_kwargs["key_filename"] == [
+            "/home/user/.ssh/id_ed25519_host",
+            "/home/user/.ssh/id_ed25519_global",
+        ]
+
 
 class TestGetTunnelManagerFromConfig:
     """Tests for get_tunnel_manager_from_config function."""
@@ -596,3 +767,14 @@ def test_allow_agent_from_config(self):
         config = {"ssh tunnels": {"allow_agent": "False"}}
         manager = get_tunnel_manager_from_config(config)
         assert manager.allow_agent is False
+
+    def test_host_key_policy_from_config(self):
+        """Test host_key_policy is read from config."""
+        config = {"ssh tunnels": {"host_key_policy": "reject"}}
+        manager = get_tunnel_manager_from_config(config)
+        assert manager.host_key_policy == "reject"
+
+    def test_host_key_policy_default(self):
+        """Test host_key_policy defaults to auto-add."""
+        manager = get_tunnel_manager_from_config({})
+        assert manager.host_key_policy == "auto-add"