fix(sshutil): add mutex to TOFU known_hosts to prevent race condition (#644)

ArangoGutierrez · web-flow · commit 38c2b4bd35b7 · 2026-02-13T18:46:11.000+01:00
Concurrent SSH connections (during cluster provisioning) could race on the known_hosts file read-then-write, causing duplicate entries or inconsistent state. Add a package-level mutex around the callback. Audit finding #13 (MEDIUM). Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
diff --git a/pkg/sshutil/tofu.go b/pkg/sshutil/tofu.go
@@ -22,10 +22,16 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"golang.org/x/crypto/ssh"
 )
 
+// tofuMu serialises access to the known_hosts file so that concurrent SSH
+// connections (e.g. during multi-node cluster provisioning) do not race on the
+// read-then-write.
+var tofuMu sync.Mutex
+
 // TOFUHostKeyCallback returns an ssh.HostKeyCallback implementing a
 // Trust-On-First-Use (TOFU) pattern for SSH host key verification. On first
 // connection to a host, the key is recorded in a holodeck-specific known_hosts
@@ -34,6 +40,9 @@ import (
 // a potential MITM attack — is rejected with an error.
 func TOFUHostKeyCallback() ssh.HostKeyCallback {
 	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+		tofuMu.Lock()
+		defer tofuMu.Unlock()
+
 		cacheBase, err := os.UserCacheDir()
 		if err != nil {
 			return fmt.Errorf("cannot determine cache directory for TOFU host keys: %w", err)
