feat(provider): add ssh provider for protocol-level health checks (#151)

Adds a new SSH provider that performs protocol-level handshakes to
capture host key fingerprints for security verification, enabling
MITM detection and algorithm compliance checks using CEL expressions.

Author: isometry

README.md

@@ -14,6 +14,7 @@ Probes use a compile-time [provider plugin system](pkg/provider) that supports e
 
 * [`system`](pkg/provider/system): Hierarchical grouping of related health checks with status aggregation
 * [`satellite`](pkg/provider/satellite): A separate satellite instance of the Platform Health server
+* [`ssh`](pkg/provider/ssh): SSH protocol handshake with host key verification
 * [`tcp`](pkg/provider/tcp): TCP connectivity checks
 * [`tls`](pkg/provider/tls): TLS handshake and certificate verification
 * [`http`](pkg/provider/http): HTTP(S) health checks with CEL-based response validation, full REST/GraphQL API support, and TLS details
@@ -256,6 +257,7 @@ Several providers support CEL (Common Expression Language) expressions for custo
 
 - [`http`](pkg/provider/http): HTTP request and response details with JSON parsing for REST/GraphQL API validation
 - [`tls`](pkg/provider/tls): TLS connection and certificate details
+- [`ssh`](pkg/provider/ssh): SSH host key and connection details
 - [`kubernetes`](pkg/provider/kubernetes): Full resource(s), including metadata, spec, status, etc.
 - [`helm`](pkg/provider/helm): Release info, chart metadata, values and manifests
 

cmd/ph/main.go

@@ -13,6 +13,7 @@ import (
 	_ "github.com/isometry/platform-health/pkg/provider/http"
 	_ "github.com/isometry/platform-health/pkg/provider/kubernetes"
 	_ "github.com/isometry/platform-health/pkg/provider/satellite"
+	_ "github.com/isometry/platform-health/pkg/provider/ssh"
 	_ "github.com/isometry/platform-health/pkg/provider/system"
 	_ "github.com/isometry/platform-health/pkg/provider/tcp"
 	_ "github.com/isometry/platform-health/pkg/provider/tls"

cmd/phs/main.go

@@ -13,6 +13,7 @@ import (
 	_ "github.com/isometry/platform-health/pkg/provider/http"
 	_ "github.com/isometry/platform-health/pkg/provider/kubernetes"
 	_ "github.com/isometry/platform-health/pkg/provider/satellite"
+	_ "github.com/isometry/platform-health/pkg/provider/ssh"
 	_ "github.com/isometry/platform-health/pkg/provider/system"
 	_ "github.com/isometry/platform-health/pkg/provider/tcp"
 	_ "github.com/isometry/platform-health/pkg/provider/tls"

go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/veqryn/slog-context v0.9.0
 	go.yaml.in/yaml/v3 v3.0.4
+	golang.org/x/crypto v0.48.0
 	golang.org/x/sync v0.19.0
 	golang.org/x/term v0.40.0
 	google.golang.org/grpc v1.79.1
@@ -135,7 +136,6 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
 	golang.org/x/mod v0.33.0 // indirect
 	golang.org/x/net v0.50.0 // indirect
@@ -144,8 +144,8 @@ require (
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260223185530-2f722ef697dc // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260223185530-2f722ef697dc // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -430,10 +430,10 @@ golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d h1:EocjzKLywydp5uZ5tJ79iP6Q0UjDnyiHkGRWxuPBP8s=
-google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:48U2I+QQUYhsFrg2SY6r+nJzeOtjey7j//WBESw+qyQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/api v0.0.0-20260223185530-2f722ef697dc h1:ULD+ToGXUIU6Pkzr1ARxdyvwfHbelw+agoFDRbLg4TU=
+google.golang.org/genproto/googleapis/api v0.0.0-20260223185530-2f722ef697dc/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260223185530-2f722ef697dc h1:51Wupg8spF+5FC6D+iMKbOddFjMckETnNnEiZ+HX37s=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260223185530-2f722ef697dc/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
 google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=

pkg/provider/ssh/README.md

@@ -0,0 +1,188 @@
+# SSH Provider
+
+The SSH Provider extends the platform-health server to enable monitoring of SSH services. It performs protocol-level handshake(s) to capture host key fingerprints for security verification, without requiring authentication credentials. This enables MITM detection through host key fingerprint pinning and algorithm compliance checks using CEL (Common Expression Language) expressions.
+
+When `algorithms` is specified, the provider polls each algorithm separately, collecting all fingerprints into a map for comprehensive verification.
+
+## Usage
+
+Once the SSH Provider is configured, any query to the platform health server will trigger validation of the configured SSH service(s). The server will attempt to establish SSH connection(s) to each instance, capture the host key(s) during the handshake, and report each instance as "healthy" if the handshake is successful and all CEL checks pass, or "unhealthy" if the connection fails or any check fails.
+
+### Ad-hoc Check
+
+```bash
+# Basic SSH check (server chooses algorithm)
+ph check ssh --host example.com --port 22
+
+# Check specific algorithm
+ph check ssh --host example.com --algorithms ssh-ed25519
+
+# Check multiple algorithms
+ph check ssh --host example.com --algorithms ssh-ed25519 --algorithms ecdsa-sha2-nistp256
+
+# Check with CEL expression
+ph check ssh --host example.com --check='"ssh-ed25519" in ssh.hostKey'
+```
+
+### Context Inspection
+
+Use `ph context` to inspect the available CEL variables before writing expressions:
+
+```bash
+# Default (server chooses algorithm)
+ph context ssh --host example.com
+
+# Specific algorithm
+ph context ssh --host example.com --algorithms ssh-ed25519
+
+# Multiple algorithms
+ph context ssh --host example.com --algorithms ssh-ed25519 --algorithms ecdsa-sha2-nistp256
+```
+
+## Configuration
+
+The SSH Provider is configured through the platform-health server's configuration file. Each instance is defined with its name as the YAML key under `components`.
+
+- `type` (required): Must be `ssh`.
+- `spec`: Provider-specific configuration:
+  - `host` (required): The hostname or IP address of the SSH service to monitor.
+  - `port` (default: `22`): The port number of the SSH service to monitor.
+  - `algorithms` (optional): List of host key algorithms to poll. If not specified, server chooses (single handshake). If specified, one handshake per algorithm.
+- `checks`: A list of CEL expressions to validate the SSH connection. Each check has:
+  - `check` (required): A CEL expression that must evaluate to `true` for the connection to be healthy.
+  - `message` (optional): Custom error message when the check fails.
+
+### Valid Algorithm Names
+
+- `ssh-ed25519`
+- `ecdsa-sha2-nistp256`
+- `ecdsa-sha2-nistp384`
+- `ecdsa-sha2-nistp521`
+- `ssh-rsa`
+- `rsa-sha2-256`
+- `rsa-sha2-512`
+
+## CEL Check Context
+
+The SSH provider exposes an `ssh` variable containing host key details:
+
+- `ssh.hostKey`: Map of algorithm name to SHA256 fingerprint (map[string]string)
+- `ssh.host`: Target hostname used for connection (string)
+- `ssh.port`: Target port used for connection (int)
+
+### Example Context Output
+
+Default (server chooses algorithm):
+```json
+{
+  "ssh": {
+    "hostKey": {
+      "ecdsa-sha2-nistp256": "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"
+    },
+    "host": "github.com",
+    "port": 22
+  }
+}
+```
+
+With multiple algorithms specified:
+```json
+{
+  "ssh": {
+    "hostKey": {
+      "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
+      "ecdsa-sha2-nistp256": "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"
+    },
+    "host": "github.com",
+    "port": 22
+  }
+}
+```
+
+### Example CEL Expressions
+
+```cel
+// Check if server supports specific algorithm
+"ssh-ed25519" in ssh.hostKey
+
+// Verify known host key fingerprint for specific algorithm (MITM detection)
+ssh.hostKey["ssh-ed25519"] == "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
+
+// Check at least one modern algorithm is available
+"ssh-ed25519" in ssh.hostKey || "ecdsa-sha2-nistp256" in ssh.hostKey
+
+// Ensure RSA is not the only option (when polling multiple)
+!("ssh-rsa" in ssh.hostKey) || size(ssh.hostKey) > 1
+```
+
+## Examples
+
+### Basic SSH Check
+
+```yaml
+components:
+  bastion:
+    type: ssh
+    spec:
+      host: bastion.example.com
+      port: 22
+```
+
+In this example, the SSH Provider will establish an SSH connection to `bastion.example.com` on port 22 and report the service as "healthy" if the handshake completes successfully. The server chooses which host key algorithm to present.
+
+### Host Key Verification (Single Algorithm)
+
+```yaml
+components:
+  production-ssh:
+    type: ssh
+    spec:
+      host: prod.example.com
+      port: 22
+      algorithms:
+        - ssh-ed25519
+    checks:
+      - check: 'ssh.hostKey["ssh-ed25519"] == "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"'
+        message: "Host key mismatch - possible MITM attack"
+```
+
+This configuration verifies that the SSH server presents the expected ED25519 host key, providing protection against man-in-the-middle attacks.
+
+### Multi-Algorithm Verification
+
+```yaml
+components:
+  secure-bastion:
+    type: ssh
+    spec:
+      host: bastion.example.com
+      algorithms:
+        - ssh-ed25519
+        - ecdsa-sha2-nistp256
+    checks:
+      - check: '"ssh-ed25519" in ssh.hostKey'
+        message: "Server must support ED25519"
+      - check: 'ssh.hostKey["ssh-ed25519"] == "SHA256:expected..."'
+        message: "ED25519 key mismatch"
+      - check: 'ssh.hostKey["ecdsa-sha2-nistp256"] == "SHA256:expected..."'
+        message: "ECDSA key mismatch"
+```
+
+This polls both ED25519 and ECDSA keys and verifies both fingerprints.
+
+### Algorithm Compliance Check
+
+```yaml
+components:
+  modern-ssh:
+    type: ssh
+    spec:
+      host: secure.example.com
+      algorithms:
+        - ssh-ed25519
+    checks:
+      - check: '"ssh-ed25519" in ssh.hostKey'
+        message: "ED25519 host key required"
+```
+
+This ensures the SSH server supports the modern ED25519 algorithm. The check will fail if the server doesn't support ED25519.