From 8e8f89cdc519ab0097c3d0b5cff44ae9d484340c Mon Sep 17 00:00:00 2001
From: Burnett01
Date: Mon, 1 Sep 2025 15:40:52 +0000
Subject: [PATCH] feat: add host key verification and handling for strict host key checking
---
 entrypoint.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/entrypoint.sh b/entrypoint.sh
index b24f0dc..4e0a2d0 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -28,6 +28,17 @@ fi
 STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
 if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
 STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=yes"
+
+ key="$(ssh-keyscan -p "$INPUT_REMOTE_PORT" "$INPUT_REMOTE_HOST" 2>/dev/null)" || key=""
+ if [ -n "$key" ]; then
+ # fingerprint verification
+ echo "$key" | ssh-keygen -lf -
+ # add to known hosts
+ echo "$key" | while IFS= read -r line; do hosts-add "$line"; done
+ else
+ echo "Warning: failed to fetch host key for $INPUT_REMOTE_HOST" >&2
+ exit 1
+ fi
 fi
 
 RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
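Review bot: The key returned by `ssh-keyscan` is handed to `hosts-add` without being compared to anything, so `StrictHostKeyChecking=yes` ends up trusting whichever host answered for `$INPUT_REMOTE_HOST` during this run and gives no more man-in-the-middle protection than `no`. The line under `# fingerprint verification` only prints fingerprints through `ssh-keygen -lf -`; nothing is verified, so the comment should at least read `# print fingerprints for the job log (not compared against a pinned value)`. To make the option meaningful, compare against a value the workflow supplies before adding the key, for example `echo "$key" | ssh-keygen -lf - | grep -qF -- "$EXPECTED_FINGERPRINT" || exit 1`, where `EXPECTED_FINGERPRINT` is a placeholder name for a new pinned-fingerprint input, and ideally pass only the matching key line to `hosts-add`. `hosts-add` is defined outside the hunk, so how it stores the entries cannot be checked from here.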