ssh-mount: StrictHostKeyChecking=no cannot be overridden by user

[raballew]

Summary

In jumpstarter_driver_ssh_mount/client.py, the _build_sshfs_args method hardcodes StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null after user-supplied -o options. Since SSH uses last-wins semantics for duplicate options, users cannot override these defaults.

Current behavior

# user options added first (lines 323-325)
if extra_args:
    for arg in extra_args:
        sshfs_args.extend(["-o", arg])

# hardcoded insecure defaults added last (lines 327-337)
ssh_opts = [
    "StrictHostKeyChecking=no",
    "UserKnownHostsFile=/dev/null",
    "LogLevel=ERROR",
]

A user running j mount /local/mountpoint -o StrictHostKeyChecking=yes will silently have their option overridden by the hardcoded StrictHostKeyChecking=no appended later.

Impact

In --direct mode, SSH traffic traverses the real network. Without host key verification, this is vulnerable to man-in-the-middle attacks.

In tunneled mode (the default), traffic goes through the Jumpstarter service, so the practical risk is lower.

Question

Is this intentional? If so, it would be worth documenting that host key verification is always disabled. If not, possible fixes:

1. Swap ordering: put defaults before user options so -o flags can override them
2. Use safer defaults: StrictHostKeyChecking=accept-new with a real known hosts file, and add an --insecure flag for the current behavior