Commit df05cd5b authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'patch-1' into 'master'

Suggest a more secure way of handling SSH host keys in docker builds [ci skip]

See merge request !2797
parents 279585c5 5852e0e0
...@@ -38,6 +38,15 @@ following **Settings > Variables**. As **Key** add the name `SSH_PRIVATE_KEY` ...@@ -38,6 +38,15 @@ following **Settings > Variables**. As **Key** add the name `SSH_PRIVATE_KEY`
and in the **Value** field paste the content of your _private_ key that you and in the **Value** field paste the content of your _private_ key that you
created earlier. created earlier.
It is also good practice to check the server's own public key to make sure you
are not being targeted by a man-in-the-middle attack. To do this, add another
variable named `SSH_SERVER_HOSTKEYS`. To find out the hostkeys of your server, run
the `ssh-keyscan YOUR_SERVER` command from a trusted network (ideally, from the
server itself), and paste its output into the `SSH_SERVER_HOSTKEY` variable. If
you need to connect to multiple servers, concatenate all the server public keys
that you collected into the **Value** of the variable. There must be one key per
line.
Next you need to modify your `.gitlab-ci.yml` with a `before_script` action. Next you need to modify your `.gitlab-ci.yml` with a `before_script` action.
Add it to the top: Add it to the top:
...@@ -59,6 +68,11 @@ before_script: ...@@ -59,6 +68,11 @@ before_script:
# you will overwrite your user's SSH config. # you will overwrite your user's SSH config.
- mkdir -p ~/.ssh - mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config' - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# In order to properly check the server's host key, assuming you created the
# SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
# instead.
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
``` ```
As a final step, add the _public_ key from the one you created earlier to the As a final step, add the _public_ key from the one you created earlier to the
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment