Merge branch 'patch-1' into 'master'
Suggest a more secure way of handling SSH host keys in docker builds [ci skip] See merge request !2797
commit df05cd5baf
@ -38,6 +38,15 @@ following **Settings > Variables**. As **Key** add the name `SSH_PRIVATE_KEY`
and in the **Value** field paste the content of your _private_ key that you
created earlier.
It is also good practice to check the server's own public key to make sure you
are not being targeted by a man-in-the-middle attack. To do this, add another
variable named `SSH_SERVER_HOSTKEYS`. To find out the hostkeys of your server, run
the `ssh-keyscan YOUR_SERVER` command from a trusted network (ideally, from the
server itself), and paste its output into the `SSH_SERVER_HOSTKEY` variable. If
you need to connect to multiple servers, concatenate all the server public keys
that you collected into the **Value** of the variable. There must be one key per
line.
Next you need to modify your `.gitlab-ci.yml` with a `before_script` action.
Add it to the top:
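Review bot: the variable name is inconsistent inside this hunk: the new paragraph introduces `SSH_SERVER_HOSTKEYS` (plural) and then tells the reader to paste the `ssh-keyscan` output into the `SSH_SERVER_HOSTKEY` variable (singular), while the job script in the next hunk reads `$SSH_SERVER_HOSTKEYS`. A reader who follows the second spelling ends up with an empty `~/.ssh/known_hosts` and host key verification fails on every connection. Use `SSH_SERVER_HOSTKEYS` in both sentences. It would also help to state that the name passed to `ssh-keyscan YOUR_SERVER` must be the same host name or address the job later uses in its `ssh`/`git` commands, because `ssh-keyscan` writes that name into the first field of each line and `known_hosts` entries are matched on it.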
@ -59,6 +68,11 @@ before_script:
# you will overwrite your user's SSH config.
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
# In order to properly check the server's host key, assuming you created the
# SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
# instead.
# - mkdir -p ~/.ssh
# - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
```
As a final step, add the _public_ key from the one you created earlier to the
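Review bot: the new comment says to uncomment the two lines "instead", but it never says that the existing `- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'` line must be removed at the same time. If that line stays, `StrictHostKeyChecking no` remains in `~/.ssh/config` and ssh still connects (with a warning) when the presented key does not match `known_hosts`, so the populated `known_hosts` file adds no protection. Spell it out, e.g. "comment out the line above and uncomment the following", or show the `StrictHostKeyChecking no` line commented in the secure variant. The added `# - mkdir -p ~/.ssh` is also redundant, since the uncommented `- mkdir -p ~/.ssh` a few lines above already runs; only the `echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts` line needs to be uncommented, and the text should then say "the following line" rather than "two lines".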