Comments (28)
v2.3.0 has been released, now known_hosts: unnecessary
is available!
closing.
from ssh-key-action.
@till I do the same thing and choose to use webfactory/ssh-agent which works fine.
- name: Install SSH key
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.DIGITALOCEAN_SSH_KEY }}
from ssh-key-action.
@till
Thank you for your proposal, insecure
option may be a good idea.
Let me think about it.
from ssh-key-action.
Author can do as he pleases. This is their open source. Best is to fork if you really don't like it. Or use the alternative ☝🏼
from ssh-key-action.
Of course, I'd just like to point out that the reasoning is rather flawed.
from ssh-key-action.
@muesli is king
from ssh-key-action.
@kurtwheeler
It might be valid case, but known_hosts
will be necessary in many case for security reason.
If you have no way to know server key/address and are sure there are no security risk (such as MITM attack), please set dummy server key as workaround.
- name: Install SSH key
uses: shimataro/ssh-key-action@v2
with:
key: ${{ secrets.SSH_KEY }}
known_hosts: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
from ssh-key-action.
@shimataro What if I only need the SSH key locally during the test? I'm not even trying to connect to anything, but use it to test software that depends on a valid SSH key being installed / available.
from ssh-key-action.
Hi, @muesli. Sorry for the late reply.
You can use dummy server key, such as github.com
.
If you want to check whether SSH key is valid or not, try SSH to github.com
.
Please refer #143 (comment).
from ssh-key-action.
@shimataro Yeah, I use that as a hacky workaround. Why not solve this properly tho?
from ssh-key-action.
@muesli
It's for security reason.
(and I didn't expect your case, no need to connect to anywhere)
Direct connection without known_hosts
is dangerous. Therefore this action enforces to specify it.
If you don't have the way to know server key or IP address in advance, please use multistage SSH via "bastion server".
[GitHub] <-- Internet --> [bastion] <-- LAN --> [target]
If LAN is secure enough, it only needs to specify the key of bastion server to known_hosts
.
from ssh-key-action.
Maybe I'm overlooking something, but what's the danger of not having a known_hosts
file?
from ssh-key-action.
@muesli
SSH without known_hosts
allows MITM attack.
Of course, there are no risks if you don't connect to anywhere.
from ssh-key-action.
@shimataro I'm still a bit puzzled by that. Which MITM attack are you referring to? Not having a known_hosts
file is only really a problem if you disable StrictHostKeyChecking
, which would be a bad idea in the first place.
from ssh-key-action.
@muesli
Missing known_hosts
means that SSH cannot verify server.
That is, it allows MITM attack.
SSH with CA can verify server without known_hosts
, but it isn't a popular method.
from ssh-key-action.
I think you're mistaken here. A missing known_hosts
file would intercept any connection, asking you if you trust the remote host before proceeding, unless you have disabled StrictHostKeyChecking
.
As such it would be absolutely fine to make this feature optional. There's no MITM-scenario and no security issue I can see.
from ssh-key-action.
A missing
known_hosts
file would intercept any connection, asking you if you trust the remote host before proceeding,
Yes, you are right.
But if asked during CI process, the process will stop and fail at the point.
In addition, when you decide whether or not to trust a server, what would you base on?
The only way is to check the fingerprint of host key, and it's identical to use known_hosts
. known_hosts
is to check host key.
from ssh-key-action.
But if asked during CI process, the process will stop and fail at the point.
Correct, just like it is the case when you try to connect to any host that you have forgot to add to known_hosts
.
In addition, when you decide whether or not to trust a server, what would you base on?
known_hosts
is the right place. But remember my original point: there are situations where you don't connect to any host with your SSH key and instead have a different usecase for it. In such cases known_hosts
should be optional. There's no security issue as we've elaborated.
from ssh-key-action.
Sorry for late response.
But remember my original point: there are situations where you don't connect to any host with your SSH key and instead have a different usecase for it.
Yes I remember, but it is not an expected usage.
This action is for SSH connection; therefore I made known_hosts
required parameter.
from ssh-key-action.
I wanted to use this action to do the following:
- setup my keys
- create a server (in the cloud)
- run my ansible
- verify it all worked
The known_host
parameter is a bit odd in this case. With an elastic environment, known_hosts
seems to be a bit less useful anyway? I understand that for deployments and what not, I can use a static bastion host, but even then, I would probably use SSHFP
records?
Long story short, I wouldn't mind if you made known_hosts
optional and printed a fat warning that people are aware of it? Maybe another option like, insecure: yes
, which would be no
by default? So people can use this without workarounds like supplying a bogus known_hosts
?
from ssh-key-action.
While I'd still prefer an insecure
option over a fake known_hosts
file, I still don't see a reason to actually introduce that option. There's nothing insecure about not supplying any known hosts whatsoever.
from ssh-key-action.
There's nothing insecure about not supplying any known hosts whatsoever.
Could you tell me which one do you mean?
- Not providing
known_hosts
is secure enough in any case - Not providing
known_hosts
without thinking is insecure, but there are some methods to make SSH secure withoutknown_hosts
- Not providing
known_hosts
might be insecure, but We don't have to take care because attack is rare - or other meaning
I agree with you if 2 (but these methods are not so popular).
from ssh-key-action.
Definitely 1.
The worst thing that can happen if you don't specify any known hosts is ssh refusing to connect to a remote machine before you verify it and add it to the known hosts. There's no security issue here and no MITM attack if you don't have a known_hosts
file.
As such I don't understand why an option called insecure
would be helpful. If anything it's rather misleading.
from ssh-key-action.
The worst thing that can happen if you don't specify any known hosts is ssh refusing to connect to a remote machine before you verify it and add it to the known hosts. There's no security issue here and no MITM attack if you don't have a known_hosts file.
Yes, you are right, but I think CI will stop and fail at that point.
Or, I am misunderstanding something?
from ssh-key-action.
Yes, you are right, but I think CI will stop and fail at that point.
Just like it would if you try to connect to any host that you forgot to add to known_hosts
. This should be documented in the README accordingly. There is no security issue however, and no reason to enforce having a known_hosts
, when there are good reasons to use this without ever connecting to a remote host.
I hope you understand my reasoning, and I would greatly appreciate it if you could reconsider your decision ❤️
from ssh-key-action.
@muesli
I think I get what you mean. Is this OK?
- You DON'T mean that SSH connection without
known_hosts
(usingStrictHostKeyChecking=no
) is secure. - You want to install key but don't need SSH connection (so there are no security issues); #143 (comment)
Unfortunately, this action is designed for SSH connection. So known_hosts
is expected to exist, and not providing known_hosts
is insecure in many case.
But I'm considering a proposal #143 (comment).
Please wait for a decision!
from ssh-key-action.
No, that's not what I'm saying.
- SSH without a
known_hosts
is perfectly fine. - SSH with
StrictHostKeyChecking=no
is a problem and insecure. - Yes, I want to use this action without the need for a remote connection.
I get it you don't want to support that, I just don't understand your reasoning. At this point I think I'll just go ahead and fork this action since this seems to be the more constructive approach.
from ssh-key-action.
Hello everyone,
Since there are some secure methods that don't need known_hosts
, such as SSHFP and signed server key, I decided to provide a special value that enables known_hosts
to be omitted.
It is known_hosts: unnecessary
. known_hosts
parameter itself remains required and needs to be set to unnecessary
explicitly.
DO NOT use it with StrictHostKeyChecking=no
option, otherwise you might get MITM attack. Make sure that you are using secure methods.
HANDLE WITH CARE!!
It will be released in a few days or weeks.
Thank you for many discussion😆
from ssh-key-action.
Related Issues (20)
- Does the ssh key get left on the runner? HOT 8
- Feature Request: Allow multiple keys to be setup for a single remote host HOT 1
- Permission denied (publickey) for git clone HOT 1
- Error loading key "/home/runner/.ssh/deploy_key": invalid format while format is RSA HOT 1
- python2 error HOT 2
- Update Node.js warning HOT 6
- Node 12 is deprecated HOT 2
- Make known_hosts optional HOT 2
- Deleting .ssh directory on self hosted runner is terrible HOT 5
- Remove only specific ssh key after execution HOT 6
- Rsync fails Permission denied (publickey) HOT 2
- Github SSH key has not been updated HOT 1
- Feature Request: strip cr/lf endings from ssh key HOT 1
- panic: ssh tcp to server: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
- Cannot connect to SSH via Github action HOT 4
- Error on run `ssh-keyscan` HOT 1
- Syntax for known_hosts HOT 1
- Node.js 16 actions are deprecated HOT 1
- ssh-key-action step failing with GLIBC not found error HOT 2
- Host key verification failed. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ssh-key-action.