author: Rémy Coutable <remy@rymai.me> 2017-03-16 18:08:23 +0000
committer: Rémy Coutable <remy@rymai.me> 2017-03-16 18:08:23 +0000
commit: df05cd5baf39e19a9d7fabbfc96d7d7929d66052 (patch)
tree: c194abbdf5231a86066f52e49b5414605f18803e /doc/ci/ssh_keys
parent: 279585c57ba943a4abfff170cc610bf23f88fcba (diff)
parent: 5852e0e0605e90949aec817293f45fabf5b116ac (diff)
Merge branch 'patch-1' into 'master'
Suggest a more secure way of handling SSH host keys in docker builds [ci skip] See merge request !2797
Diffstat (limited to 'doc/ci/ssh_keys')
-rw-r--r-- doc/ci/ssh_keys/README.md | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/ci/ssh_keys/README.md b/doc/ci/ssh_keys/README.md
index d00faaadc8b..befaa06e918 100644
--- a/doc/ci/ssh_keys/README.md
+++ b/doc/ci/ssh_keys/README.md
@@ -38,6 +38,15 @@ following **Settings > Variables**. As **Key** add the name `SSH_PRIVATE_KEY`
and in the **Value** field paste the content of your _private_ key that you
created earlier.
+It is also good practice to check the server's own public key to make sure you
+are not being targeted by a man-in-the-middle attack. To do this, add another
+variable named `SSH_SERVER_HOSTKEYS`. To find out the hostkeys of your server, run
+the `ssh-keyscan YOUR_SERVER` command from a trusted network (ideally, from the
+server itself), and paste its output into the `SSH_SERVER_HOSTKEY` variable. If
+you need to connect to multiple servers, concatenate all the server public keys
+that you collected into the **Value** of the variable. There must be one key per
+line.
+
Next you need to modify your `.gitlab-ci.yml` with a `before_script` action.
Add it to the top:
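Review bot: The variable name is inconsistent within this paragraph: it is introduced as `SSH_SERVER_HOSTKEYS` ("add another variable named `SSH_SERVER_HOSTKEYS`") but the next sentence tells the reader to paste the output "into the `SSH_SERVER_HOSTKEY` variable", and the `before_script` further down reads `$SSH_SERVER_HOSTKEYS`. A reader who follows the second sentence literally ends up with an empty `known_hosts` and a failing connection, so the singular form should be corrected to `SSH_SERVER_HOSTKEYS`. It would also help to state that `ssh-keyscan` output is already in `known_hosts` format (one `hostname keytype key` entry per line), which is why the "one key per line" requirement matters, and that the fingerprints should be compared against the server's own `/etc/ssh/ssh_host_*_key.pub` files when the scan cannot be run on the server itself.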
@@ -59,6 +68,11 @@ before_script:
# you will overwrite your user's SSH config.
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
+ # In order to properly check the server's host key, assuming you created the
+ # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
+ # instead.
+ # - mkdir -p ~/.ssh
+ # - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
```
As a final step, add the _public_ key from the one you created earlier to the
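Review bot: The comment "uncomment the following two lines instead" does not say which two lines are being replaced, and the first commented line (`# - mkdir -p ~/.ssh`) duplicates the `mkdir -p ~/.ssh` that remains active just above it. The security-relevant line to replace is the one writing `StrictHostKeyChecking no` into `~/.ssh/config`: if it is left in place alongside the new `known_hosts` line, the host keys are written but never enforced, and the man-in-the-middle protection the previous hunk motivates is silently lost. Suggest wording such as "replace the `StrictHostKeyChecking no` line above with the following line" and dropping the redundant `mkdir`. The `echo "$SSH_SERVER_HOSTKEYS"` form is correct for a multi-line variable because the quoting preserves the newlines between entries.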