diff --git a/.docker/Dockerfile.debian b/.docker/Dockerfile.debian
index eeb158fa..c9a5d6a9 100644
--- a/.docker/Dockerfile.debian
+++ b/.docker/Dockerfile.debian
@@ -33,7 +33,7 @@ RUN set -ex && \
 WORKDIR /usr/src/node-red
 
 # Setup SSH known_hosts file
-COPY .docker/known_hosts.sh .
+COPY .docker/known_hosts-debian.sh ./known_hosts.sh
 RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
 RUN echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/ssh_config
 
diff --git a/.docker/known_hosts-debian.sh b/.docker/known_hosts-debian.sh
new file mode 120000
index 00000000..81a29849
--- /dev/null
+++ b/.docker/known_hosts-debian.sh
@@ -0,0 +1 @@
+../docker-custom/known_hosts-debian.sh
\ No newline at end of file
diff --git a/docker-custom/Dockerfile.debian b/docker-custom/Dockerfile.debian
index ed77552c..63fe12b2 100644
--- a/docker-custom/Dockerfile.debian
+++ b/docker-custom/Dockerfile.debian
@@ -33,7 +33,7 @@ RUN set -ex && \
 WORKDIR /usr/src/node-red
 
 # Setup SSH known_hosts file
-COPY known_hosts.sh .
+COPY ./known_hosts-debian.sh ./known_hosts.sh
 RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
 RUN echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/ssh_config
 
diff --git a/docker-custom/known_hosts-debian.sh b/docker-custom/known_hosts-debian.sh
new file mode 100755
index 00000000..79d4b295
--- /dev/null
+++ b/docker-custom/known_hosts-debian.sh
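Review bot: `COPY .docker/known_hosts-debian.sh ./known_hosts.sh` now copies a path that the next hunk adds as a symlink (mode 120000) to `../docker-custom/known_hosts-debian.sh`; if the builder copies the link itself rather than its target, `/usr/src/node-red/known_hosts.sh` in the image is a dangling link and the following `RUN ./known_hosts.sh` fails at build time. Since this COPY path already assumes the repository root as the build context, referencing the real file avoids depending on symlink handling: `COPY docker-custom/known_hosts-debian.sh ./known_hosts.sh`. Whether this builder dereferences context symlinks should be confirmed against a build log; the docker-custom/Dockerfile.debian hunk does not use the indirection and copies the script directly.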
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Originally taken from the Flux project (https://github.com/fluxcd/flux/tree/master/docker) where is under an
+# Apache-2.0 license
+
+set -eu
+
+known_hosts_file=${1}
+known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+hosts="github.com gitlab.com bitbucket.org"
+hosts_2022="source.developers.google.com"
+
+# The heredoc below was generated by constructing a known_hosts using
+#
+# ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
+#
+# then generating the sorted fingerprints with
+#
+# ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
+#
+# then checking against the published fingerprints from:
+# - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+# - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
+# - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
+# - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
+# (this is where the public key fingerprint is shown; it's not a setting)
+# - source.developers.google.com: https://cloud.google.com/source-repositories/docs/cloning-repositories
+
+fingerprints=$(mktemp -t)
+cleanup() {
+ rm -f "$fingerprints"
+}
+trap cleanup EXIT
+
+# make sure sorting is in the same locale as the heredoc
+export LC_ALL=C
+
+generate() {
+ ssh-keyscan ${hosts} > ${known_hosts_file}
+ ssh-keyscan -p 2022 ${hosts_2022} >> ${known_hosts_file}
+ echo "ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H" >> ${known_hosts_file}
+ echo "vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H" >> ${known_hosts_file}
+}
+
+validate() {
+ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"
+
+diff - "$fingerprints" <