diff --git a/Dockerfile b/Dockerfile index 5661153..1c0ca69 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,7 @@ ENV CONFD_OPTS '--backend=env --onetime' # This contains the repo for docker COPY root / +RUN mkdir -p /root/.ssh RUN apt-get -y install \ apt-transport-https \ @@ -81,6 +82,9 @@ RUN install-plugins.sh \ workflow-multibranch:2.14 \ ws-cleanup:0.32 +# Designate the default domains to limit strict key checking. +ENV OUTRIGGER_STRICT_HOST_CHECKING_DISABLED 'github.com bitbucket.org' + # Run the s6-based init. ENTRYPOINT ["/init"] diff --git a/README.md b/README.md index 8fad10c..5c7bd12 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,27 @@ configurations offered by this image. You can pass this as an environment variable to container and it will customize the `admin` user password. If this is not set, the `admin` user will have a blank password. +### OUTRIGGER_STRICT_HOST_CHECKING_DISABLED + +Specify a domain for an SSH config file Host entry. This domain will have the SSH +settig `StrictHostKeyChecking` disabled. As a result, ssh or git commands from +the Jenkins container will not be challenged for a hosts key entry. + +In keeping with SSH configuration syntax, you can use a single wildcard in your +host name and may also specify multiple host names delimited by a single space. + +As long as you are using key-based authentication this represents a minimal risk +of exposure to Man-in-the-Middle attacks, for more details see: +http://www.gremwell.com/ssh-mitm-public-key-authentication + +#### Default Value & Example + +``` +OUTRIGGER_STRICT_HOST_CHECKING_DISABLED="github.com bitbucket.org" +``` + +If you do not wish Github and Bitbucket to have StrictHostKeyChecking disabled, +set this environment variable to an empty string. ## Customization diff --git a/root/etc/confd/conf.d/ssh-config.toml b/root/etc/confd/conf.d/ssh-config.toml new file mode 100644 index 0000000..e18ebf9 --- /dev/null +++ b/root/etc/confd/conf.d/ssh-config.toml 
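Review bot: `RUN mkdir -p /root/.ssh` creates the directory with the build's default umask, so it is most likely 0755, yet it will hold the SSH client config that confd renders to `/root/.ssh/config` and, per the cont-init.d script in this commit, the copied private key; `RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh` keeps the directory unreadable by any other user in the container. The directory previously existed only because `root/root/.ssh/config` was checked in, and this commit deletes that file, which is why the explicit mkdir is now needed — worth a short comment above the line, e.g. `# /root/.ssh no longer ships in root/; confd and 20-outrigger-private-key write into it at start-up.`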
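Review bot: The default `ENV OUTRIGGER_STRICT_HOST_CHECKING_DISABLED 'github.com bitbucket.org'` means that, out of the box, the image no longer verifies the identity of the two hosts a Jenkins job is most likely to fetch source and build definitions from, and the ssh-keyscan seeding of known_hosts that this commit removes from `root/etc/cont-init.d/20-outrigger-private-key` was the only other place those host keys were recorded. Key-based authentication prevents a relay from authenticating onward, but a host that impersonates github.com can still hand attacker-controlled repository content to a build or receive code that the job pushes, so for a CI image the safer default is to ship the providers' published host key fingerprints in `/root/.ssh/known_hosts` at build time (pinned rather than trusted on first use) and leave this variable empty, `ENV OUTRIGGER_STRICT_HOST_CHECKING_DISABLED ''`, as an opt-in for other hosts. At minimum the comment should state what the setting does: `# Hosts for which StrictHostKeyChecking is disabled by default (see README); set to '' to verify all host keys.`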
@@ -0,0 +1,6 @@
+[template]
+src="ssh_config.tmpl"
+dest="/root/.ssh/config"
+keys=[
+ "/",
+]
diff --git a/root/etc/confd/templates/ssh_config.tmpl b/root/etc/confd/templates/ssh_config.tmpl
new file mode 100644
index 0000000..cfa9a47
--- /dev/null
+++ b/root/etc/confd/templates/ssh_config.tmpl
@@ -0,0 +1,4 @@
+{{if getenv "OUTRIGGER_STRICT_HOST_CHECKING_DISABLED"}}
+Host {{getenv "OUTRIGGER_STRICT_HOST_CHECKING_DISABLED"}}
+ StrictHostKeyChecking no
+{{end}}
diff --git a/root/etc/cont-init.d/20-outrigger-private-key b/root/etc/cont-init.d/20-outrigger-private-key
index cdd0357..696d64b 100644
--- a/root/etc/cont-init.d/20-outrigger-private-key
+++ b/root/etc/cont-init.d/20-outrigger-private-key
@@ -3,10 +3,9 @@ KEY_BASE=/root/.ssh
 KEY_FILE=$KEY_BASE/outrigger.key
-if [ -e $KEY_FILE ]; then
-
+if [ -e $KEY_FILE ] && [ ! -d $KEY_FILE ]
+then
 echo "KEY_FILE found. Setting up key..."
-
 else
 echo "##############################################################"
@@ -34,7 +33,3 @@ fi
 cp $KEY_FILE $PRIVATE_KEY
 chown root:root $PRIVATE_KEY
 chmod 600 $PRIVATE_KEY
-
-# Make sure that commands don't need to prompt for host keys
-ssh-keyscan -H bitbucket.org >> $KEY_BASE/known_hosts
-ssh-keyscan -H github.com >> $KEY_BASE/known_hosts
diff --git a/root/root/.ssh/config b/root/root/.ssh/config
deleted file mode 100644
index e495d54..0000000
--- a/root/root/.ssh/config
+++ /dev/null
@@ -1,4 +0,0 @@
-Host bitbucket.org
- StrictHostKeyChecking no
-Host github.com
- StrictHostKeyChecking no
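Review bot: The template resource sets no `mode`, so `/root/.ssh/config` is written with whatever file mode confd applies by default, while the key copied into the same directory gets an explicit `chmod 600` in the cont-init.d script; adding `mode="0600"` next to `dest` makes the permissions explicit and consistent, and OpenSSH rejects a per-user config that is writable by anyone other than its owner, so the mode should not be left to a default. A one-line comment naming the consumer, e.g. `# Renders ~/.ssh/config for root from OUTRIGGER_STRICT_HOST_CHECKING_DISABLED (see README).`, would also help, since the toml itself does not say which variable the template reads.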
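Review bot: `StrictHostKeyChecking no` does more than accept unknown host keys: in current OpenSSH it also lets a connection proceed when a key already recorded in known_hosts has changed (with password authentication and forwarding disabled), so a later key mismatch for github.com or bitbucket.org would not stop a build; if the image's OpenSSH is 7.6 or newer, `StrictHostKeyChecking accept-new` gives the same prompt-free first contact while still refusing a changed key. The environment value is also placed on the `Host` line verbatim: a whitespace-only value passes the `{{if getenv ...}}` guard and may leave a `Host` line with no pattern, and a value such as `*` turns the setting off for every host. The template should state this in a leading comment, e.g. `# Host patterns (space separated, ssh_config syntax) that skip strict host key checking; rendered by confd from OUTRIGGER_STRICT_HOST_CHECKING_DISABLED.`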
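Review bot: The new test `[ -e $KEY_FILE ] && [ ! -d $KEY_FILE ]` leaves `$KEY_FILE` unquoted in both brackets and spells out by hand what `-f` already means; `if [ -f "$KEY_FILE" ]; then` is shorter, matches only a regular file (which is what a private key must be), and survives a path containing spaces. The `! -d` guard presumably exists because a bind mount of a missing host path shows up as an empty directory rather than a file — if so, say it in a comment such as `# A missing host path mounted at $KEY_FILE appears as an empty directory, not a file.`, since the reason is not visible from the code. The `else` branch of this `if` continues outside the hunk.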