git storage fail due to knownhosts: key mismatch
#517
Comments
I guess cerbos should allow setting
Thanks for reporting the issue and digging into it. Even though introducing the ability to turn off host key verification is the easy fix here, I want to explore the options and understand the problem a bit more to see if we can avoid introducing an insecure setting.
I could swear that cloning via SSH used to work before because I personally tested it myself. I think this issue is caused by a recent change that GitHub did a couple of months ago: https://github.blog/2021-09-01-improving-git-protocol-security-github/. The git command seems to prefer the ED25519 key and only adds that to the
ssh-keygen -F github.com
# Host github.com found: line 25
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
However, there's an issue open for this in
So, the quick fix right now is to run
Although I would prefer not to do so, I'll add the option to switch off host key verification from Cerbos config if this problem does not get fixed upstream before the next release.
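An added example, not part of the thread or of Cerbos: a small Python check that lists which host key types a known_hosts file pins for a host, using the single github.com entry quoted in the comment above as input. The `OFFERED` list of key types and the function names are assumptions for illustration; replace `OFFERED` with the key types the server actually presents.

```python
import base64
import hashlib
import hmac

# Constructed sample: only the github.com line quoted in the comment above.
KNOWN_HOSTS = ("github.com ssh-ed25519 "
               "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n")
# Assumption: key types the server may present during negotiation.
OFFERED = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]

def hashed_name_matches(pattern, name):
    """OpenSSH hashed host names: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    _, _, salt_b64, mac_b64 = pattern.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def pinned_key_types(known_hosts_text, host, port=22):
    """Return {key_type: SHA256 fingerprint} for plain entries matching host."""
    name = host if port == 22 else f"[{host}]:{port}"
    pinned = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, malformed lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        patterns, key_type, blob = fields[:3]
        try:
            if patterns.startswith("|1|"):
                match = hashed_name_matches(patterns, name)
            else:
                match = name in patterns.split(",")  # wildcard patterns not handled
            if match:
                digest = hashlib.sha256(base64.b64decode(blob)).digest()
                pinned[key_type] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        except ValueError:  # bad base64 or malformed hashed name
            continue
    return pinned

def missing_key_types(known_hosts_text, host, offered, port=22):
    """Key types the server may present that have no pinned entry for host."""
    pinned = pinned_key_types(known_hosts_text, host, port)
    return [t for t in offered if t not in pinned]

if __name__ == "__main__":
    print(pinned_key_types(KNOWN_HOSTS, "github.com"))
    print("not pinned:", missing_key_types(KNOWN_HOSTS, "github.com", OFFERED))
```

Compare the printed fingerprints with the ones the host publishes before distributing the file, for example in a ConfigMap.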
@charithe ssh-keyscan github.com >> ~/.ssh/known_hosts this will be out of scope in the pod, right?
I would do something like create a ConfigMap with the output of
Come to think of it, in production, you probably don't want to distribute your SSH private key with the application anyway. Wouldn't it be easier to use HTTPS with a GitHub token instead?
We thought about it, but managing a deploy key per repo is easier; as developers come and go, it seems rather hard for us to work consistently with a GitHub token.
I'm testing that
I see. It's a shame the GitHub token system is user-based. If I am not mistaken, deploy keys have admin rights, don't they? Is creating an account for the system user in GitHub and generating a PAT with fewer privileges out of the question?
This worked
But then it's an extra headache IMO
Closing this issue, @charithe thanks for the help
Thanks for this ticket! Both of you saved me so much time on this issue. After updating my primary SSH key (and cleaned up my
Is there an existing issue for this?
Current Behavior
Following is my configuration file
Is there an option to set ignore hostkey check? I tried cloning the repo using the above private key and it worked. No issue there.
Expected Behavior
It should clone the repo
Steps To Reproduce
Set the config.yaml to use git storage
Start cerbos using the above config
Environment
Anything else?
No response