Merge pull request #58 from pieterlange/fix/check-hostkeys

Use secure defaults (check hostkeys)

Author: thockin

cmd/git-sync/main.go

@@ -66,6 +66,8 @@ var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""),
 
 var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
 	"use SSH for git operations")
+var flSSHKnownHosts = flag.Bool("ssh-known-hosts", envBool("GIT_KNOWN_HOSTS", false),
+	"enable SSH known_hosts verification")
 
 var log = newLoggerOrDie()
 
@@ -152,7 +154,7 @@ func main() {
 	}
 
 	if *flSSH {
-		if err := setupGitSSH(); err != nil {
+		if err := setupGitSSH(*flSSHKnownHosts); err != nil {
 			fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err)
 			os.Exit(1)
 		}
@@ -468,10 +470,11 @@ func setupGitAuth(username, password, gitURL string) error {
 	return nil
 }
 
-func setupGitSSH() error {
+func setupGitSSH(setupKnownHosts bool) error {
 	log.V(1).Infof("setting up git SSH credentials")
 
 	var pathToSSHSecret = "/etc/git-secret/ssh"
+	var pathToSSHKnownHosts = "/etc/git-secret/known_hosts"
 
 	fileInfo, err := os.Stat(pathToSSHSecret)
 	if err != nil {
@@ -482,8 +485,18 @@ func setupGitSSH() error {
 		return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
 	}
 
+	if setupKnownHosts {
+		_, err := os.Stat(pathToSSHKnownHosts)
+		if err != nil {
+			return fmt.Errorf("error: could not find SSH known_hosts file: %v", err)
+		}
+
+		err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret))
+	} else {
+		err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
+	}
+
 	//set env variable GIT_SSH_COMMAND to force git use customized ssh command
-	err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
 	if err != nil {
 		return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
 	}

docs/ssh.md

@@ -6,15 +6,21 @@ Git-sync supports using the SSH protocol for pulling git content.
 Create a Secret to store your SSH private key, with the Secret keyed as "ssh". This can be done one of two ways:
 
 ***Method 1:***
+Obtain the host keys for your git server:
+
+```
+ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts
+```
 
 Use the ``kubectl create secret`` command and point to the file on your filesystem that stores the key. Ensure that the file is mapped to "ssh" as shown (the file can be located anywhere).
+
 ```
-kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa
+kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa --from-file=known_hosts=/tmp/known_hosts
 ```
 
 ***Method 2:***
 
-Write a config file for a Secret that holds your SSH private key, with the key (pasted as plaintext) mapped to the "ssh" field.
+Write a config file for a Secret that holds your SSH private key, with the key (pasted in base64 encoded plaintext) mapped to the "ssh" field.
 ```
 {
   "kind": "Secret",
@@ -23,7 +29,8 @@ Write a config file for a Secret that holds your SSH private key, with the key (
     "name": "git-creds"
   },
   "data": {
-    "ssh": <private-key>
+    "ssh": <base64 encoded private-key>
+    "known_hosts": <base64 encoded known_hosts>
 }
 ```
 
@@ -32,6 +39,8 @@ Create the Secret using ``kubectl create -f``.
 kubectl create -f /path/to/secret-config.json
 ```
 
+Invoke the `git-sync` binary with the `-ssh-known-hosts` parameter to enforce `known_hosts` checking. This will be enabled by default in a future release.
+
 ## Step 2: Configure Pod/Deployment Volume
 
 In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples).