From 3b8bf0308c7f75859dcad47a3c22ad9771bea71f Mon Sep 17 00:00:00 2001 From: Pieter Lange Date: Fri, 21 Apr 2017 15:09:37 +0200 Subject: [PATCH 1/2] Use secure defaults (check hostkeys) --- cmd/git-sync/main.go | 3 ++- docs/ssh.md | 13 ++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go index 7832b00..3a7d757 100644 --- a/cmd/git-sync/main.go +++ b/cmd/git-sync/main.go @@ -472,6 +472,7 @@ func setupGitSSH() error { log.V(1).Infof("setting up git SSH credentials") var pathToSSHSecret = "/etc/git-secret/ssh" + var pathToSSHKnownHosts = "/etc/git-secret/known_hosts" fileInfo, err := os.Stat(pathToSSHSecret) if err != nil { @@ -483,7 +484,7 @@ func setupGitSSH() error { } //set env variable GIT_SSH_COMMAND to force git use customized ssh command - err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret)) + err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret)) if err != nil { return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err) } diff --git a/docs/ssh.md b/docs/ssh.md index a97eff7..fca85bd 100644 --- a/docs/ssh.md +++ b/docs/ssh.md @@ -6,15 +6,21 @@ Git-sync supports using the SSH protocol for pulling git content. Create a Secret to store your SSH private key, with the Secret keyed as "ssh". This can be done one of two ways: ***Method 1:*** +Obtain the host keys for your git server: + +``` +ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts +``` Use the ``kubectl create secret`` command and point to the file on your filesystem that stores the key. Ensure that the file is mapped to "ssh" as shown (the file can be located anywhere). + ``` -kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa +kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa --from-file=known_hosts=/tmp/known_hosts ``` ***Method 2:*** -Write a config file for a Secret that holds your SSH private key, with the key (pasted as plaintext) mapped to the "ssh" field. +Write a config file for a Secret that holds your SSH private key, with the key (pasted in base64 encoded plaintext) mapped to the "ssh" field. ``` { "kind": "Secret", @@ -23,7 +29,8 @@ Write a config file for a Secret that holds your SSH private key, with the key ( "name": "git-creds" }, "data": { - "ssh": + "ssh": + "known_hosts": } ``` From 899cf5974e20ce80460eeacfa8759bba9ffce460 Mon Sep 17 00:00:00 2001 From: Pieter Lange Date: Mon, 24 Apr 2017 10:11:44 +0200 Subject: [PATCH 2/2] Add feature flag to enable ssh host key verification. --- cmd/git-sync/main.go | 18 +++++++++++++++--- docs/ssh.md | 2 ++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go index 3a7d757..b13f9f2 100644 --- a/cmd/git-sync/main.go +++ b/cmd/git-sync/main.go @@ -66,6 +66,8 @@ var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""), var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false), "use SSH for git operations") +var flSSHKnownHosts = flag.Bool("ssh-known-hosts", envBool("GIT_KNOWN_HOSTS", false), + "enable SSH known_hosts verification") var log = newLoggerOrDie() @@ -152,7 +154,7 @@ func main() { } if *flSSH { - if err := setupGitSSH(); err != nil { + if err := setupGitSSH(*flSSHKnownHosts); err != nil { fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err) os.Exit(1) } @@ -468,7 +470,7 @@ func setupGitAuth(username, password, gitURL string) error { return nil } -func setupGitSSH() error { +func setupGitSSH(setupKnownHosts bool) error { log.V(1).Infof("setting up git SSH credentials") var pathToSSHSecret = "/etc/git-secret/ssh" @@ -483,8 +485,18 @@ func setupGitSSH() error { return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode()) } + if setupKnownHosts { + _, err := os.Stat(pathToSSHKnownHosts) + if err != nil { + return fmt.Errorf("error: could not find SSH known_hosts file: %v", err) + } + + err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret)) + } else { + err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret)) + } + //set env variable GIT_SSH_COMMAND to force git use customized ssh command - err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret)) if err != nil { return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err) } diff --git a/docs/ssh.md b/docs/ssh.md index fca85bd..27de4ad 100644 --- a/docs/ssh.md +++ b/docs/ssh.md @@ -39,6 +39,8 @@ Create the Secret using ``kubectl create -f``. kubectl create -f /path/to/secret-config.json ``` +Invoke the `git-sync` binary with the `-ssh-known-hosts` parameter to enforce `known_hosts` checking. This will be enabled by default in a future release. + ## Step 2: Configure Pod/Deployment Volume In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples).