Current Behavior

If I use the 'ssh' protocol for the git store in the config file and start Cerbos in a Docker container, the server will crash with the following error:

{"log.level":"info","@timestamp":"2023-07-12T19:14:20.500Z","log.logger":"cerbos.git.store","message":"Cloning git repo from ssh://git@[REDACTED]","dir":"//tmp/cerbos/work"}
{"log.level":"error","@timestamp":"2023-07-12T19:14:20.501Z","log.logger":"cerbos.git.store","message":"Failed to initialize git store","dir":"//tmp/cerbos/work","error":"failed to clone from ssh://git@[REDACTED] to //tmp/cerbos/work: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable"}

I've tried to provide the SSH_KNOWN_HOSTS value via an env variable. Unfortunately, it didn't fix the issue.

The only working solution I found is to mount a known_hosts file to /.ssh/known_hosts in the container:

-v $(pwd)/ssh/known_hosts:/.ssh/known_hosts

Expected Behavior

Cerbos should support the SSH_KNOWN_HOSTS env variable.

Alternatively, it would be nice to set a disableHostKeyChecking flag in the git storage config to disable host validation, similar to the StrictHostKeyChecking no command in ssh_config.

Have a look at the similar issue in GitLab.

Steps To Reproduce

1. Configure git storage to use the ssh protocol
2. Run the Cerbos docker image
I believe that the SSH_KNOWN_HOSTS environment variable is meant to contain a list of file paths from which to read the known hosts files. So, you'd still have to mount the output of ssh-keyscan as a volume and set SSH_KNOWN_HOSTS to point to that path.
Disabling strict host key checks has serious security implications and we are reluctant to support that in Cerbos. While it might be a bit inconvenient to generate the known hosts file, it's probably preferable over having an insecure configuration.
Usually this env var contains the content of a known_hosts file. It simplifies devops as you don't need to maintain and mount a known_hosts file. If in your case it is meant to contain paths, it should be documented somewhere.
It would be nice to improve the error message and update the documentation to provide clear instructions on how to set up the "ssh" protocol properly.
As for the "insecure" flag, it could be useful in a trusted or test environment. If you have a load balancer in front of your git host, it might be problematic to get the fingerprints of all hosts.
Disabling the strict check is a core feature of the SSH client. You can add a WARN message if "insecure" mode is enabled via the config file.
If you insist that known_hosts is mandatory, then you should add a new config variable to specify the known_hosts file path explicitly.
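The two readings of SSH_KNOWN_HOSTS in this thread (file contents versus a list of file paths), the load-balancer concern, and the request for a disable-host-key-checking flag can all be made concrete with a small verifier. The Python below is an added example written for this page; it is not Cerbos, go-git or OpenSSH code. It assumes the path-list semantics the maintainer describes, assumes the usual fallback files $HOME/.ssh/known_hosts and /etc/ssh/ssh_known_hosts (consistent with the /.ssh/known_hosts mount that worked in the report), and all hostnames, IPs, the salt and the keys are constructed placeholders. The strict=False branch models what StrictHostKeyChecking no does: a substituted key is accepted exactly like the real one, which is the security implication the maintainer is pointing at.

```python
"""Added example for this thread, not Cerbos, go-git or OpenSSH code.

Shows: SSH_KNOWN_HOSTS as a list of file paths; what a known_hosts lookup
checks, including hashed (|1|...) and [host]:port entries and several keys
under one load-balanced name; and why disabling strict host key checking
hides a changed (possibly attacker-controlled) key. All sample data is
constructed placeholder material.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def resolve_known_hosts_paths(env: Dict[str, str], home: str,
                              sep: str = os.pathsep) -> List[str]:
    """SSH_KNOWN_HOSTS is a sep-separated list of *paths*, not file contents.
    The fallback files are an assumption (Linux container, HOME=/ gives the
    /.ssh/known_hosts location seen in the report)."""
    raw = env.get("SSH_KNOWN_HOSTS", "")
    if raw:
        return [p for p in raw.split(sep) if p]
    return [f"{home.rstrip('/')}/.ssh/known_hosts", "/etc/ssh/ssh_known_hosts"]


def existing_files(paths: List[str]) -> List[str]:
    """Putting known_hosts *contents* into the variable yields bogus paths, so
    nothing is found: the 'unable to find any valid known_hosts file' case."""
    return [p for p in paths if os.path.isfile(p)]


def canonical_host(host: str, port: int = 22) -> str:
    """known_hosts spells non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_hostname(host: str, salt_b64: str) -> str:
    """OpenSSH hashed host field: base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def hashed_entry(host: str, salt_b64: str, key_type: str, key_b64: str) -> str:
    """One '|1|salt|hash type key' line, the form ssh-keyscan -H produces."""
    return f"|1|{salt_b64}|{hashed_hostname(host, salt_b64)} {key_type} {key_b64}"


def host_matches(hosts_field: str, host: str) -> bool:
    """Match a plain or hashed host field against a canonicalised name.
    Wildcards and negated patterns are out of scope for this example."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, digest = hosts_field.split("|")
        return hmac.compare_digest(hashed_hostname(host, salt_b64), digest)
    return host in hosts_field.split(",")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(hosts_field, key_type, key_b64) per entry; comments, blank lines and
    @cert-authority / @revoked marker lines are skipped for brevity."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def verify_host_key(known_hosts_text: str, host: str, port: int,
                    key_type: str, key_b64: str, strict: bool = True) -> str:
    """'ok', 'unknown' (no entry of this key type) or 'mismatch' (an entry of
    this type exists with a different key: the classic MITM signal).
    strict=False models StrictHostKeyChecking no: every key is accepted."""
    if not strict:
        return "ok"
    target = canonical_host(host, port)
    same_type_seen = False
    for hosts_field, ktype, kb64 in parse_known_hosts(known_hosts_text):
        if ktype != key_type or not host_matches(hosts_field, target):
            continue
        same_type_seen = True
        if hmac.compare_digest(kb64, key_b64):
            return "ok"
    return "mismatch" if same_type_seen else "unknown"


# Constructed sample data; the keys are placeholders, not real host keys.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
KEY_EVIL = "AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERSUBSTITUTEDKEYCCCCCCCCCCCCCCCCCCC"
SALT_B64 = base64.b64encode(bytes(range(20))).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# two backends behind one load-balanced name: list every backend's key",
    f"git.example.com,10.0.0.5 ssh-ed25519 {KEY_A}",
    f"git.example.com,10.0.0.6 ssh-ed25519 {KEY_B}",
    hashed_entry("[git.example.com]:2222", SALT_B64, "ssh-ed25519", KEY_A),
])
```

For the load-balancer case the sample file simply carries one line per backend key under the same name, which is how known_hosts handles it; verify_host_key returns "ok" for either backend, "mismatch" for a substituted key, and, with strict=False, "ok" for the substituted key as well.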