Unable to initialize git store when using ssh protocol

[aku]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

If I use 'ssh' protocol for git store in config file

storage:
  driver: "git"
  git:
    branch: master
    checkoutDir: ${HOME}/tmp/cerbos/work
    protocol: ssh
    ssh:
      password: ${GIT_TOKEN_PASSWORD}
      privateKeyFile: ${HOME}/.ssh/id_rsa
    url: ${GIT_REPO_URL}

and start start Cerbos in Docker container

docker run  \
  --name cerbos \
  -p 3592:3592 \
  -p 3593:3593 \
  -v $(pwd)/certs/id_cerbos:/.ssh/id_rsa \
  -v $(pwd)/config/config.yaml:/config/conf.yaml \
  --env GIT_TOKEN_PASSWORD=[REDACTED] \
  --env GIT_REPO_URL=ssh://git@[REDACTED] \
  ghcr.io/cerbos/cerbos:0.28.0 server --config=/config/conf.yaml

the server will crash with following error:

{"log.level":"info","@timestamp":"2023-07-12T19:14:20.500Z","log.logger":"cerbos.git.store","message":"Cloning git repo from ssh://git@[REDACTED]","dir":"//tmp/cerbos/work"}
{"log.level":"error","@timestamp":"2023-07-12T19:14:20.501Z","log.logger":"cerbos.git.store","message":"Failed to initialize git store","dir":"//tmp/cerbos/work","error":"failed to clone from ssh://git@[REDACTED] to //tmp/cerbos/work: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable"}

I've tried to provide SSH_KNOWN_HOSTS value via env variable:

--env SSH_KNOWN_HOSTS="$(ssh-keyscan [REDACTED] 2>/dev/null)"

Unfortunately, it didn't fix the issue.

The only working solution I found is to mount known_hosts file to /.ssh/known_hosts in the container

-v $(pwd)/ssh/known_hosts:/.ssh/known_hosts

Expected Behavior

Cerbos should support SSH_KNOWN_HOSTS env variable

Alternatively, it would be nice to set disableHostKeyChecking flag in git storage config to disable hosts validation similar to StrictHostKeyChecking no command in ssh_config

storage:
  driver: "git"
  git:
    protocol: ssh
    ssh:
      disableHostKeyChecking: true

Have a look at similar issue issue in GitLab

Steps To Reproduce

1 Configure git storage to use ssh protocol
2 Run Cerbos docker image

Environment

- OS: MacOS 13.2
- Cerbos version: 0.28.0
- Docker version: 24.0.2
- Go version:

Anything else?

No response

[charithe]

I believe that the SSH_KNOWN_HOSTS environment variable is meant to contain a list of file paths to read the known hosts files. So, you'd still have to mount the output of ssh-keyscan as a volume and set SSH_KNOWN_HOSTS to point to that path.

Disabling strict host key checks has serious security implications and we are reluctant to support that in Cerbos. While it might be a bit inconvenient to generate the known hosts file, it's probably preferable over having an insecure configuration.

[aku]

Usually this env var contains content of known_hosts file. It simplifies devops as you don't need to maintain and mount a known_hosts file. If in your case it is meant to contain paths it should documented somewhere.

It would be nice to improve error message and update documentation to provide clear instructions on how to setup "ssh" protocol properly.

As for "insecure" flag it could be useful in trusted or test environment. If you have a load balancer in front of your git host it might be problematic to get fingerprints of all hosts.

Disabling strict check is a core feature of SSH client. You can add some WARN message if "insecure" mode is enabled via config file

If you insist that known_hosts is mandatory then you should add a new config variable to specify known_hosts file path explicitly