From 2b534cc869fa571541e02a7df82e4a8b10682c84 Mon Sep 17 00:00:00 2001
From: Stephen Moloney
Date: Sat, 11 Aug 2018 12:06:02 +0100
Subject: [PATCH] Verify known_host ssh keys during image build

What does this commit/MR do?

- Verifies the known_hosts match expectations after running a ssh-keyscan on the git hosts

Why is this commit/MR needed?

- To mitigate (albeit unlikely) man-in-middle attacks
---
 docker/Dockerfile.flux          | 5 ++++
 docker/Dockerfile.helm-operator | 4 +++
 docker/verify_known_hosts       | 47 +++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 docker/verify_known_hosts

diff --git a/docker/Dockerfile.flux b/docker/Dockerfile.flux
index 3f42a7147e..3823e54eb2 100644
--- a/docker/Dockerfile.flux
+++ b/docker/Dockerfile.flux
@@ -7,6 +7,11 @@ RUN apk add --no-cache openssh ca-certificates tini 'git>=2.3.0'
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh
 RUN ssh-keyscan github.com gitlab.com bitbucket.org >> /etc/ssh/ssh_known_hosts
+
+# Verify newly added known_hosts (man-in-middle mitigation)
+ADD ./verify_known_hosts /home/flux/verify_known_hosts
+RUN sh /home/flux/verify_known_hosts && rm /home/flux/verify_known_hosts
+
 # Add default SSH config, which points at the private key we'll mount
 COPY ./ssh_config /etc/ssh/ssh_config
 
diff --git a/docker/Dockerfile.helm-operator b/docker/Dockerfile.helm-operator
index efbb95fb02..43a5fa77b1 100644
--- a/docker/Dockerfile.helm-operator
+++ b/docker/Dockerfile.helm-operator
@@ -10,6 +10,10 @@ RUN ssh-keyscan github.com gitlab.com bitbucket.org >> /etc/ssh/ssh_known_hosts
 # Add default SSH config, which points at the private key we'll mount
 COPY ./ssh_config /etc/ssh/ssh_config
 
+# Verify newly added known_hosts (man-in-middle mitigation)
+ADD ./verify_known_hosts /home/flux/verify_known_hosts
+RUN sh /home/flux/verify_known_hosts && rm /home/flux/verify_known_hosts
+
 COPY ./kubectl /usr/local/bin/
 
 # These are pretty static
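Review bot: `RUN sh /home/flux/verify_known_hosts` runs the new script under `sh`, but the script declares `#!/usr/bin/env bash` and its comparisons use the bash `[[ ... ]]` construct; the `apk add` line in the hunk header installs only openssh, ca-certificates, tini and git, so unless the base image already ships bash this executes under BusyBox `ash`, and the build then depends on that shell's partial bash-compat shim accepting `[[`. Either install bash and invoke it explicitly (`RUN bash /home/flux/verify_known_hosts && rm ...`), or write the script against POSIX `sh` (`[ "${x}" != "${y}" ]`) so the interpreter named in the Dockerfile is the one the script was written for. A smaller point of style: the file is a plain local copy that is deleted in the next instruction, so `COPY ./verify_known_hosts /home/flux/verify_known_hosts` is the conventional form — `ADD` brings URL-fetch and archive-extraction semantics that are not wanted here.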
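Review bot: The verification block is inserted after `COPY ./ssh_config`, whereas Dockerfile.flux places the same four lines directly after the `ssh-keyscan` line; both work, but keeping the two Dockerfiles in the same order makes drift between the images easier to spot. More substantively, the build still takes whatever the network hands back at `ssh-keyscan` time (that line is only visible in this hunk's header) and only afterwards compares it to fingerprints hard-coded in a separate script; committing the expected host keys themselves as a static `docker/ssh_known_hosts` and replacing the keyscan with `COPY ./ssh_known_hosts /etc/ssh/ssh_known_hosts` takes the network out of the trust path, makes the image build reproducible offline, and lets a key rotation show up in review as a changed key line rather than a changed fingerprint string. If the keyscan approach is kept, a one-line comment above `ADD` saying which fingerprints are pinned and where they were obtained from (the providers' published fingerprint pages) would help the next person who has to update them.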
diff --git a/docker/verify_known_hosts b/docker/verify_known_hosts
new file mode 100644
index 0000000000..b06041eac0
--- /dev/null
+++ b/docker/verify_known_hosts
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -e
+
+known_hosts_file=${1}
+known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+
+# Verify github ssh keys
+github_rsa_fingerprint=$(sed "1q;d" < "${known_hosts_file}" | ssh-keygen -l -f -| cut -d " " -f 2)
+
+if [[ "${github_rsa_fingerprint}" != "SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8" ]]; then
+  echo "The github ssh key fingerprint ${github_rsa_fingerprint} does not match expectations" && \
+  echo "Aborting build" && \
+  exit 1;
+fi
+
+# Verify gitlab ssh keys
+gitlab_rsa_fingerprint=$(sed "2q;d" < "${known_hosts_file}" | ssh-keygen -l -f -| cut -d " " -f 2) && \
+gitlab_ecdsa_fingerprint=$(sed "3q;d" < "${known_hosts_file}" | ssh-keygen -l -f -| cut -d " " -f 2) && \
+gitlab_ed25519_fingerprint=$(sed "4q;d" < "${known_hosts_file}" | ssh-keygen -l -f -| cut -d " " -f 2)
+
+if [[ "${gitlab_rsa_fingerprint}" != "SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ" ]]; then
+  echo "The gitlab ssh key fingerprint ${gitlab_rsa_fingerprint} does not match expectations" && \
+  echo "Aborting build" && \
+  exit 1;
+fi
+
+if [[ "${gitlab_ecdsa_fingerprint}" != "SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw" ]]; then
+  echo "The gitlab ssh key fingerprint ${gitlab_ecdsa_fingerprint} does not match expectations" && \
+  echo "Aborting build" && \
+  exit 1;
+fi
+
+if [[ "${gitlab_ed25519_fingerprint}" != "SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8" ]]; then
+  echo "The gitlab ssh key fingerprint ${gitlab_ed25519_fingerprint} does not match expectations" && \
+  echo "Aborting build" && \
+  exit 1;
+fi
+
+# Verify bitbucket ssh keys
+bitbucket_rsa_fingerprint=$(sed "5q;d" < "${known_hosts_file}" | ssh-keygen -l -f -| cut -d " " -f 2)
+
+if [[ "${bitbucket_rsa_fingerprint}" != "SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A" ]]; then
+  echo "The bitbucket ssh key fingerprint ${bitbucket_rsa_fingerprint} does not match expectations" && \
+  echo "Aborting build" && \
+  exit 1;
+fi
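Review bot: Every check keys off a fixed line number (`sed "1q;d"` through `sed "5q;d"`), but nothing pins which host's key lands on which line: `ssh-keyscan` does not guarantee output order across the three hosts it is given, the Dockerfiles append with `>>` to a file the base image may already populate, and any entry on line 6 or later is never looked at, so the script can fail a good build when the order shifts and can pass a file that carries an unexpected extra key for one of these hosts. The check also never ties a fingerprint to a hostname — it confirms "line 1 is GitHub's RSA key", not "github.com resolves only to GitHub's RSA key". Looking entries up by host with `ssh-keygen -F`, comparing the full set of fingerprints per host against the pinned set, and then requiring that the file holds nothing beyond those five keys closes both gaps; the sketch below also uses POSIX `[ ]` and `>&2`, so it behaves the same whether the Dockerfile invokes it with `sh` or `bash`, and it keeps the existing `known_hosts_file` default and the existing fingerprint values. `ssh-keygen -F` prints a `# Host ... found:` comment ahead of each match, hence the `grep -v '^#'` before the fingerprint step.

```shell
# … unchanged: shebang, set -e, known_hosts_file default …

# Look up every key recorded for <host> by name (not by line number) and
# require the set of fingerprints to equal the pinned set exactly.
# Usage: check_host <host> <expected SHA256 fingerprint>...
check_host() {
  host=$1; shift
  actual=$(ssh-keygen -F "${host}" -f "${known_hosts_file}" | grep -v '^#' \
             | ssh-keygen -l -f - | cut -d " " -f 2 | sort)
  expected=$(printf '%s\n' "$@" | sort)
  if [ "${actual}" != "${expected}" ]; then
    echo "The ${host} ssh key fingerprints do not match expectations:" >&2
    echo "${actual}" >&2
    echo "Aborting build" >&2
    exit 1
  fi
}

check_host github.com    SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
check_host gitlab.com    SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ \
                         SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw \
                         SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8
check_host bitbucket.org SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A

# Nothing but the five pinned keys may be present in the file.
if [ "$(grep -c '^[^#]' "${known_hosts_file}")" -ne 5 ]; then
  echo "Unexpected extra entries in ${known_hosts_file}; aborting build" >&2
  exit 1
fi
```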