Default SSH config creates errors for missing "known_hosts" #454

Open
nkadel opened this issue Nov 13, 2018 · 3 comments
@nkadel nkadel commented Nov 13, 2018

There is a classic problem for automatic tasks and the default ssh_config options, one that causes failures when a GitHub Enterprise has never had an SSH connection on port 122 done by a new user in an automatic or cron job task, because the SSH hostkey is not already stored in $HOME/.ssh/known_hosts. The simplest workaround is to simply disable the use of known_hosts. This is usually done by using these SSH command line options.

-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oLogLevel=ERROR

@lildude lildude (Member) commented Nov 14, 2018

I'm not keen on making this the default as it implies a level of trust on the destination server without review which may contravene some company security policies. It also hides any changes in the event there is some malicious change on the destination host.

If you wish to use this for your own env, you can add these options to the GHE_EXTRA_SSH_OPTS setting:

# Any extra options passed to the SSH command.
# In a single instance environment, nothing is required by default.
# In a clustering environment, "-i abs-path-to-ssh-private-key" is required.
#
#GHE_EXTRA_SSH_OPTS=""

@nkadel nkadel (Author) commented Nov 14, 2018

One can modify it in a local copy of GHE_EXTRA_SSH_OPTS, yes. That's what I've done for some automated setups, especially setups where the user doing the backup does not have write permission to their home directory for a service user, but only has permission to write to the "data" directory. I do think that at least tossing in a commented out GHE_EXTRA_SSH_OPTS with these options would be useful, and I'd be happy to submit a pull request for it.

The confusing behavior of ".ssh/known_hosts" has been an issue and a source of unreliable behavior since SSH was first created in the 1990s.

@lildude lildude (Member) commented Nov 14, 2018

> I do think that at least tossing in a commented out GHE_EXTRA_SSH_OPTS with these options would be useful, and I'd be happy to submit a pull request for it.

I think this is something better suited to the documentation, possibly as a note on https://github.com/github/backup-utils/blob/master/docs/scheduling-backups.md or a new FAQ.
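
An added example, not part of this thread or of backup-utils itself: one way to serve both concerns above is to keep strict host key checking but point SSH at a pinned known_hosts file in a directory the backup user can write, so nothing under $HOME/.ssh is needed. The host name `ghe.example.com`, the file name `ssh_known_hosts` and both function names are assumptions, and the key in the sample file is a constructed placeholder.

```shell
# Added example: build GHE_EXTRA_SSH_OPTS from a pinned known_hosts file
# instead of disabling host key checking. Names and paths are assumptions.

# Return 0 if FILE holds an unhashed known_hosts entry for HOST on PORT.
# Entries for non-default ports are stored as "[host]:port keytype key".
has_pinned_key() {
    file=$1 host=$2 port=$3
    [ -s "$file" ] || return 1
    awk -v want="[$host]:$port" '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $1 ~ /^@/ { next }              # @revoked / @cert-authority lines are not pins
        NF >= 3 { n = split($1, names, ",")
                  for (i = 1; i <= n; i++) if (names[i] == want) found = 1 }
        END { exit !found }' "$file"
}

# Print the option string for GHE_EXTRA_SSH_OPTS. Fail when no key is pinned,
# so a cron job stops rather than trusting whatever answers on the port.
pinned_ssh_opts() {
    file=$1 host=$2 port=${3:-122}
    if ! has_pinned_key "$file" "$host" "$port"; then
        echo "no pinned host key for [$host]:$port in $file" >&2
        return 1
    fi
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$file"
}

# Constructed sample: a throwaway directory standing in for the backup data
# directory, holding a placeholder entry (not a real host key).
demo_dir=$(mktemp -d)
demo_kh="$demo_dir/ssh_known_hosts"
printf '%s\n' '# reviewed and pinned by an administrator' \
    '[ghe.example.com]:122 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedPlaceholderNotARealKey' \
    > "$demo_kh"

GHE_EXTRA_SSH_OPTS=$(pinned_ssh_opts "$demo_kh" ghe.example.com 122)
echo "GHE_EXTRA_SSH_OPTS=\"$GHE_EXTRA_SSH_OPTS\""
```

The pinned file is written once by an administrator who has checked the key's fingerprint against the appliance; with `StrictHostKeyChecking=yes`, a later change of host key makes the backup fail loudly instead of being accepted silently.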
