Add CheckHostIP=no to SSH auth options for mirroring

Nick Thomas requested to merge make-known-hosts-file-writable into master

When SSH pull mirroring is broken, we frequently get reports that the known_hosts integration is broken, due to messages like this in the log output:

2:fetch remote: "
Failed to add the RSA host key for IP address 'xxx.yyy.zzz.www' to the list of known hosts (/tmp/123456/gitlab-shell-known-hosts).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
"

exit status 128.

With CheckHostIP=yes (the default), the SSH client will proactively convert a hostname to an IP, and try to add that IP to the known_hosts file if it isn't already present. Since our UserKnownHostsFile is read-only, that fails with this harmless (but confusing) warning message.

Adding CheckHostIP=no removes that warning message. It also means that we no longer try to protect against DNS spoofing, but since ssh will automatically (try to) add the fingerprint of unknown IPs to the known_hosts file at present, the value of that is effectively nil.

Edited by Nick Thomas
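As an added example (not part of the merge request or of GitLab's code), a POSIX shell check a defender might run before switching a mirror to CheckHostIP=no: with IP checks off, the hostname's pinned key in the read-only UserKnownHostsFile is the only host verification left, so confirm such an entry exists before building the ssh command. The hostnames, key material and the StrictHostKeyChecking=yes option are constructed assumptions, not values from the MR.

```shell
#!/bin/sh
# Constructed known_hosts for illustration; hostnames and key material are fakes.
KNOWN_HOSTS=$(mktemp)
cat > "$KNOWN_HOSTS" <<'EOF'
mirror.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALNOTAREALKEY
git.example.net,203.0.113.7 ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYMATERIALNOTAREALKEY
EOF
chmod 0444 "$KNOWN_HOSTS"   # read-only, like the file described in the MR

# host_is_pinned HOST FILE -> exit 0 if FILE has a plaintext entry naming HOST.
# Handles comma-separated name lists and @cert-authority/@revoked markers;
# hashed (|1|...) entries are not matched here (ssh-keygen -F covers those).
host_is_pinned() {
    awk -v h="$1" '
        NF == 0 || $1 ~ /^#/ { next }               # skip blank and comment lines
        { names = ($1 ~ /^@/) ? $2 : $1             # marker lines put names in field 2
          n = split(names, a, ",")
          for (i = 1; i <= n; i++) if (a[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# mirror_ssh_command HOST FILE -> print the ssh invocation for a mirror fetch,
# refusing when HOST is not pinned: with CheckHostIP=no nothing else pins the peer.
# StrictHostKeyChecking=yes is an assumption; the MR does not list the other options.
mirror_ssh_command() {
    host_is_pinned "$1" "$2" || {
        echo "refusing: no host key for $1 in $2" >&2
        return 1
    }
    printf 'ssh -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o CheckHostIP=no\n' "$2"
}

# Example use: the printed command is what GIT_SSH_COMMAND would be set to.
mirror_ssh_command mirror.example.org "$KNOWN_HOSTS"
```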