Add strict host key checking to SSH config

John Cairequested to merge
jc-add-strict-host-checking into main

What does this MR do?

Adds two config values to the ssh config:

DisableStrictHostChecking - defaults to false KnowHostsFile - defaults to ~/.ssh/known_hosts for whichever user is running the GitLab Runner binary

This change enforces strict host checking unless explicitly told not to.

Other Changes

  • moved stub_ssh_server.go from the executors folder to the helpers/ssh folder as it seems to make more sense as a helper method, being used both in the executors/ssh package as well as the helpers/ssh package.

Why was this MR needed?

The ssh executor is susceptible to MITM attacks because of the missing StrictHostKeyChecking option.

What's the best way to test this MR?

  1. setup an ssh server
  2. ensure host is in known_hosts. If it's not, you can add it with the ssh-keyscan -p [port] >> ~/.ssh/known_hosts command
  3. setup runner config.yml with an ssh executor.
concurrent = 1

[[runners]]
  name = "ssh executor"
  url = "https://gitlab.com/"
  token = "_REDACTED_"
  executor = "ssh"
  [runners.ssh]
    host = "127.0.0.1"
    port = "22"
    user = "USERNAME"
    password = "_REDACTED_"
    disable_strict_host_checking = true
  1. set up .gitlab-ci.yml with a job that just prints something
variables:
  DURATION: 10

job:
  script:
  - 'for i in $(seq 1 $DURATION); do echo $(date); sleep 1; done'
  - echo "done"
  1. run the pipeline

repeat but remove the entry in known_hosts

repeat with the missing entry in known_hosts but set DisableStrictHostChecking to true

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4368

Edited by John Cai

Merge request reports