Make explicit disabling of strict-host-key-checking mandatory by default (!3418) · Merge requests · GitLab.org / gitlab-runner

Romuald Atchadé requested to merge ssh-strict-host-key-checking-enable-by-default into main Apr 27, 2022

What does this MR do?

Enable strict host key checking by default unless explicitly disabled through the runners.ssh.disable_strict_host_key_checking parameter

Why was this MR needed?

To deprecate the previous behaviour where disable_strict_host_key_checking

What's the best way to test this MR?

gitlab-ci

job:
 script:
 - 'for i in $(seq 1 10); do echo $(date); sleep 1; done'
 - echo "done"

Launch a job using the gitlab-ci above and the following config.toml

config.toml

[[runners]]
  name = "kubernetes"
  url = "https://gitlab.com/"
  token = "__TOKEN__"
  executor = "ssh"
  [runners.ssh]
    host = "__HOST__"
    port = "22"
    user = "__USERNAME__"
    password = "__PASSWORD__"

The job fails.

Notes: The assumption here is that the localhost hasn't been trusted already. It is the case, it needs to be removed from the known_host because the test is done.

Launch a job using the gitlab-ci above and the following config.toml (Strict Host Hey checking explicitly disabled)

config.toml

[[runners]]
  name = "kubernetes"
  url = "https://gitlab.com/"
  token = "__TOKEN__"
  executor = "ssh"
  [runners.ssh]
    host = "__HOST__"
    port = "22"
    user = "__USERNAME__"
    password = "__PASSWORD__"
    disable_strict_host_key_checking = true

The job succeeds

What are the relevant issue numbers?

close #28192 (closed)

Edited May 04, 2022 by Romuald Atchadé

Make explicit disabling of strict-host-key-checking mandatory by default

What does this MR do?

Why was this MR needed?

What's the best way to test this MR?

What are the relevant issue numbers?

Merge request reports