-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add ssh.github.com to SSH known hosts #13592
Conversation
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Codecov ReportPatch and project coverage have no change.
Additional details and impacted files@@ Coverage Diff @@
## master #13592 +/- ##
=======================================
Coverage 49.22% 49.22%
=======================================
Files 248 248
Lines 42830 42830
=======================================
Hits 21084 21084
Misses 19648 19648
Partials 2098 2098 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just ran ./hack/update-ssh-known-hosts.sh
and here's the diff. So looks like more entries need to be updated/added?
--- a/hack/ssh_known_hosts
+++ b/hack/ssh_known_hosts
@@ -1,5 +1,9 @@
# This file was automatically generated. DO NOT EDIT
+bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
+bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
Do I need to update It seems that these files have not been used since #1807, which removed the copying of |
If necessary, we can update "hack/update-ssh-known-hosts.sh" as follows. diff --git a/hack/update-ssh-known-hosts.sh b/hack/update-ssh-known-hosts.sh
index ede8802e6..cca8983d2 100755
--- a/hack/update-ssh-known-hosts.sh
+++ b/hack/update-ssh-known-hosts.sh
@@ -5,17 +5,28 @@ set -e
KNOWN_HOSTS_FILE=$(dirname "$0")/ssh_known_hosts
HEADER="# This file was automatically generated. DO NOT EDIT"
echo "$HEADER" > $KNOWN_HOSTS_FILE
-ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com | sort -u >> $KNOWN_HOSTS_FILE
+{ \
+ ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com && \
+ ssh-keyscan -p 443 ssh.github.com ; \
+} | sort -u >> $KNOWN_HOSTS_FILE
chmod 0644 $KNOWN_HOSTS_FILE
# Public SSH keys can be verified at the following URLs:
# - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+# - ssh.github.com: https://docs.github.com/en/authentication/troubleshooting-ssh/using-ssh-over-the-https-port#updating-known-hosts
# - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
# - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
# - ssh.dev.azure.com, vs-ssh.visualstudio.com: https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops
diff - <(ssh-keygen -l -f $KNOWN_HOSTS_FILE | sort -k 3) <<EOF
+256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM [ssh.github.com]:443 (ECDSA)
+256 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU [ssh.github.com]:443 (ED25519)
+3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s [ssh.github.com]:443 (RSA)
+256 SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0 bitbucket.org (ECDSA)
+256 SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM bitbucket.org (ED25519)
2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
-2048 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)
+256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)
+256 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU github.com (ED25519)
+3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)
256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA) |
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
I updated
Added fingerprints can be verified here.
|
@terrytangyuan I've updated the PR. Could you take another look? |
I am not familiar with what the required changes are so let's wait for others to review. There is also another PR #13627 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @tksm!
/cherry-pick release-2.7 |
/cherry-pick release-2.6 |
* feat: add ssh.github.com to SSH known hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: update hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: sync known hosts ConfigMap with hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> --------- Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Cherry-pick failed with |
/cherry-pick release-2.5 |
Cherry-pick failed with |
* feat: add ssh.github.com to SSH known hosts * fix: update hack/ssh_known_hosts * fix: sync known hosts ConfigMap with hack/ssh_known_hosts --------- Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> Co-authored-by: Takashi Kusumi <tkusumi@zlab.co.jp>
…j#13765) * feat: add ssh.github.com to SSH known hosts * fix: update hack/ssh_known_hosts * fix: sync known hosts ConfigMap with hack/ssh_known_hosts --------- Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> Co-authored-by: Takashi Kusumi <tkusumi@zlab.co.jp> Signed-off-by: schakrad <58915923+schakrad@users.noreply.github.com>
* feat: add ssh.github.com to SSH known hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: update hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: sync known hosts ConfigMap with hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> --------- Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
* feat: add ssh.github.com to SSH known hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: update hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> * fix: sync known hosts ConfigMap with hack/ssh_known_hosts Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp> --------- Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Closes #13591
This PR adds
ssh.github.com:443
key entries to SSH known hosts.Most firewall rules typically allow traffic on the HTTPS port, so GitHub allows users to use SSH over the HTTPS port on ssh.github.com:443. For detailed information, please refer to the documentation on "Using SSH over the HTTPS port"
Added key entries are the same as github.com, which can be verified at "GitHub's SSH key fingerprints".
I found the following files also include the list of known hosts, but it seems unused and obsolete, so I did not add the keys to these files.
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist:
Please see Contribution FAQs if you have questions about your pull-request.