Non interactive git clone (ssh fingerprint prompt) [duplicate]

I want to clone a repo in a non-interactive way. When cloning, git asks to confirm host's fingerprint:

The authenticity of host 'bitbucket.org (207.223.240.182)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? no

How do I force "yes" every time this question pops up? I tried using yes yes | git clone ..., but it doesn't work.

EDIT: Here's a solution: Can I automatically add a new host to known_hosts? (adds entries to known_hosts with ssh-keyscan).


Neither "StrictHostKeyChecking no" nor "ssh-keyscan" options are secure. You need a manual fingerprint validation at some point to avoid a MiTM attack if you stick with ssh.

Actually, you have 2 options:

Use https protocol instead of git

It won't ask you for a fingerprint, because ssh is not involved, https is used instead. From a security standpoint you are trusting root certificates installed on your OS. If you're using a minimalist image or Docker, you might need to install the ca-certificates package.

If you really want git+ssh protocol

Do you really need to add the key at runtime? This is not secure because you didn't check the fingerprint and that leaves you open to MiTM attacks. This is not just theoretical, and it has been proven to work.

Before running your script, get the key from github (on your local machine):

ssh-keyscan github.com >> githubKey

Generate the fingerprint:

ssh-keygen -lf githubKey

And check it manually against those listed in this page (ok, there you trust https certificates and OpenSSL to bring you the original github website, but it's still a lot better than blindly accepting a public key).

Alternatively (trusting the same https and OpenSSL) you can fetch it from https://api.github.com/meta like this: curl -s https://api.github.com/meta | jq ."ssh_key_fingerprints" | grep RSA. (Thanks @willscripted for this one)

Then, you hardcode it in your script by adding in it:

echo '<copy paste the content of 'cat githubKey' on your machine>'  >> ~/.ssh/known_hosts

before the git clone.

The GitHub public key will only change if they believe it was compromised (or not secure enough). If this is ever the case, you want your script to fail anyway.


I don't think that is the best solution, but it was a solution for me.

ANSWER:

Adding the domain names to the known_hosts file using the ssh-keyscan command solved the issue:

ssh-keyscan <enter_domainname_e.g._github.com> >> ~/.ssh/known_hosts


Adding the key to .ssh/known_hosts appears to be the right thing to do.

Though when you automate the task you want to make sure the key is not already contained and added on each clone/pull task.

This snippet will only add the fingerprint if not already found:

if ! grep -q "^bitbucket.org " ~/.ssh/known_hosts 2>/dev/null; then
  ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts 2>/dev/null
fi
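The two ideas above, verifying the fingerprint of a keyscan line before trusting it (second answer) and adding it to known_hosts only once (this answer), combined in one script. This is an added example, not code from any of the posters. The host key line is constructed in the script (a made-up ed25519 blob, not GitHub's real key), the fingerprint calculation reproduces what ssh-keygen -lf prints (SHA256 over the raw key blob, base64 without padding), and the pinned value is computed from the sample only so the example runs offline; in a real script you paste that value from the provider's documentation page.

```python
"""Pin an SSH host key in known_hosts only after its fingerprint matches a
value obtained out of band. Added example; the key material is constructed."""
import base64
import hashlib
import os
import tempfile

# Constructed sample standing in for one line of `ssh-keyscan github.com`
# output. The blob is ed25519 wire format around 32 bytes of 0x01; it is NOT
# GitHub's real host key.
_FAKE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_KEYSCAN_LINE = "github.com ssh-ed25519 " + base64.b64encode(_FAKE_BLOB).decode()


def fingerprint_sha256(keyscan_line: str) -> str:
    """Compute the fingerprint `ssh-keygen -lf` prints for a keyscan/known_hosts
    line: 'SHA256:' followed by unpadded base64 of SHA-256 over the raw blob."""
    fields = keyscan_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 blob>'")
    blob = base64.b64decode(fields[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(keyscan_line: str, expected: str) -> bool:
    """True only if the line's computed fingerprint equals the pinned value."""
    return fingerprint_sha256(keyscan_line) == expected


def pin_host_key(keyscan_line: str, expected: str, known_hosts_path: str) -> bool:
    """Append the line to known_hosts only when its fingerprint matches the
    pinned value and no entry for the same (host, key type) pair exists yet.
    Returns True if a line was written, False if it was already present.
    A mismatch raises, so an automated clone fails rather than trusting an
    unverified key."""
    if not fingerprint_matches(keyscan_line, expected):
        raise ValueError(
            f"host key fingerprint mismatch for {keyscan_line.split()[0]}: "
            f"got {fingerprint_sha256(keyscan_line)}, expected {expected}"
        )
    host, keytype = keyscan_line.split()[:2]
    existing = []
    if os.path.exists(known_hosts_path):
        with open(known_hosts_path) as fh:
            existing = fh.read().splitlines()
    for line in existing:
        # Dedupe on host AND key type: a host usually offers several key types.
        if line.split()[:2] == [host, keytype]:
            return False
    with open(known_hosts_path, "a") as fh:
        fh.write(keyscan_line.rstrip("\n") + "\n")
    return True


def run_demo() -> tuple:
    """Pin the sample key twice into a throw-away known_hosts file and return
    (added_first_time, added_second_time)."""
    # Real scripts hardcode the pinned value copied from the provider's docs;
    # here it is derived from the sample only so the demo runs offline.
    pinned = fingerprint_sha256(SAMPLE_KEYSCAN_LINE)
    path = os.path.join(tempfile.mkdtemp(), "known_hosts")
    first = pin_host_key(SAMPLE_KEYSCAN_LINE, pinned, path)
    second = pin_host_key(SAMPLE_KEYSCAN_LINE, pinned, path)
    return first, second


if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_KEYSCAN_LINE))
    print(run_demo())
```

Deduplicating on the (host, key type) pair rather than on the host alone matters because ssh-keyscan returns one line per key type the server offers; a check on the host prefix only would skip the remaining types after the first one is written.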