SSH key not added to known_keys automatically?

ottoo · January 9, 2020, 11:23pm

Hi

I setup a deploy key on Gitlab for our project and add it in our config.yml with the following command

- add_ssh_keys:
      fingerprints:
        - "xx:xx:xx"

This used to work out of the box, but now for some reason the key is not added to known_hosts automatically. I can see that the IdentityFile is added in .ssh/config, but only after I ssh in to the build machine and run the following cmd the key is added to known_hosts.

ssh -T git@gitlab.com

The authenticity of host 'gitlab.com (35.231.145.151)' can't be established.
ECDSA key fingerprint is SHA256:xxx.
Are you sure you want to continue connecting (yes/no)? yes

Shouldn’t the add_ssh_keys command do this automatically or do I need to append the key manually to known_hosts or do something like "echo -e "Host gitlab.com\n\tStrictHostKeyChecking no\n" > ~/.ssh/config"?

levlaz · January 12, 2020, 9:56pm

add_ssh_key does not do this automatically. The first approach you describe would work great. The second approach would also work, but there is a security risk that you need to accept if you disable StrictHostKeyChecking.

We describe our recommended approaches here: https://circleci.com/docs/2.0/gh-bb-integration/#establishing-the-authenticity-of-an-ssh-host