diff --git a/.github/workflows/verify-on-container-alpine.yml b/.github/workflows/verify-on-container-alpine.yml
index 1dab348..c3c2f80 100644
--- a/.github/workflows/verify-on-container-alpine.yml
+++ b/.github/workflows/verify-on-container-alpine.yml
@@ -301,3 +301,32 @@ jobs:
 run: ls -l /root/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ container: ${{ matrix.container }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ container:
+ - alpine:3.10
+ - alpine:3.11
+ - alpine:3.12
+ - alpine:3.13
+ steps:
+ - name: Install packages
+ run: apk add openssh-client git
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l /root/.ssh
diff --git a/.github/workflows/verify-on-container-centos.yml b/.github/workflows/verify-on-container-centos.yml
index d008cb8..384740c 100644
--- a/.github/workflows/verify-on-container-centos.yml
+++ b/.github/workflows/verify-on-container-centos.yml
@@ -292,3 +292,31 @@ jobs:
 run: ls -l /root/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ container: ${{ matrix.container }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ container:
+ - centos:7
+ - centos:8
+ steps:
+ - name: Install packages
+ run: |
+ yum install -y git openssh-clients
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l /root/.ssh
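Review bot: The new `known_hosts-unnecessary` job ends with `- name: print created files` / `run: ls -l /root/.ssh`, which only prints the directory and asserts nothing, so a regression that writes the literal text `unnecessary` into known_hosts (or fails to create the key file) would still pass. Add an assertion step after the install, e.g. `- name: verify known_hosts is absent` / `run: test ! -e /root/.ssh/known_hosts`, and a matching `test -f` for the key file. The same gap is in the centos hunk on this line and in the ubuntu-container, macos, ubuntu and windows hunks below, where the path is `~/.ssh/known_hosts` for the non-container runners (adjust to whatever shell those workflows run their steps in). Not attempting the `git clone` over SSH that the sibling jobs do is right here, since with no pinned host key that clone would fail host key verification rather than prove anything.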
diff --git a/.github/workflows/verify-on-container-ubuntu.yml b/.github/workflows/verify-on-container-ubuntu.yml
index 0cae861..4bbf5de 100644
--- a/.github/workflows/verify-on-container-ubuntu.yml
+++ b/.github/workflows/verify-on-container-ubuntu.yml
@@ -310,3 +310,33 @@ jobs:
 run: ls -l /root/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ container: ${{ matrix.container }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ container:
+ - ubuntu:16.04
+ - ubuntu:18.04
+ - ubuntu:20.04
+ steps:
+ - name: Install packages
+ run: |
+ apt update
+ apt -y install openssh-client git
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l /root/.ssh
diff --git a/.github/workflows/verify-on-macos.yml b/.github/workflows/verify-on-macos.yml
index 87b836f..7ae91c3 100644
--- a/.github/workflows/verify-on-macos.yml
+++ b/.github/workflows/verify-on-macos.yml
@@ -237,3 +237,24 @@ jobs:
 run: ls -l ~/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ steps:
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l ~/.ssh
diff --git a/.github/workflows/verify-on-ubuntu.yml b/.github/workflows/verify-on-ubuntu.yml
index 7117eaf..f07a231 100644
--- a/.github/workflows/verify-on-ubuntu.yml
+++ b/.github/workflows/verify-on-ubuntu.yml
@@ -257,3 +257,24 @@ jobs:
 run: ls -l ~/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ steps:
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l ~/.ssh
diff --git a/.github/workflows/verify-on-windows.yml b/.github/workflows/verify-on-windows.yml
index 9a155bb..32a4cdc 100644
--- a/.github/workflows/verify-on-windows.yml
+++ b/.github/workflows/verify-on-windows.yml
@@ -237,3 +237,24 @@ jobs:
 run: ls -l ~/.ssh
 - name: git clone through SSH
 run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+ known_hosts-unnecessary:
+ name: without known_hosts file
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-16.04
+ - ubuntu-18.04
+ - ubuntu-20.04
+ steps:
+ - name: Checkout source codes
+ uses: actions/checkout@v2
+ - name: Install SSH key
+ uses: ./.
+ with:
+ key: ${{ secrets.SSH_KEY_PEM }}
+ known_hosts: unnecessary
+ - name: print created files
+ run: ls -l ~/.ssh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d22faa0..a6cad21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 * `if_key_exists` parameter
+* `known_hosts: unnecessary`
 * Support Alpine Linux Docker container
 ## [2.2.0] - 2021-02-27
diff --git a/README.md b/README.md
index b5e019c..5f549c5 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ See [Workflow syntax for GitHub Actions](https://help.github.com/en/articles/wor
 If you want to install multiple keys, call this action multiple times. It is useful for port forwarding.
-**NOTE:** When this action is called multiple times, **the contents of `known_hosts` and `config` will be appended**. `key` must be saved as different name, by using `name` option.
+**NOTE:** When this action is called multiple times, **the contents of `known_hosts` and `config` will be appended**. `key` must be saved as different name, by using `name` option.
 ```yaml
 runs-on: ubuntu-latest
@@ -133,6 +133,18 @@ It has some advantages over other methods:
 * And will be updated continuously.
 * if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion.
+
+ ### I want to omit `known_hosts`.
+
+ First of all, you have to understand that it is NOT secure to SSH with no `known_hosts` and using `StrictHostKeyChecking=no` option.
+
+ Why do you want to omit it?
+ If the reason is **"I'm not understanding about the function of `known_hosts`"** or **"It's bother to fetch server key"**, you should not omit.
+ If **"It is hard to prefetch server key because the server will be created dynamically"**, you can use bastion server.
+
+ **"`known_hosts` is unnecessary because I'm using secure method for SSH, such as SSHFP and signed server key."** — OK, here is a special value to omit `known_hosts`.
+ You should use it ONLY IF you are using secure methods...
+ It is `known_hosts: unnecessary`.
+
 ## License
 The scripts and documentation in this project are released under the [MIT License](LICENSE)
diff --git a/lib/index.js b/lib/index.js
index 8817986..11dbfc5 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -445,24 +445,7 @@ function main() {
 mode: 0o700,
 });
 // files to be created
- const files = [
- {
- name: "known_hosts",
- contents: insertLf(knownHosts, true, true),
- options: {
- mode: 0o644,
- flag: "a",
- },
- },
- {
- name: "config",
- contents: insertLf(config, true, true),
- options: {
- mode: 0o644,
- flag: "a",
- },
- },
- ];
+ const files = [];
 if (shouldCreateKeyFile(path_1.default.join(dirName, name), ifKeyExists)) {
 files.push({
 name: name,
@@ -473,6 +456,26 @@ function main() {
 },
 });
 }
+ if (knownHosts !== "unnecessary") {
+ files.push({
+ name: "known_hosts",
+ contents: insertLf(knownHosts, true, true),
+ options: {
+ mode: 0o644,
+ flag: "a",
+ },
+ });
+ }
+ if (config !== "") {
+ files.push({
+ name: "config",
+ contents: insertLf(config, true, true),
+ options: {
+ mode: 0o644,
+ flag: "a",
+ },
+ });
+ }
 // create files
 for (const file of files) {
 const fileName = path_1.default.join(dirName, file.name);
diff --git a/src/main.ts b/src/main.ts
index 0764350..737ec57 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -37,24 +37,7 @@ function main(): void
 });
 // files to be created
- const files: FileInfo[] = [
- {
- name: "known_hosts",
- contents: insertLf(knownHosts, true, true),
- options: {
- mode: 0o644,
- flag: "a",
- },
- },
- {
- name: "config",
- contents: insertLf(config, true, true),
- options: {
- mode: 0o644,
- flag: "a",
- },
- },
- ];
+ const files: FileInfo[] = [];
 if(shouldCreateKeyFile(path.join(dirName, name), ifKeyExists))
 {
 files.push({
@@ -66,6 +49,28 @@ function main(): void
 },
 });
 }
+ if(knownHosts !== "unnecessary")
+ {
+ files.push({
+ name: "known_hosts",
+ contents: insertLf(knownHosts, true, true),
+ options: {
+ mode: 0o644,
+ flag: "a",
+ },
+ });
+ }
+ if(config !== "")
+ {
+ files.push({
+ name: "config",
+ contents: insertLf(config, true, true),
+ options: {
+ mode: 0o644,
+ flag: "a",
+ },
+ });
+ }
 // create files
 for(const file of files)
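Review bot: Replacing the initializer with `const files: FileInfo[] = [];` moves the known_hosts and config entries behind the two guards in the following hunk (whose end lies outside this view), and the `config !== ""` guard there is a behaviour change the CHANGELOG entry does not cover: an empty `config` input used to still create (append to) an empty `config` file, now nothing is written, so either note it in the CHANGELOG or keep that write unconditional. The `"unnecessary"` sentinel is compared inline against the raw input; hoisting it to `const KNOWN_HOSTS_UNNECESSARY = "unnecessary";` gives the README's special value a single definition, and the exact comparison is the right fail-safe shape since any other value still lands in known_hosts and ssh keeps rejecting unknown hosts. Because skipping known_hosts removes host-key pinning for every later ssh call in the job, the skip branch should surface that state in the run, e.g. `core.warning("known_hosts was not created; host key verification relies on other mechanisms")` if `core` from @actions/core is already imported in this file. main()'s body starts before and ends after this hunk.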