Feature/no known hosts (#181)

* add "if_key_exists"

* add test

* fix flag

* fix SSH connection commands

* add test for if_key_exists=ignore

* add test for if_key_exists=fail

* add tests to Windows / macOS

* update CHANGELOG

* update badges

* update README

* fix README

* update README

* test no_known_hosts parameter

* implement

* ignore known_hosts if no_known_hosts is true

* refactor

* no_known_hosts is false

* Revert "no_known_hosts is false"

This reverts commit 206d310c5c.

* test on Windows / macOS

* test on Docker containers

* add tests for Docker containers

* test no_known_hosts parameter

* implement

* ignore known_hosts if no_known_hosts is true

* refactor

* no_known_hosts is false

* Revert "no_known_hosts is false"

This reverts commit 206d310c5c.

* test on Windows / macOS

* test on Docker containers

* use `known_hosts: no` instead of `no_known_hosts: true`

* update README

* update README

* "known_hosts: no" -> "known_hosts: unnecessary"

* update README

* update README

* update CHANGELOG

.github/workflows/verify-on-container-alpine.yml

@@ -301,3 +301,32 @@ jobs:
       run: ls -l /root/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    container: ${{ matrix.container }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+        container:
+        - alpine:3.10
+        - alpine:3.11
+        - alpine:3.12
+        - alpine:3.13
+    steps:
+    - name: Install packages
+      run: apk add openssh-client git
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l /root/.ssh

.github/workflows/verify-on-container-centos.yml

@@ -292,3 +292,31 @@ jobs:
       run: ls -l /root/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    container: ${{ matrix.container }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+        container:
+        - centos:7
+        - centos:8
+    steps:
+    - name: Install packages
+      run: |
+        yum install -y git openssh-clients
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l /root/.ssh

.github/workflows/verify-on-container-ubuntu.yml

@@ -310,3 +310,33 @@ jobs:
       run: ls -l /root/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    container: ${{ matrix.container }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+        container:
+        - ubuntu:16.04
+        - ubuntu:18.04
+        - ubuntu:20.04
+    steps:
+    - name: Install packages
+      run: |
+        apt update
+        apt -y install openssh-client git
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l /root/.ssh

.github/workflows/verify-on-macos.yml

@@ -237,3 +237,24 @@ jobs:
       run: ls -l ~/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+    steps:
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l ~/.ssh

.github/workflows/verify-on-ubuntu.yml

@@ -257,3 +257,24 @@ jobs:
       run: ls -l ~/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+    steps:
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l ~/.ssh

.github/workflows/verify-on-windows.yml

@@ -237,3 +237,24 @@ jobs:
       run: ls -l ~/.ssh
     - name: git clone through SSH
       run: git clone git@github.com:shimataro/ssh-key-action.git tmp
+
+  known_hosts-unnecessary:
+    name: without known_hosts file
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - ubuntu-16.04
+        - ubuntu-18.04
+        - ubuntu-20.04
+    steps:
+    - name: Checkout source codes
+      uses: actions/checkout@v2
+    - name: Install SSH key
+      uses: ./.
+      with:
+        key: ${{ secrets.SSH_KEY_PEM }}
+        known_hosts: unnecessary
+    - name: print created files
+      run: ls -l ~/.ssh

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 
 * `if_key_exists` parameter
+* `known_hosts: unnecessary`
 * Support Alpine Linux Docker container
 
 ## [2.2.0] - 2021-02-27

README.md

@@ -50,7 +50,7 @@ See [Workflow syntax for GitHub Actions](https://help.github.com/en/articles/wor
 If you want to install multiple keys, call this action multiple times.
 It is useful for port forwarding.
 
-**NOTE:**  When this action is called multiple times, **the contents of `known_hosts` and `config` will be appended**. `key` must be saved as different name, by using `name` option.
+**NOTE:** When this action is called multiple times, **the contents of `known_hosts` and `config` will be appended**. `key` must be saved as different name, by using `name` option.
 
 ```yaml
 runs-on: ubuntu-latest
@@ -133,6 +133,18 @@ It has some advantages over other methods:
         * And will be updated continuously.
     * if security incident ―e.g., private key leaked― occurs, it's OK just to remove `authorized_keys` on bastion.
 
+### I want to omit `known_hosts`.
+
+First of all, you have to understand that it is NOT secure to SSH with no `known_hosts` and using `StrictHostKeyChecking=no` option.
+
+Why do you want to omit it?
+If the reason is **"I'm not understanding about the function of `known_hosts`"** or **"It's bother to fetch server key"**, you should not omit.
+If **"It is hard to prefetch server key because the server will be created dynamically"**, you can use bastion server.
+
+**"`known_hosts` is unnecessary because I'm using secure method for SSH, such as SSHFP and signed server key."** — OK, here is a special value to omit `known_hosts`.
+You should use it ONLY IF you are using secure methods...
+It is `known_hosts: unnecessary`.
+
 ## License
 
 The scripts and documentation in this project are released under the [MIT License](LICENSE)

lib/index.js

@@ -445,24 +445,7 @@ function main() {
             mode: 0o700,
         });
         // files to be created
-        const files = [
+        const files = [];
-            {
-                name: "known_hosts",
-                contents: insertLf(knownHosts, true, true),
-                options: {
-                    mode: 0o644,
-                    flag: "a",
-                },
-            },
-            {
-                name: "config",
-                contents: insertLf(config, true, true),
-                options: {
-                    mode: 0o644,
-                    flag: "a",
-                },
-            },
-        ];
         if (shouldCreateKeyFile(path_1.default.join(dirName, name), ifKeyExists)) {
             files.push({
                 name: name,
@@ -473,6 +456,26 @@ function main() {
                 },
             });
         }
+        if (knownHosts !== "unnecessary") {
+            files.push({
+                name: "known_hosts",
+                contents: insertLf(knownHosts, true, true),
+                options: {
+                    mode: 0o644,
+                    flag: "a",
+                },
+            });
+        }
+        if (config !== "") {
+            files.push({
+                name: "config",
+                contents: insertLf(config, true, true),
+                options: {
+                    mode: 0o644,
+                    flag: "a",
+                },
+            });
+        }
         // create files
         for (const file of files) {
             const fileName = path_1.default.join(dirName, file.name);

src/main.ts

@@ -37,24 +37,7 @@ function main(): void
 		});
 
 		// files to be created
-		const files: FileInfo[] = [
+		const files: FileInfo[] = [];
-			{
-				name: "known_hosts",
-				contents: insertLf(knownHosts, true, true),
-				options: {
-					mode: 0o644,
-					flag: "a",
-				},
-			},
-			{
-				name: "config",
-				contents: insertLf(config, true, true),
-				options: {
-					mode: 0o644,
-					flag: "a",
-				},
-			},
-		];
 		if(shouldCreateKeyFile(path.join(dirName, name), ifKeyExists))
 		{
 			files.push({
@@ -66,6 +49,28 @@ function main(): void
 				},
 			});
 		}
+		if(knownHosts !== "unnecessary")
+		{
+			files.push({
+				name: "known_hosts",
+				contents: insertLf(knownHosts, true, true),
+				options: {
+					mode: 0o644,
+					flag: "a",
+				},
+			});
+		}
+		if(config !== "")
+		{
+			files.push({
+				name: "config",
+				contents: insertLf(config, true, true),
+				options: {
+					mode: 0o644,
+					flag: "a",
+				},
+			});
+		}
 
 		// create files
 		for(const file of files)