在公司防火墙后面的dockerfile中添加gitlab ssh公钥到已知主机(没有端口22) &g

我试图在docker构建过程中获得known_hosts文件中识别的公钥，我正在使用的dockerfile的相关部分是:

RUN mkdir -p -m 0700 ~/.ssh
# Copy SSH host config to use port 443
COPY docker/config/gitlab_host.txt /root/.ssh/config
RUN cat ~/.ssh/config
# Download public key for gitlab.com
RUN ssh-keyscan -p443 gitlab.com >> ~/.ssh/known_hosts
RUN cat ~/.ssh/known_hosts

为了完成，ssh配置文件(docker/config/gitlab_host.txt):

Host gitlab.com
Hostname altssh.gitlab.com
User git
Port 443
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa

首先，我在公司防火墙后面，端口22没有出站流量。因此，我们将ssh配置配置为使用端口443，幸亏gitlab提供了这个选项。然而，ssh-keyscan似乎不尊重这个配置，指定这个端口似乎也不起作用，ssh-keyscan只是无声的失败。我已经尝试了命令的多种排列:

ssh-keyscan -p 443 gitlab.comssh-keyscan gitlab.com:443

一切都无济于事。为冗长提供-v标志也不会生成输出。

唯一的其他选择，我能想到的是复制在我自己的known_hosts文件，这工作，这是安全的吗?存储库的实际克隆是通过"传递"主机ssh来完成的。

RUN --mount=type=ssh,uid=1001 pip install git+ssh://git@gitlab.com/<private>.git
RUN --mount=type=ssh,uid=1001 pip install git+ssh://git@gitlab.com/<another_private>.git

我有什么选项可以让主机知道，以便我可以进行克隆?

我也注意到了这个问题。

当我尝试使用ssh-keyscan -p 443 altssh.gitlab.com获取公钥时，它只是静静地停止，-vv的详细模式也不会提供太多信息。

我甚至试图通过nmap获得公钥，但它似乎也不起作用:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 17:09 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Warning: Hostname altssh.gitlab.com resolves to 26 IPs. Using 172.65.251.182.
Initiating Ping Scan at 17:09
Scanning altssh.gitlab.com (172.65.251.182) [2 ports]
Completed Ping Scan at 17:09, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:09
Completed Parallel DNS resolution of 1 host. at 17:09, 1.01s elapsed
Initiating Connect Scan at 17:09
Scanning altssh.gitlab.com (172.65.251.182) [1 port]
Discovered open port 443/tcp on 172.65.251.182
Completed Connect Scan at 17:09, 0.00s elapsed (1 total ports)
NSE: Script scanning 172.65.251.182.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Nmap scan report for altssh.gitlab.com (172.65.251.182)
Host is up, received syn-ack (0.0020s latency).
Other addresses for altssh.gitlab.com (not scanned): 172.64.33.173 173.245.59.173 108.162.193.173 173.245.58.77 108.162.192.77 172.64.32.77 173.245.59.173 108.162.193.173 172.64.33.173 108.162.192.77 172.64.32.77 173.245.58.77 2a06:98c1:50::ac40:21ad 2606:4700:58::adf5:3bad 2803:f800:50::6ca2:c1ad 2606:4700:50::adf5:3a4d 2803:f800:50::6ca2:c04d 2a06:98c1:50::ac40:204d 2606:4700:90:0:f0ff:e6a3:2ac:f7ef 2606:4700:58::adf5:3bad 2803:f800:50::6ca2:c1ad 2a06:98c1:50::ac40:21ad 2803:f800:50::6ca2:c04d 2a06:98c1:50::ac40:204d 2606:4700:50::adf5:3a4d
Scanned at 2021-10-20 17:09:01 CEST for 1s
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

此外，我做了我的known_hosts文件的备份，我通过SSH访问altssh.gitlab.com:443，以查看指纹是如何保存的，我的惊讶来自于主机，而不是被保存为altssh.gitlab.com存储为[altssh.gitlab.com]:

我可以找到它与ssh-keygen -H -F '[altssh.gitlab.com]:443'，但不作为ssh-keygen -H -F altssh.gitlab.com:443，这将是正常的方式。

我不知道这种行为的原因，但我知道OpenSSH 7.6包含了一个新的标志，用于在第一次尝试时添加新的主机密钥，所以我只做了一次:

ssh -oStrictHostKeyChecking=accept-new -p 443 git@altssh.gitlab.com

摘自man ssh_config的文档:

If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys.

它将失败，它实际上不会执行连接，因为我没有提供任何身份验证方法，但是HostKey将存储在known_hosts中，从那时起，您将能够使用当前配置进行访问。

相关内容

最新更新

热门标签：