guettli/sharedinbox
1
0
Fork 0
Code Issues 21 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

security: pin SSH host key instead of StrictHostKeyChecking=no in Deployer #161

New Issue
Closed
opened 2026-05-23 08:55:31 +00:00 by guettlibot · 15 comments
guettlibot commented 2026-05-23 08:55:31 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Problem

All SSH and rsync operations in the deploy pipeline use `-o StrictHostKeyChecking=no`:

  • `Deployer()` (ci/main.go ~line 325): sets `RSYNC_RSH` env var with `StrictHostKeyChecking=no`
  • `DeployApk` and `DeployLinux` (lines ~603, 604, 642, 643): explicit `-o StrictHostKeyChecking=no` on `ssh` and `scp` calls

This disables host key verification entirely. A network-level attacker on the same segment as the CI runner (ARP spoofing, DNS poisoning of `SSH_HOST`) could intercept the connection and receive deployed artifacts or SSH auth challenges.

Fix

  1. Run `ssh-keyscan ` on a trusted network and store the output as a new Codeberg secret, e.g. `SSH_KNOWN_HOSTS`.

  2. *Add a `knownHosts dagger.Secret` parameter to `Deployer()` and mount it:

```go
func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container {
return dag.Container().
From("alpine:3.21").
WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519") // no StrictHostKeyChecking=no
}
```

  1. Remove all `-o StrictHostKeyChecking=no` from individual `ssh`/`scp` calls.

  2. Pass `SSH_KNOWN_HOSTS` as a secret through the Taskfile and workflow YAML.

Note

`ssh-keyscan` itself is TOFU (Trust On First Use) — run it manually on a machine you already trust to have a legitimate route to the server, capture the output, and store it as the secret. Rotate it if the server's host key changes.

## Problem All SSH and rsync operations in the deploy pipeline use \`-o StrictHostKeyChecking=no\`: - \`Deployer()\` (ci/main.go ~line 325): sets \`RSYNC_RSH\` env var with \`StrictHostKeyChecking=no\` - \`DeployApk\` and \`DeployLinux\` (lines ~603, 604, 642, 643): explicit \`-o StrictHostKeyChecking=no\` on \`ssh\` and \`scp\` calls This disables host key verification entirely. A network-level attacker on the same segment as the CI runner (ARP spoofing, DNS poisoning of \`SSH_HOST\`) could intercept the connection and receive deployed artifacts or SSH auth challenges. ## Fix 1. **Run \`ssh-keyscan <deploy-host>\` on a trusted network** and store the output as a new Codeberg secret, e.g. \`SSH_KNOWN_HOSTS\`. 2. **Add a \`knownHosts *dagger.Secret\` parameter to \`Deployer()\`** and mount it: \`\`\`go func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.Container { return dag.Container(). From("alpine:3.21"). WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}). WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}). WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}). WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519") // no StrictHostKeyChecking=no } \`\`\` 3. **Remove all \`-o StrictHostKeyChecking=no\`** from individual \`ssh\`/\`scp\` calls. 4. **Pass \`SSH_KNOWN_HOSTS\` as a secret** through the Taskfile and workflow YAML. ## Note \`ssh-keyscan\` itself is TOFU (Trust On First Use) — run it manually on a machine you already trust to have a legitimate route to the server, capture the output, and store it as the secret. Rotate it if the server's host key changes.
guettlibot commented 2026-05-23 15:55:07 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Agent opened PR #181 but no CI run appeared on branch issue-161-fix after 74 min. The agent may not have pushed any commits. Please investigate and resume manually.

Agent opened PR #181 but no CI run appeared on branch `issue-161-fix` after 74 min. The agent may not have pushed any commits. Please investigate and resume manually.
guettlibot commented 2026-05-24 08:50:13 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:10:17 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:15:15 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:20:19 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:25:12 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:30:24 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:35:13 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:40:19 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 09:45:20 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 10:00:35 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 10:10:18 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 10:15:14 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 10:20:14 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
guettlibot commented 2026-05-24 10:25:16 +00:00 (Migrated from codeberg.org)
Copy Link
Copy Source

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.

Automatic merge of PR #181 failed (PR is still open after the merge command). Please merge manually.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
NeedSupervisor
Issue escalated to a human supervisor; agentloop will skip it until cleared.
 State/InProgress
State/Later
State/Planned
automerge
Eligible for automatic merge by CI
 ci-failure
Issue opened by agentloop to track a failing CI workflow; used for deduplication.
 do-not-merge
Plan PR — review only, do not merge.
 loop/code
Add to run the built-in "code" prompt; override at prompts/code.md.
 loop/code-ci-pending
Prompt "code" finished; waiting for the PR's CI to pass before advancing.
 loop/code-done
Prompt "code" finished successfully.
 loop/code-in-process
Agent for the "code" prompt is currently running on this issue.
 loop/merge
Managed by agentloop
 loop/merge-done
Managed by agentloop
 loop/merge-in-process
Managed by agentloop
 loop/plan
Add to run the built-in "plan" prompt; override at prompts/plan.md.
 loop/plan-done
Prompt "plan" finished successfully.
 loop/plan-in-process
Agent for the "plan" prompt is currently running on this issue.
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Assignees
Clear assignees
guettlibot guettli
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: guettli/sharedinbox#161