Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add ssh.github.com to SSH known hosts #13592

Merged
merged 3 commits into from
May 27, 2023
Merged

feat: add ssh.github.com to SSH known hosts #13592

merged 3 commits into from
May 27, 2023

Conversation

tksm
Copy link
Contributor

@tksm tksm commented May 15, 2023

Closes #13591

This PR adds ssh.github.com:443 key entries to SSH known hosts.

Most firewall rules typically allow traffic on the HTTPS port, so GitHub allows users to use SSH over the HTTPS port on ssh.github.com:443. For detailed information, please refer to the documentation on "Using SSH over the HTTPS port"

Added key entries are the same as github.com, which can be verified at "GitHub's SSH key fingerprints".

It is safe to answer "yes" to this question, assuming that the SSH fingerprint matches one of GitHub's published fingerprints.
https://docs.github.com/en/authentication/troubleshooting-ssh/using-ssh-over-the-https-port#updating-known-hosts

I found the following files also include the list of known hosts, but it seems unused and obsolete, so I did not add the keys to these files.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

@tksm
feat: add ssh.github.com to SSH known hosts
6bd0483 
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
@codecov
Copy link

codecov bot commented May 15, 2023
edited

Codecov Report

Patch and project coverage have no change.

Comparison is base (7825821) 49.22% compared to head (40fb5e2) 49.22%.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #13592   +/-   ##
=======================================
  Coverage   49.22%   49.22%           
=======================================
  Files         248      248           
  Lines       42830    42830           
=======================================
  Hits        21084    21084           
  Misses      19648    19648           
  Partials     2098     2098

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

terrytangyuan
terrytangyuan reviewed May 16, 2023
View reviewed changes
Copy link
Member

@terrytangyuan terrytangyuan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just ran ./hack/update-ssh-known-hosts.sh and here's the diff. So looks like more entries need to be updated/added?

--- a/hack/ssh_known_hosts
+++ b/hack/ssh_known_hosts
@@ -1,5 +1,9 @@
 # This file was automatically generated. DO NOT EDIT
+bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
+bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
 bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
 github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
 gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf

@tksm
Copy link
Contributor Author

tksm commented May 16, 2023

Do I need to update /hack/update-ssh-known-hosts.sh and hack/ssh_known_hosts as well?

It seems that these files have not been used since #1807, which removed the copying of hack/ssh_known_hosts. Additionally, they were not properly updated in previous PRs such as #12995 and #7722.

@tksm
Copy link
Contributor Author

tksm commented May 16, 2023

If necessary, we can update "hack/update-ssh-known-hosts.sh" as follows.

diff --git a/hack/update-ssh-known-hosts.sh b/hack/update-ssh-known-hosts.sh
index ede8802e6..cca8983d2 100755
--- a/hack/update-ssh-known-hosts.sh
+++ b/hack/update-ssh-known-hosts.sh
@@ -5,17 +5,28 @@ set -e
 KNOWN_HOSTS_FILE=$(dirname "$0")/ssh_known_hosts
 HEADER="# This file was automatically generated. DO NOT EDIT"
 echo "$HEADER" > $KNOWN_HOSTS_FILE
-ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com | sort -u >> $KNOWN_HOSTS_FILE
+{ \
+  ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com && \
+  ssh-keyscan -p 443 ssh.github.com ; \
+} | sort -u >> $KNOWN_HOSTS_FILE
 chmod 0644 $KNOWN_HOSTS_FILE
 
 # Public SSH keys can be verified at the following URLs:
 # - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+# - ssh.github.com: https://docs.github.com/en/authentication/troubleshooting-ssh/using-ssh-over-the-https-port#updating-known-hosts
 # - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
 # - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
 # - ssh.dev.azure.com, vs-ssh.visualstudio.com: https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops
 diff - <(ssh-keygen -l -f $KNOWN_HOSTS_FILE | sort -k 3) <<EOF
+256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM [ssh.github.com]:443 (ECDSA)
+256 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU [ssh.github.com]:443 (ED25519)
+3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s [ssh.github.com]:443 (RSA)
+256 SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0 bitbucket.org (ECDSA)
+256 SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM bitbucket.org (ED25519)
 2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
-2048 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)
+256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)
+256 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU github.com (ED25519)
+3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)
 256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
 256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
 2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)

tksm added 2 commits May 17, 2023 08:29
@tksm
fix: update hack/ssh_known_hosts
e7f6c98 
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
@tksm
fix: sync known hosts ConfigMap with hack/ssh_known_hosts
40fb5e2 
Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
@tksm
Copy link
Contributor Author

tksm commented May 16, 2023

I updated hack/update-ssh-known-hosts.sh and hack/ssh_known_hosts and synced known hosts ConfigMap with hack/ssh_known_hosts.

  • e7f6c98 fix: update hack/ssh_known_hosts
  • 40fb5e2 fix: sync known hosts ConfigMap with hack/ssh_known_hosts

Added fingerprints can be verified here.

@tksm tksm requested a review from terrytangyuan May 17, 2023 04:48
@tksm
Copy link
Contributor Author

tksm commented May 18, 2023

@terrytangyuan I've updated the PR. Could you take another look?

@terrytangyuan
Copy link
Member

I am not familiar with what the required changes are so let's wait for others to review. There is also another PR #13627

@tksm tksm mentioned this pull request May 22, 2023
Closed
13 tasks
crenshaw-dev
crenshaw-dev approved these changes May 27, 2023
View reviewed changes
Copy link
Collaborator

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @tksm!

@crenshaw-dev crenshaw-dev merged commit 04964c9 into argoproj:master May 27, 2023
24 checks passed
@crenshaw-dev
Copy link
Collaborator

/cherry-pick release-2.7

@crenshaw-dev
Copy link
Collaborator

/cherry-pick release-2.6

@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request May 27, 2023
Merged
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request May 27, 2023
@tksm
feat: add ssh.github.com to SSH known hosts (#13592)
7025f4c 
* feat: add ssh.github.com to SSH known hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: update hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: sync known hosts ConfigMap with hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

---------

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
@gcp-cherry-pick-bot
Copy link

Cherry-pick failed with Merge error 04964c908c6b091d7392e88a01c011192418f198 into temp-cherry-pick-4f9c8e-release-2.6

@crenshaw-dev
Copy link
Collaborator

/cherry-pick release-2.5

@gcp-cherry-pick-bot
Copy link

Cherry-pick failed with Merge error 04964c908c6b091d7392e88a01c011192418f198 into temp-cherry-pick-4f9c8e-release-2.5

crenshaw-dev pushed a commit that referenced this pull request May 27, 2023
@gcp-cherry-pick-bot @tksm
feat: add ssh.github.com to SSH known hosts (#13592) (#13765)
ed828e9 
* feat: add ssh.github.com to SSH known hosts



* fix: update hack/ssh_known_hosts



* fix: sync known hosts ConfigMap with hack/ssh_known_hosts



---------

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Co-authored-by: Takashi Kusumi <tkusumi@zlab.co.jp>
@tksm tksm deleted the ssh-github-com branch May 28, 2023 12:40
schakrad pushed a commit to schakrad/argo-cd that referenced this pull request Jul 24, 2023
@gcp-cherry-pick-bot @tksm @schakrad
feat: add ssh.github.com to SSH known hosts (argoproj#13592) (argopro…
a94a3ad 
…j#13765)

* feat: add ssh.github.com to SSH known hosts

* fix: update hack/ssh_known_hosts

* fix: sync known hosts ConfigMap with hack/ssh_known_hosts

---------

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Co-authored-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Signed-off-by: schakrad <58915923+schakrad@users.noreply.github.com>
yyzxw pushed a commit to yyzxw/argo-cd that referenced this pull request Aug 9, 2023
@tksm
feat: add ssh.github.com to SSH known hosts (argoproj#13592)
959b3b8 
* feat: add ssh.github.com to SSH known hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: update hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: sync known hosts ConfigMap with hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

---------

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
tesla59 pushed a commit to tesla59/argo-cd that referenced this pull request Dec 16, 2023
@tksm @tesla59
feat: add ssh.github.com to SSH known hosts (argoproj#13592)
c95a4da 
* feat: add ssh.github.com to SSH known hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: update hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

* fix: sync known hosts ConfigMap with hack/ssh_known_hosts

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>

---------

Signed-off-by: Takashi Kusumi <tkusumi@zlab.co.jp>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

@terrytangyuan terrytangyuan Awaiting requested review from terrytangyuan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add ssh.github.com to SSH known hosts
3 participants
@tksm @terrytangyuan @crenshaw-dev