Setting KnownHosts for SSH

[domenkozar]

Hydra queue runner doesn't automatically accept new hosts (due to default behavior in OpenSSH which is to ask for accepting the new host).

There are two ways to do that automatically:

1. by setting sshPublicHostKey which should be base64 encoded fingerprint line (not documented, but see commit NixOS/hydra@2a7fbd5), I will push a commit to enable setting this in NixOS
2. by setting programs.ssh.extraConfig = "StrictHostKeyChecking no"; in hydra-master

I chose the latter because it's a very low security tradeoff. SSH will still bail out if there is host mismatch, but it will automatically accept new hosts.

If hosts/key is hacked on first connection I think you're in trouble anyway.

[zimbatm]

SSH also supports having a shared CA that can generate keys for all of your workers. Then you can configure the CA public key in your master an access all the workers automatically. It does add a step to generate the ssh keys and transmit them to the workers. I don't know how you start your new workers but if you use EC2 you could generate the key on your machine and then pass it to the cloud-init.

https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

[domenkozar]

@peti I think we should note this in the tutorial. I'd go with 2) option, but either way is fine.

[expipiplus1]

It's possible to avoid setting StrictHostKeyChecking no by setting the known hosts system wide with
programs.ssh.knownHosts

Here is an example courtesy of @cleverca22 https://gist.github.com/cleverca22/e2f674c4f8dc0057879e25b1c6a3ef50