
known_hosts.sh 2.4KB

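#!/bin/sh
# Populate an SSH known_hosts file with the host keys of the Git hosting
# services this deployment talks to, and refuse to install anything whose
# fingerprints do not match the pinned list in validate() below. ssh-keyscan
# on its own trusts whatever answers on the network; the fingerprint pin is
# what turns that into a verified set of keys.
#
# Usage: known_hosts.sh [KNOWN_HOSTS_FILE]
#   KNOWN_HOSTS_FILE  destination path (default: /etc/ssh/ssh_known_hosts)
#
# Exit status: 0 once the file has been written with matching fingerprints,
# 1 when every scan attempt failed to produce a matching key set.
set -eu

# `${1}` on its own trips `set -u` when no argument is given, which made the
# old two-step default unreachable; apply the default in a single expansion.
known_hosts_file=${1:-/etc/ssh/ssh_known_hosts}

# Hosts scanned on the default port (22) and on port 2022, respectively.
# Kept as space-separated strings because POSIX sh has no arrays; they are
# deliberately word-split when handed to ssh-keyscan.
hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"
hosts_2022="source.developers.google.com"

# The heredoc below was generated by constructing a known_hosts using
#
# ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
#
# then generating the sorted fingerprints with
#
# ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
#
# then checking against the published fingerprints from:
# - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
# - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
# - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
# - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
# (this is where the public key fingerprint is shown; it's not a setting)
# - source.developers.google.com: https://cloud.google.com/source-repositories/docs/cloning-repositories
#
# When a provider rotates or adds a host key, re-run the steps above, verify
# the new fingerprint against the provider's published value, and update the
# heredoc; an unexpected key will otherwise fail validation (by design).

# Scratch files. The scanned keys are staged in a temporary file and only
# copied into ${known_hosts_file} after their fingerprints have been verified,
# so a scan that fails validation never reaches the real known_hosts file
# (the previous version wrote unverified output straight to it on every
# attempt). An explicit template keeps mktemp portable: `mktemp -t` with no
# template is GNU-only.
tmpdir=${TMPDIR:-/tmp}
fingerprints=$(mktemp "${tmpdir}/known_hosts_fp.XXXXXX")
staged=$(mktemp "${tmpdir}/known_hosts_stage.XXXXXX")

# Remove the scratch files on any exit path (success, failure, signal).
cleanup() {
  rm -f -- "$fingerprints" "$staged"
}
trap cleanup EXIT

# make sure sorting is in the same locale as the heredoc
export LC_ALL=C

#######################################
# Scan the host keys of every configured host into the staging file.
# Globals:   hosts, hosts_2022 (read), staged (written)
# Returns:   non-zero if either ssh-keyscan invocation fails
#######################################
generate() {
  # shellcheck disable=SC2086
  # word-splitting of the host lists is intentional (one argument per host)
  ssh-keyscan ${hosts} > "$staged" &&
    ssh-keyscan -p 2022 ${hosts_2022} >> "$staged"
}

#######################################
# Compare the fingerprints of the staged keys against the pinned list.
# Every line must match exactly, so both a missing key and an unexpected
# extra key fail validation.
# Globals:   staged (read), fingerprints (written)
# Returns:   diff's exit status: 0 only when the sets are identical
#######################################
validate() {
  ssh-keygen -l -f "$staged" | sort > "$fingerprints"
  # quoted delimiter: the pinned list is literal, nothing is expanded
  diff - "$fingerprints" <<'EOF'
2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
256 SHA256:AGvEpqYNMqsRNIviwyk4J4HM0lEylomDBKOWZsBn434 [source.developers.google.com]:2022 (ECDSA)
256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
EOF
}

# Retry the scan with a fixed delay; transient network errors are the
# expected failure mode at boot, but a persistent fingerprint mismatch is
# also retried and eventually reported rather than installed.
retries=10
count=0
backoff=2
while :; do
  if generate && validate; then
    # Copy the content (rather than mv) so the destination keeps its own
    # ownership and mode and the temp file's 0600 mode is not carried over.
    cat -- "$staged" > "$known_hosts_file"
    exit 0
  fi
  count=$((count + 1))
  # `[`, not `[[`: this runs under /bin/sh, where `[[` is unavailable and the
  # old check silently never fired, making the loop unbounded. Checking the
  # count only after a failed attempt also fixes the old off-by-one, where a
  # success on the final attempt was still reported as a failure.
  if [ "$count" -ge "$retries" ]; then
    echo "ssh-keyscan failed, no more retries left" >&2
    exit 1
  fi
  sleep "$backoff"
done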