appveyor / ci

AppVeyor community support repository
https://www.appveyor.com

Broken known_hosts on macOS? #3792

Closed bpoldrack closed 2 years ago

bpoldrack commented 2 years ago

In datalad's CI builds, we call SSH (partially just to localhost to test correct invocation on our end). Currently we are seeing pretty much anything involving an SSH call reporting WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! in the macOS builds. Setup is here: https://github.com/datalad/datalad/blob/master/.appveyor.yml

SSH'ing into such a build, I see:

appveyor$ ssh localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:b7Q9hN2pEJGEvu/BlO2GUD/EV+H/xlmDqx7oCUosGbg.
Please contact your system administrator.
Add correct host key in /Users/appveyor/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/appveyor/.ssh/known_hosts:154
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Last login: Fri Apr  1 05:34:39 2022 from 127.0.0.1
Project:       datalad
Build Version: 1.0.7798
URL:           https://ci.appveyor.com/project/mih/datalad/build/job/w9nft5q9itmlsdke

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

The entry this considers offending (154) is the same for other connections. Looking at known_hosts, it was not modified by us and contains the following entries (152, 153, 154):

> gitlab.com,* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
> gitlab.com,* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
> gitlab.com,* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=

I assume two things at the moment:

  1. This is a known_hosts provided by AppVeyor as is by default.
  2. Those entries are actually meant to match gitlab.com's IP range, instead of just *.

Is this correct?

FeodorFitsner commented 2 years ago

Yes, those entries are being added by AppVeyor during the image baking process: https://docs.gitlab.com/ee/user/gitlab_com/ The problem with GitLab is that it's nearly impossible to specify all IPs for outgoing connections: https://docs.gitlab.com/ee/user/gitlab_com/#ip-range

You may want to just delete that file during the build or put your entries there.
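
Worked example, added here and not part of the issue thread, of AppVeyor's image tooling, or of datalad's CI: a small Python audit that applies OpenSSH's known_hosts host-pattern rules to the situation described in the report and the reply above. It shows why a `gitlab.com,*` line matches `localhost` (the bare `*` matches every hostname), why the ECDSA line is the one ssh reports as "offending" when localhost presents an ECDSA key that is not in the file, and how to narrow such lines to the named host as an alternative to deleting the file. The known_hosts excerpt and all key blobs are constructed stand-ins for the three lines quoted in the report; hashed (`|1|...`) entries are skipped because matching them needs the HMAC salt.

```python
import re
from typing import List, NamedTuple


class KnownHost(NamedTuple):
    lineno: int      # 1-based line in the file, as ssh reports it ("known_hosts:154")
    patterns: str    # comma-separated host patterns, e.g. "gitlab.com,*"
    keytype: str     # "ssh-ed25519", "ecdsa-sha2-nistp256", ...
    key: str         # base64 key blob


def _pattern_regex(pat: str) -> str:
    # OpenSSH host patterns know only '*' (any run) and '?' (one character);
    # every other character is literal, so escape it.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)


def pattern_matches(pattern_list: str, host: str) -> bool:
    """Comma-separated pattern list with OpenSSH semantics: a matching
    negated pattern ('!x') rejects the host outright; otherwise the host
    matches if at least one positive pattern matches (case-insensitive)."""
    host = host.lower()
    matched = False
    for pat in pattern_list.lower().split(","):
        if not pat:
            continue
        if pat.startswith("!"):
            if re.fullmatch(_pattern_regex(pat[1:]), host):
                return False
        elif re.fullmatch(_pattern_regex(pat), host):
            matched = True
    return matched


def parse_known_hosts(text: str) -> List[KnownHost]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # '@cert-authority' / '@revoked' marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue  # malformed, or hashed hostname (needs the HMAC salt to match)
        entries.append(KnownHost(lineno, fields[0], fields[1], fields[2]))
    return entries


def entries_for_host(entries: List[KnownHost], host: str) -> List[KnownHost]:
    return [e for e in entries if pattern_matches(e.patterns, host)]


def offending_entries(entries, host, presented_keytype, presented_key):
    """The check behind 'REMOTE HOST IDENTIFICATION HAS CHANGED': an entry
    that matches the host and has the same key type but a different key."""
    return [e for e in entries_for_host(entries, host)
            if e.keytype == presented_keytype and e.key != presented_key]


def catch_all_entries(entries: List[KnownHost]) -> List[KnownHost]:
    """Entries that pin one key to every hostname: a bare '*' pattern with
    no negation. Such a line can only ever be right for a single host."""
    return [e for e in entries
            if "*" in e.patterns.split(",")
            and not any(p.startswith("!") for p in e.patterns.split(","))]


def narrow_catch_all(text: str) -> str:
    """Drop a bare '*' from each pattern list so the key stays pinned to the
    named hosts only. Lines consisting of nothing but '*' are left untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.lstrip()
        fields = stripped.split(None, 1)
        if len(fields) == 2 and not stripped.startswith(("#", "@", "|1|")):
            pats = [p for p in fields[0].split(",") if p != "*"]
            if pats:
                raw = ",".join(pats) + " " + fields[1]
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed excerpt modelled on the three lines quoted in the issue; the
# key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# lines 2-4 stand in for known_hosts:152-154 from the report
gitlab.com,* ssh-ed25519 CONSTRUCTED_GITLAB_ED25519_KEY
gitlab.com,* ssh-rsa CONSTRUCTED_GITLAB_RSA_KEY
gitlab.com,* ecdsa-sha2-nistp256 CONSTRUCTED_GITLAB_ECDSA_KEY
"""


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    # localhost sends an ECDSA key that is not in the file; the wildcard
    # ECDSA line for gitlab.com is what ssh would report as "offending".
    bad = offending_entries(entries, "localhost", "ecdsa-sha2-nistp256",
                            "CONSTRUCTED_LOCALHOST_ECDSA_KEY")
    for e in bad:
        print(f"offending {e.keytype} key in known_hosts:{e.lineno} (pattern {e.patterns!r})")
    fixed = parse_known_hosts(narrow_catch_all(SAMPLE_KNOWN_HOSTS))
    print("entries matching localhost after narrowing:", len(entries_for_host(fixed, "localhost")))
```

Running `catch_all_entries` over a build image's known_hosts before the first SSH call is a cheap way to spot this class of problem; note that a `*` entry does not just cause spurious warnings, it also asserts that every host on the network has GitLab's key, which is never what a pinned entry should say.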

bpoldrack commented 2 years ago

Ok. Thank you, @FeodorFitsner