
I have a docker container, and inside this docker container I have a shell script which performs a git clone from a private repo. The script is as follows:

eval $(ssh-agent) > /dev/null
# add the ssh key
ssh-add /root/.ssh/id_rsa

kill $SSH_AGENT_PID

git clone ssh://git@bitbucket.org/project/repo.git

but when docker is running, it gives an error:

Cloning into 'repo'...
Host key verification failed.

fatal: Could not read from remote repository.

When I test on my local machine, I can clone the repo without a failure, so I know there is nothing wrong with my ssh keys.

1 Answer

The problem is that when you have a setup like this on your local machine, you have access to the terminal, and SSH asks you before adding the key to known_hosts:

The authenticity of host 'server-name (***)' can't be established.
RSA key fingerprint is XXXXXXX.
Are you sure you want to continue connecting (yes/no)?

and you can basically interact and type yes, and ssh-agent adds the connection to known_hosts for you. However, in this case the things happen inside a docker container, and you basically cannot interact with this prompt. The solution for this is to add the StrictHostKeyChecking no option to the ssh config; there are several ways to do it for the git command, and you can check them here.

So basically, the following is the elegant way to solve this: just make a .ssh/config file and add the ssh options we want.

eval $(ssh-agent) > /dev/null
# add the ssh key
ssh-add /root/.ssh/id_rsa

kill $SSH_AGENT_PID

# write an ssh config entry for the host; git's ssh picks these options up automatically
echo "Host bitbucket.org" > /root/.ssh/config
echo "User git" >> /root/.ssh/config
echo "IdentityFile /root/.ssh/id_rsa" >> /root/.ssh/config
echo "StrictHostKeyChecking no" >> /root/.ssh/config

git clone ssh://git@bitbucket.org/project/repo.git

The StrictHostKeyChecking no option just discards the prompt and directly adds the connection to known_hosts, and basically afterwards git clone works.


4 Comments

Turning off host checking leaves you vulnerable to a person-in-the-middle attack.
Well, I'd love to hear better alternatives. Actually this is my workaround, but I am not sure if it's a best practice, though for me this container is in AWS ECR and its permission policy is strict, so it should be okay, but when I try locally it may be open to vulnerabilities.
@PresidentJamesK.Polk any suggestions?
No, other than verifying the keys ahead of time and placing them in known_hosts. Host keys should change very infrequently. Many users just click "Yes" to the prompt without checking, so setting StrictHostKeyChecking to no doesn't make things any worse. My comment is just to document a security fact.
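The alternative raised in the comments, verifying the host key ahead of time and placing it in known_hosts, as an added example script that is not part of the question or the answer. It assumes the same bitbucket.org host and /root/.ssh layout as the answer; the sample known_hosts line is a constructed ssh-ed25519 blob (not Bitbucket's real key), the expected fingerprint is something the operator takes from the provider's published list, and the secrets path in the usage comment is hypothetical.

```shell
# Added example, not from the original answer: pin the Git host's key instead of
# disabling StrictHostKeyChecking. The operator captures the known_hosts line once
# (e.g. `ssh-keyscan -t ed25519 bitbucket.org`) and gets the expected fingerprint
# out of band from the provider's documentation; the script installs the line only
# if the two agree, so a spoofed host cannot slip its key into the container.
SSH_DIR=${SSH_DIR:-/root/.ssh}

# Constructed sample line (an ssh-ed25519 blob whose 32 key bytes are all zero).
# It is NOT bitbucket.org's real key; replace it with the line you captured.
SAMPLE_KEY_LINE="bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# SHA256 fingerprint of a base64 key blob in OpenSSH's "SHA256:<unpadded base64>" form
# (the "SHA256:" prefix is added by the caller). Uses openssl so it works in minimal
# images without ssh-keygen; falls back to coreutils plus a bash printf.
fingerprint_of() {
  if command -v openssl >/dev/null 2>&1; then
    printf '%s' "$1" | openssl base64 -d -A | openssl dgst -sha256 -binary \
      | openssl base64 -A | tr -d '=\n'
  else
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1)
    printf "$(printf '%s' "$hex" | sed 's/../\\x&/g')" | base64 -w0 | tr -d '=\n'
  fi
}

# $1 = known_hosts line, $2 = expected "SHA256:..." fingerprint. Writes known_hosts
# and an ssh config with strict checking ON, but only when the fingerprint matches.
pin_host_key() {
  line=$1; expected=$2
  host=$(printf '%s' "$line" | awk '{print $1}')
  blob=$(printf '%s' "$line" | awk '{print $3}')
  actual="SHA256:$(fingerprint_of "$blob")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to pin $host: fingerprint $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  printf '%s\n' "$line" > "$SSH_DIR/known_hosts"
  cat > "$SSH_DIR/config" <<EOF
Host $host
  User git
  IdentityFile $SSH_DIR/id_rsa
  UserKnownHostsFile $SSH_DIR/known_hosts
  StrictHostKeyChecking yes
EOF
  chmod 600 "$SSH_DIR/config" "$SSH_DIR/known_hosts"
}

# Usage in the container's clone script (hypothetical secrets path, placeholder fingerprint):
#   pin_host_key "$(cat /run/secrets/bitbucket_known_hosts)" "SHA256:<published fingerprint>" \
#     && git clone ssh://git@bitbucket.org/project/repo.git
```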
