debuggable

 
Disable strict host checking for git clone

Posted on 4/2/09 by Felix Geisendörfer

Hey folks,

while playing with automated machine configuration in EC2 for a few minutes this morning, I stumbled across a little hurdle. One of the items in my init script was the cloning of a git repository from GitHub.

This normally isn't a very difficult task to automate. However, it can become so if you see the following message:

$ git clone git@github.com:debuggable/secret-project.debuggable.com.git
Initialized empty Git repository in /var/git/secret-project.debuggable.com/.git/
The authenticity of host 'github.com (65.74.177.129)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)?

Interactive questions like this can be really annoying when it comes to automation. Luckily there is an easy fix available.

$ echo -e "Host github.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config

This appends a Host entry to your ~/.ssh/config file that makes ssh accept github.com's host key without asking you to confirm it, so the host's authenticity is no longer verified.

-- Felix Geisendörfer aka the_undefined

PS: If the topic of passing ssh options to your git commands is interesting to you, make sure to also check out this git wiki page.

 

Dardo said on Feb 04, 2009:

Hi Felix,

Don't you think that check is there for something?

Felix Geisendörfer said on Feb 04, 2009:

Dardo: Yeah, to protect me from connecting to the wrong machine due to DNS / man-in-the-middle attacks.

Which in this case doesn't matter. If somebody spoofs GitHub yet serves me a repository with the proper SHA1 HEAD, I call him a friend / load balancer ; ).

Dardosordi said on Feb 04, 2009:

He/She could serve you a specially crafted response to exploit a git vulnerability...

Felix Geisendörfer said on Feb 04, 2009:

Dardosordi: Lol ... If this app ever gets hacked I hope it is by someone like you. I'd consider being the target of such a sophisticated app a true honor.

Everybody: This setting does not make any authentication warnings go away, it just disables an interactive prompt for confirmation. So check your log files for crazy hackers ; ).

Dieter_be said on Feb 04, 2009:

A better solution would be to just add the host key to ~/.ssh/known_hosts

Felix Geisendörfer said on Feb 04, 2009:

Dieter_be: I'll try that but that seems indeed better. The only downside is that you need to previously have verified the identity of the host you are connecting to which is ok in my case.
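The known_hosts approach discussed in the comments above, as an added example that is not part of the original post or its comments: a scanned host key line is appended to known_hosts only when its SHA256 fingerprint matches one verified beforehand. The host name `git.example.test`, the function names and the key blobs are constructed for illustration.

```python
import base64, hashlib, struct, tempfile
from pathlib import Path

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pin_host_key(scanned: str, host: str, pinned_fp: str, known_hosts: Path) -> bool:
    """Append a scanned "host keytype base64key" line to known_hosts only if it
    names `host` and its fingerprint equals the one verified out of band."""
    parts = scanned.split()
    if len(parts) < 3 or parts[0] != host:
        return False
    try:
        if fingerprint(parts[2]) != pinned_fp:
            return False  # different key: refuse instead of trusting it
    except ValueError:
        return False      # not valid base64, so not a key line at all
    entry = " ".join(parts[:3])
    known_hosts.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    lines = known_hosts.read_text().splitlines() if known_hosts.exists() else []
    if entry not in lines:  # idempotent: safe to re-run from an init script
        with known_hosts.open("a") as fh:
            fh.write(entry + "\n")
    return True

def constructed_key(seed: int) -> str:
    """Constructed ssh-ed25519 blob for the demo; not any real host's key."""
    def field(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(field(b"ssh-ed25519") + field(bytes([seed]) * 32)).decode()

def demo() -> dict:
    host = "git.example.test"                 # hypothetical host name
    pinned = fingerprint(constructed_key(1))  # stands in for the verified fingerprint
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / ".ssh" / "known_hosts"
        results = {
            "rogue": pin_host_key(f"{host} ssh-ed25519 {constructed_key(2)}", host, pinned, kh),
            "good": pin_host_key(f"{host} ssh-ed25519 {constructed_key(1)}", host, pinned, kh),
            "again": pin_host_key(f"{host} ssh-ed25519 {constructed_key(1)}", host, pinned, kh),
        }
        results["entries"] = kh.read_text().splitlines()
    return results

if __name__ == "__main__":
    print(demo())
```

In an init script the scanned line would come from ssh-keyscan and the pinned fingerprint from a source checked beforehand. With the entry in place, `StrictHostKeyChecking yes` makes an unknown or changed key fail the clone instead of prompting.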
