Export host ssh key for use with doctl compute ssh #129

johnandersen777 opened this issue May 10, 2024 · 0 comments

johnandersen777 commented May 10, 2024

Originally reported here: digitalocean/do-agent#305

Describe the problem

When we start a droplet and ssh in for the first time, we are prompted to validate the host key. If the agent is installed, the host key could be exported by it so that we can use the DO API as an out-of-band channel to verify the host key, using a temporary UserKnownHostsFile populated with the contents of the reported host key from do-agent when executing doctl compute ssh.

Unless there is some other way of getting the sshd public key(s), the lack of this ensures the potential for an Entity In the Middle attack.

Steps to reproduce

```bash
export COMPUTE_DOMAIN=example.com
export COMPUTE_SUBDOMAIN=scitt.eve
export COMPUTE_NAME=scitt-eve
doctl compute droplet create --image "$(doctl compute image list-application --no-header --format Slug | grep docker | tail -n 1)" --size "$(doctl compute size list --no-header --format Slug | head -n 2 | tail -n 1)" --region sfo3 --droplet-agent=true --tag-name scitt "${COMPUTE_NAME}"
# Poll until the droplet leaves the "new" state
STATUS=new
while [[ "x${STATUS}" = "xnew" ]]; do
  STATUS=$(doctl compute droplet get --no-header --format Status "${COMPUTE_NAME}")
done
export COMPUTE_IPV4=$(doctl compute droplet list --no-header --format PublicIPv4 "${COMPUTE_NAME}")
doctl compute ssh --ssh-command "echo No authenticity prompt" "${COMPUTE_NAME}"
```

```
The authenticity of host '146.190.157.111 (146.190.157.111)' can't be established.
ED25519 key fingerprint is SHA256:KYj44PidPrB3fnxnrxHBTsIUHPKwtYrL/EkKA/oSoMo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```

Expected behavior

```
$ doctl compute ssh --ssh-command "echo No authenticity prompt" "${COMPUTE_NAME}"
No authenticity prompt
```

System Information

Distribution and version:

```
+ doctl compute droplet create --image docker-20-04 --size s-1vcpu-1gb --region sfo3 --droplet-agent=true --tag-name scitt scitt-eve
ID           Name         Public IPv4    Private IPv4    Public IPv6    Memory    VCPUs    Disk    Region    Image                                   VPC UUID    Status    Tags     Features         Volumes
384269096    scitt-eve                                                  1024      1        25      sfo3      Ubuntu Docker 23.0.6 on Ubuntu 22.04                new       scitt    droplet_agent
```

do-agent information:

N/A, new feature request, does not exist in version 3e2db3a5c8686ca0de20be6f4c30124290277213
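The verification step the issue asks for, shown as an added example in Python (this is not doctl's or do-agent's code, and the agent has no such export yet). It assumes the out-of-band channel would hand back the contents of the droplet's `/etc/ssh/ssh_host_ed25519_key.pub` (a `ssh-ed25519 <base64 blob>` line), computes the `SHA256:` fingerprint exactly as the authenticity prompt prints it, writes a mode-0600 temporary `UserKnownHostsFile`, and builds an `ssh` invocation with `StrictHostKeyChecking=yes` so a missing or mismatching host key is a hard failure rather than a prompt. The key bytes and the `192.0.2.10` address are constructed for the demo; `pin_and_build`, `demo` and the other function names are this example's own.

```python
"""Added example: pin a droplet's SSH host key obtained out of band,
then build an ssh argv that cannot fall back to trust-on-first-use.
Not doctl or do-agent code; the agent export it relies on is assumed."""
import base64
import hashlib
import hmac
import os
import struct
import tempfile

# Constructed sample inputs (not a real key, not the issue's droplet).
SAMPLE_HOST = "192.0.2.10"             # TEST-NET-1 documentation address
SAMPLE_RAW_ED25519 = bytes(range(32))  # made-up 32-byte ed25519 public key


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_public_blob(raw_key: bytes) -> bytes:
    """OpenSSH public-key blob for ed25519: string "ssh-ed25519" || string key.
    This is what the base64 field of ssh_host_ed25519_key.pub decodes to."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def openssh_fingerprint(blob_b64: str) -> str:
    """Fingerprint as ssh prints it: SHA-256 over the decoded blob,
    base64 without '=' padding, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(blob_b64: str, expected: str) -> bool:
    """Compare the computed fingerprint with one reported out of band."""
    return hmac.compare_digest(openssh_fingerprint(blob_b64), expected)


def known_hosts_line(host: str, key_type: str, blob_b64: str) -> str:
    """Plain known_hosts entry. Use "[host]:port" for a non-default port."""
    return f"{host} {key_type} {blob_b64}"


def write_temp_known_hosts(lines) -> str:
    """Write a mode-0600 temporary UserKnownHostsFile and return its path."""
    fd, path = tempfile.mkstemp(prefix="do-known-hosts-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)
    return path


def ssh_command(host: str, known_hosts_path: str, user: str = "root",
                remote_command: str = "echo No authenticity prompt") -> list:
    """argv for ssh that trusts only the pinned key: with
    StrictHostKeyChecking=yes an absent or different host key aborts."""
    return [
        "ssh",
        "-o", f"UserKnownHostsFile={known_hosts_path}",
        "-o", "GlobalKnownHostsFile=/dev/null",  # ignore system-wide entries too
        "-o", "StrictHostKeyChecking=yes",
        f"{user}@{host}",
        remote_command,
    ]


def pin_and_build(host: str, pubkey_line: str, reported_fp: str = None) -> dict:
    """Whole flow: parse the "type blob" line the agent would export,
    optionally cross-check a separately reported fingerprint, write the
    known_hosts file and return the ssh argv to run."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    fp = openssh_fingerprint(blob_b64)
    if reported_fp is not None and not fingerprint_matches(blob_b64, reported_fp):
        raise ValueError(f"host key fingerprint {fp} != reported {reported_fp}")
    path = write_temp_known_hosts([known_hosts_line(host, key_type, blob_b64)])
    return {"fingerprint": fp, "known_hosts": path, "argv": ssh_command(host, path)}


def demo() -> dict:
    """Run the flow on the constructed sample key."""
    blob_b64 = base64.b64encode(ed25519_public_blob(SAMPLE_RAW_ED25519)).decode("ascii")
    return pin_and_build(SAMPLE_HOST, f"ssh-ed25519 {blob_b64}")


if __name__ == "__main__":
    result = demo()
    print(result["fingerprint"])
    print(" ".join(result["argv"]))
```

Because `doctl compute ssh` exposes no way to point at a custom known_hosts file, the example calls `ssh` directly against the droplet's public IPv4 (the value `doctl compute droplet get --format PublicIPv4` returns); once the agent exports the key, the same known_hosts population is what `doctl compute ssh` would need to do internally. Pinning only the ed25519 key is deliberate: if sshd offers another key type first, `StrictHostKeyChecking=yes` will fail rather than prompt, which is the safe direction for an automated flow.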
