Hard code VSCode and Azure git SSH keys (#472)

hardillb · web-flow · commit 76b921141c1f · 2024-12-17T09:45:31.000Z
Debian Buster doesn't have correct key exchange algorithms any
more
diff --git a/.docker/Dockerfile.debian b/.docker/Dockerfile.debian
@@ -33,7 +33,7 @@ RUN set -ex && \
 WORKDIR /usr/src/node-red
 
 # Setup SSH known_hosts file
-COPY .docker/known_hosts.sh .
+COPY .docker/known_hosts-debian.sh ./known_hosts.sh
 RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
 RUN echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/ssh_config
 
diff --git a/.docker/known_hosts-debian.sh b/.docker/known_hosts-debian.sh
@@ -0,0 +1 @@
+../docker-custom/known_hosts-debian.sh
diff --git a/docker-custom/Dockerfile.debian b/docker-custom/Dockerfile.debian
@@ -33,7 +33,7 @@ RUN set -ex && \
 WORKDIR /usr/src/node-red
 
 # Setup SSH known_hosts file
-COPY known_hosts.sh .
+COPY ./known_hosts-debian.sh ./known_hosts.sh
 RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
 RUN echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> /etc/ssh/ssh_config
 
diff --git a/docker-custom/known_hosts-debian.sh b/docker-custom/known_hosts-debian.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Originally taken from the Flux project (https://github.com/fluxcd/flux/tree/master/docker) where is under an
+# Apache-2.0 license
+
+set -eu
+
+known_hosts_file=${1}
+known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+hosts="github.com gitlab.com bitbucket.org"
+hosts_2022="source.developers.google.com"
+
+# The heredoc below was generated by constructing a known_hosts using
+#
+#     ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
+#
+# then generating the sorted fingerprints with
+#
+#     ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
+#
+# then checking against the published fingerprints from:
+#  - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+#  - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
+#  - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
+#  - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
+#    (this is where the public key fingerprint is shown; it's not a setting)
+#  - source.developers.google.com: https://cloud.google.com/source-repositories/docs/cloning-repositories
+
+fingerprints=$(mktemp -t)
+cleanup() {
+    rm -f "$fingerprints"
+}
+trap cleanup EXIT
+
+# make sure sorting is in the same locale as the heredoc
+export LC_ALL=C
+
+generate() {
+    ssh-keyscan ${hosts} > ${known_hosts_file}
+    ssh-keyscan -p 2022 ${hosts_2022} >> ${known_hosts_file}
+    echo "ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H" >> ${known_hosts_file}
+    echo "vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H" >> ${known_hosts_file}
+}
+
+validate() {
+ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"
+
+diff - "$fingerprints" <<EOF
+2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
+256 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU github.com (ED25519)
+256 SHA256:AGvEpqYNMqsRNIviwyk4J4HM0lEylomDBKOWZsBn434 [source.developers.google.com]:2022 (ECDSA)
+256 SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0 bitbucket.org (ECDSA)
+256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
+256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
+256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)
+256 SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM bitbucket.org (ED25519)
+3072 SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E bitbucket.org (RSA)
+3072 SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s github.com (RSA)
+EOF
+
+}
+
+retries=10
+count=0
+ok=false
+wait=2
+until ${ok}; do
+    generate && validate && ok=true || ok=false
+    count=$(($count + 1))
+    if [[ ${count} -eq ${retries} ]]; then
+        echo "ssh-keyscan failed, no more retries left"
+        exit 1
+    fi
+    sleep ${wait}
+done
