Disable strict host checking for git clone
Posted on 4/2/09 by Felix Geisendörfer
Hey folks,
while playing with automated machine configuration in EC2 for a few minutes this morning, I stumbled across a little hurdle. One of the items in my init script was the cloning of a git repository from GitHub.
This normally isn't a very difficult task to automate. However, it can become so if you see the following message:
$ git clone git@github.com:debuggable/secret-project.debuggable.com.git
Initialized empty Git repository in /var/git/secret-project.debuggable.com/.git/
The authenticity of host 'github.com (65.74.177.129)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)?
Interactive questions like this can be really annoying when it comes to automation. Luckily there is an easy fix available.
$ echo -e "Host github.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
This appends a Host entry to your ~/.ssh/config file that makes ssh skip the interactive confirmation and silently accept github.com's host key.
-- Felix Geisendörfer aka the_undefined
PS: If the topic of passing ssh options to your git commands is interesting to you, make sure to also check out this git wiki page.
Dardo: Yeah, to protect me from connecting to the wrong machine due to DNS / man-in-the-middle attacks.
Which in this case doesn't matter. If somebody spoofs GitHub yet serves me a repository with the proper SHA1 HEAD, I call him a friend / load balancer ; ).
He/She could serve you a specially crafted response to exploit a git vulnerability...
Dardosordi: Lol ... If this app ever gets hacked I hope it is by someone like you. I'd consider being the target of such a sophisticated app a true honor.
Everybody: This setting does not make any authentication warnings go away, it just disables an interactive prompt for confirmation. So check your log files for crazy hackers ; ).
A better solution would be to just add the host key to ~/.ssh/known_hosts
Dieter_be: I'll try that but that seems indeed better. The only downside is that you need to previously have verified the identity of the host you are connecting to which is ok in my case.
Hi Felix,
Don't you think that check is there for something?
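The known_hosts approach suggested in the comments above, as an added example that is not part of the original post or its comments: the init script carries a host key that was verified ahead of time and pins it, so host key checking can stay enabled without any prompt. PINNED_KEY is a constructed placeholder, pin_host_key and write_ssh_config are hypothetical helpers, and the lookup assumes unhashed known_hosts entries.

```sh
#!/bin/sh
# Added example: pin a pre-verified SSH host key for unattended git clones.
# PINNED_KEY is a constructed placeholder, not a real key. Replace it with the
# "type base64-blob" pair you verified out of band before baking it into the image.
PINNED_HOST="github.com"
PINNED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYCONSTRUCTEDFOREXAMPLE"

# pin_host_key FILE HOST "TYPE BLOB"
# Returns 0 when the key is pinned (added now or already present),
# 1 when FILE already holds a different key of that type for HOST.
pin_host_key() {
    file=$1
    host=$2
    key=$3
    ktype=${key%% *}
    mkdir -p "$(dirname "$file")" && touch "$file" && chmod 600 "$file" || return 2
    # Find an existing plain-text entry for this host and key type.
    # Comment lines and @cert-authority/@revoked markers are skipped.
    existing=$(awk -v h="$host" -v t="$ktype" '
        $0 !~ /^[#@]/ && $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2 " " $3; exit }
        }' "$file")
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$host" "$key" >> "$file"
        return 0
    fi
    if [ "$existing" = "$key" ]; then
        return 0
    fi
    # A mismatch is what a spoofed or re-keyed host looks like: stop, never overwrite.
    echo "refusing to replace pinned $ktype key for $host in $file" >&2
    return 1
}

# write_ssh_config FILE HOST KNOWN_HOSTS
# Appends a Host block that enforces the pinned key instead of disabling the check.
write_ssh_config() {
    printf 'Host %s\n\tStrictHostKeyChecking yes\n\tUserKnownHostsFile %s\n' \
        "$2" "$3" >> "$1"
}

# Usage in an init script, before the first git clone:
#   pin_host_key "$HOME/.ssh/known_hosts" "$PINNED_HOST" "$PINNED_KEY" || exit 1
#   write_ssh_config "$HOME/.ssh/config" "$PINNED_HOST" "$HOME/.ssh/known_hosts"
```

With the key pinned, a clone against a host presenting a different key fails instead of prompting or silently proceeding.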