
I'm using a Vagrantbox to regularly test the setup of a physical machine. This is handled by a bash script on Ubuntu, Vagrant and Virtualbox.

The setup and provisioning of the VM works. Now I want to deploy containers via docker-compose from my host to the VM via DOCKER_HOST="ssh://$BOX_USER@$BOX_IP" docker-compose up -d. This deployment works as well. But since I dispose of the Vagrantbox after each test run, the next run gets its own completely fresh VM. And since the VM is completely new I always get the classic ssh connection question:

The authenticity of host '192.168.56.99 (192.168.56.99)' can't be established.
ED25519 key fingerprint is SHA256:YFbh/pNm51dFOw6cOTkadob0bVWDoJdmSSlc/xREoDY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

This is not really cool when I automate my test script because it always means a manual interaction. Cleaning up the known_hosts file afterwards is easy (ssh-keygen -R "$BOX_IP"), but I'd like to avoid this question to begin with.

Each test run creates a new Vagrantbox with a new IP (because of DHCP). But a static IP would not work either because the VM is fresh every time. Then the question would state that the machine and its keys changed/don't match. Again a manual interaction or even a failure.

Plain ssh allows options to handle StrictHostKeyChecking: ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" "$BOX_USER@$BOX_IP". But I cannot find any way to tell docker-compose the same.

I do not want to disable StrictHostKeyChecking globally because this opens the door to security issues like man in the middle attacks.

Does anyone know how I can pass SSH options to my DOCKER_HOST="ssh://$BOX_USER@$BOX_IP" docker-compose up -d command? Maybe with another env-var or something?

I want to deploy via ssh from the host to the VM because I use the same way to deploy from my host to the actual physical remote machine (with different user and IP). Only there I don't have the issue with new VMs every time, so accepting the SSH question once works for future deployments.

  • This question looks like an attempt to solve the very same problem as [your previous question](https://superuser.com/q/1734015/432690). There you asked "how can I deploy containers […] without the mentioned issues?". Here the question is "how I can pass SSH options?". These questions are not equivalent, so not strictly duplicates; but the underlying problem is the same, right? – Kamil Maciorowski Aug 08 '22 at 20:14
  • I still follow the same goal and still haven't solved the problem. But this question is more accurate because it focuses on the ssh connection. – Sebastian Sommerfeld Aug 09 '22 at 08:01

1 Answer

I do not want to disable StrictHostKeyChecking globally because this opens the door to security issues like man in the middle attacks.

If you have a vagrant provider configured that configures boxes for a specific range of addresses or a subnet, then you could configure your ssh options to skip checking for that specific range.

# ~/.ssh/config

# disable key checking for vagrant range
Host 192.168.56.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host *
    # ... default config

See the man page ssh_config, particularly the Host, Match, and PATTERNS sections, for how you can adjust your ssh config so that disabling checking only applies to the specific hosts you want.

Zoredache
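An added example, not code from the question or the answer: it keeps the answer's idea of scoping the ssh settings to the VM's address with a Host block, but instead of turning StrictHostKeyChecking off it gives each test run its own known_hosts, seeded with the VM's host key read over Vagrant's own already-authenticated channel (vagrant ssh -c), so strict checking stays on and no ssh-keygen -R cleanup is needed. It assumes BOX_IP and BOX_USER as in the question, that vagrant ssh already works for the box, and that docker's ssh transport execs the system ssh client, which reads ~/.ssh/config (here via an assumed Include config.d/* line); ~/.ssh/config.d/vagrant-test is a made-up file name.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Each test run gets
# a private known_hosts seeded from the VM's own host key and an ssh_config
# block scoped to that single IP; StrictHostKeyChecking stays on.
# Assumptions: BOX_IP/BOX_USER as in the question; `vagrant ssh` works for the
# box; docker's ssh transport execs the system ssh client, which reads
# ~/.ssh/config, so the generated block must be reachable from there.
set -eu

# Turn one IP plus the VM's public host key file contents
# ("type base64 [comment]") into a known_hosts line: "ip type base64".
known_hosts_line() {
  ip=$1
  keytype=$(printf '%s\n' "$2" | awk '{print $1}')
  keydata=$(printf '%s\n' "$2" | awk '{print $2}')
  printf '%s %s %s\n' "$ip" "$keytype" "$keydata"
}

# Emit an ssh_config block that applies only to the given IP. Strict checking
# stays on; only the known_hosts file is swapped for the per-run one, so the
# global "Host *" defaults are untouched.
ssh_config_block() {
  ip=$1; user=$2; khfile=$3
  printf 'Host %s\n' "$ip"
  printf '    User %s\n' "$user"
  printf '    StrictHostKeyChecking yes\n'
  printf '    UserKnownHostsFile %s\n' "$khfile"
}

# Only run the deployment flow when the box variables are set, so the
# functions above can be sourced and checked on their own.
if [ -n "${BOX_IP:-}" ] && [ -n "${BOX_USER:-}" ]; then
  run_dir=$(mktemp -d)

  # Read the host key through Vagrant's own channel (assumption: vagrant ssh
  # is already set up for this box); tr strips the CR a tty session may add.
  hostkey=$(vagrant ssh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub' | tr -d '\r')
  known_hosts_line "$BOX_IP" "$hostkey" > "$run_dir/known_hosts"
  ssh_config_block "$BOX_IP" "$BOX_USER" "$run_dir/known_hosts" > "$run_dir/ssh_config"

  # Make the block visible to the ssh client docker will exec. Assumption:
  # ~/.ssh/config starts with "Include config.d/*"; adjust to your layout.
  mkdir -p "$HOME/.ssh/config.d"
  cp "$run_dir/ssh_config" "$HOME/.ssh/config.d/vagrant-test"

  DOCKER_HOST="ssh://$BOX_USER@$BOX_IP" docker-compose up -d

  # Trust for this VM ends with the run: nothing is left in ~/.ssh/known_hosts.
  rm -f "$HOME/.ssh/config.d/vagrant-test"
  rm -rf "$run_dir"
fi
```

Running ssh -G 192.168.56.99 before the docker-compose call prints the options ssh would actually use for that address, which is a quick way to confirm the per-run UserKnownHostsFile applies to the VM and that every other host still gets the defaults from Host *.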