I noticed a message in one of my pipelines that a host key was added to known_hosts during a run of atlassian/ssh-run. A subsequent step with rsync failed on the changed host key.
The script pipe.sh appears to do a lot of work to setup KNOWN_SERVERS_FILE, but then always invokes ssh with -o 'StrictHostKeyChecking=no'.
Is that intentional? Testing with an additional -o 'StrictHostKeyChecking=yes' on openssh's ssh shows that the second value won't override the first one.
Welcome to the community!
I think your observation is worth filing as a feature request or bug report against the `atlassian/ssh-run` Bitbucket pipe repository. At minimum, exposing `STRICT_HOST_KEY_CHECKING` as a configurable variable (defaulting to `no` for backward compatibility) would let security-conscious users opt in to proper verification.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.