From 52765e29688c0e74664b41aee6a95a8f17481a23 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 19 Jul 2021 09:28:10 -0400
Subject: [PATCH] Burn in some SSH host key knowledge

This avoids a prompt at deploy time and the possibility of an MitM attack
against TOFU.
---
 ci-tools/known_hosts.production |  7 +++++++
 ci-tools/known_hosts.staging    |  3 +++
 ci-tools/update-grid-servers    | 19 +++++++++++++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 ci-tools/known_hosts.production
 create mode 100644 ci-tools/known_hosts.staging

diff --git a/ci-tools/known_hosts.production b/ci-tools/known_hosts.production
new file mode 100644
index 00000000..88e5696c
--- /dev/null
+++ b/ci-tools/known_hosts.production
@@ -0,0 +1,7 @@
+monitoring.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvKv2y+IAL4+oDnX7Cm5G9QuADBHUj9OxzLX0okf6hF
+payments.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBlyFTJyN+VDlzGWANKqBlXeexlX/xTpp6gb5sUlA9U
+storage001.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQojjGVvmjZfDcrlec8ZmpbzMEeHd4+t4DJq1R/NUXw
+storage002.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDWqK7FBzT4L1eoIU/iaEZNZxq3Jr613PmK2nbAXFs2
+storage003.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHobJpQVv9GaTv8Xh9CGlL7BL5yKLxCiD3ZDdVTyt0Ep
+storage004.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy96VEPp617ewxdkt+8ZgWcYkLxlVG/C7bZAq0ULH+z
+storage005.private.storage ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOgJBoER0lX2Rx8UIfv/3MVJXNFn9RldYmpU+EqAc9H
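Review bot: The file records no provenance for the pinned keys, so a later reader cannot tell whether they were verified out of band or simply copied from a first connection — which is exactly the trust-on-first-use the commit sets out to replace. known_hosts accepts `#` comment lines, so a one-line header such as `# Host keys verified out of band via <METHOD-PLACEHOLDER> on <DATE-PLACEHOLDER>; re-verify the fingerprint before adding or replacing an entry` would document the trust basis and the procedure for adding a new node. The same applies to ci-tools/known_hosts.staging.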
diff --git a/ci-tools/known_hosts.staging b/ci-tools/known_hosts.staging
new file mode 100644
index 00000000..2a015656
--- /dev/null
+++ b/ci-tools/known_hosts.staging
@@ -0,0 +1,3 @@
+monitoring.privatestorage-staging.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINI9kvEBaOMvpWqcFH+6nFvRriBECKB4RFShdPiIMkk9
+payments.privatestorage-staging.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0eO/01VFwdoZzpclrmu656eaMkE19BaxtDdkkFHMa8
+storage001.privatestorage-staging.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP8L6OHCxq9XFd8ME8ZrCbmO5dGZDPH8I5dm0AwSGiN
diff --git a/ci-tools/update-grid-servers b/ci-tools/update-grid-servers
index b11bc6f4..0d019526 100755
--- a/ci-tools/update-grid-servers
+++ b/ci-tools/update-grid-servers
@@ -8,6 +8,10 @@
 
 set -euxo pipefail
 
+# Find the location of this script so we can refer to data files with a known
+# relative location.
+HERE=$(dirname $0)
+
 # Get the path to the ssh key which authorizes us to deliver this
 # notification.
 DEPLOY_KEY=$1
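Review bot: `HERE=$(dirname $0)` leaves `$0` unquoted, so a script path containing whitespace or glob characters is word-split before `dirname` sees it, and `HERE` — and with it the known_hosts file chosen later — points somewhere unintended. Quote it and terminate option parsing: `HERE=$(dirname -- "$0")`. The surrounding top-level code continues outside the hunk.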
@@ -21,13 +25,24 @@ shift
 
 # Tell one server to update itself.
 update_one_node() {
+    grid_name=$1
+    shift
+
     deploy_key=$1
     shift
 
     node=$1
     shift
 
-    ssh -i "${deploy_key}" "deployment@${node}"
+    # Avoid both the "host key unknown" prompt and the possibility for a
+    # man-in-the-middle attack (on every single deploy!) by referring to a
+    # pre-initialized known hosts file for this grid.
+    #
+    # Then use the specified deploy key to authenticate as the deployment user
+    # and trigger the update on the host.  There's no command here because the
+    # deployment key is restricted *only* the deloyment update command and the
+    # ssh server will supply that command itself.
+    ssh -o "UserKnownHostsFile=${HERE}/known_hosts.${grid_name}" -i "${deploy_key}" "deployment@${node}"
 }
 
 # Tell all servers belonging to one grid to update themselves.
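Review bot: The ssh invocation at the end of update_one_node pins the known_hosts file but leaves `StrictHostKeyChecking` at its default, so "no prompt" currently relies on the absence of a TTY; an interactive run against a node missing from the file would still be offered the chance to add its key. Making the policy explicit guarantees that a missing or mismatched entry fails rather than asks: `ssh -o "UserKnownHostsFile=${HERE}/known_hosts.${grid_name}" -o StrictHostKeyChecking=yes -i "${deploy_key}" "deployment@${node}"`. The new `grid_name=$1` follows the existing unscoped style of `deploy_key` and `node`; `local` would keep it from leaking into the caller. The comment also has a typo and a dropped word: `deloyment` → `deployment`, and "restricted *only* the" → "restricted *only* to the".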
@@ -65,7 +80,7 @@ update_grid_nodes() {
 	    # This isn't a server, it's part of the morph configuration.
 	    continue
 	fi
-	update_one_node "${deploy_key}" "${node}.${domain}"
+	update_one_node "${gridname}" "${deploy_key}" "${node}.${domain}"
     done
 }
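Review bot: The caller passes `"${gridname}"` while the new parameter in update_one_node is named `grid_name`; the two spellings are only cosmetic today, but under `set -u` a later "harmonising" edit on one side would abort the script at deploy time. Where `gridname` is assigned is not visible — update_grid_nodes begins outside the hunk — so confirm it is set from the function's arguments and pick one spelling for both sides, e.g. `update_one_node "${grid_name}" "${deploy_key}" "${node}.${domain}"` with the matching assignment in update_grid_nodes.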
 
-- 
GitLab