Adding to SSH Known Hosts

Travis CI can add entries to ~/.ssh/known_hosts prior to cloning your git repository, which is necessary if there are git submodules from domains other than,, or

Both hostnames and IP addresses are supported, as the keys are added via ssh-keyscan. A single host may be specified like so:


Multiple hosts or IPs may be added as a list:


Hosts with ports can also be specified:


Security Implications

Note that the ssh_known_hosts option may introduce a risk of man-in-the-middle attacks for your builds. (Also see the Security section of the ssh-keyscan man page.) For example, it may prevent a build from detecting that an illegitimate third party is attempting to inject a modified git repository or submodule into the build. This possibility might be of particular relevance where Travis CI build outputs are used for release packages or production deployments.

Mitigations and Workarounds

Currently, Travis CI only detects the above attacks out-of-the-box for repositories on,, or If you host your code on other domains, there is currently no straightforward alternative to using the ssh_known_hosts option and its security implications.

However, you can protect other SSH connections that occur after the cloning phase in your build, e.g., when deploying build outputs. To make your builds reject spoofed SSH servers for such connections, you configure them with known good SSH keys. Say your build instance connects to the SSH server

  1. Remove the ssh_known_hosts option for

  2. Obtain the public key of the SSH server at

    • Ideally (but rarely), the owner of can provide you with the server’s public SSH key through e-mail or some other trusted channel.

    • If you have previously connected to from a trusted local computer, run ssh-keygen -F to display its public key.

    • If you have not yet connected to, run ssh-keyscan to retrieve it and ssh-keygen -F to display it. Ideally, you would double-check with the owner of that it is indeed the server’s public key and not the key of a spoofed instance of

  3. Configure Travis CI to use the public key of the SSH server: add the server’s public key KEY to the SSH known_hosts file, e.g., with the following addition to the installation phase:

  - echo 'KEY' >> $HOME/.ssh/known_hosts

Make sure to replace KEY with the complete line of text containing the public key of the SSH server as obtained in the previous step.
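
The steps above can be backed by a check that fails the build if known_hosts trusts any key for the server other than the pinned one, for instance an entry left behind by a key scan. The following is an added example, not part of the original Travis CI documentation; the function name pin_host_key and the host and key values in the usage comment are assumptions made for illustration, and entries are assumed to be unhashed.

```sh
#!/bin/sh
# Added example (not Travis CI's own code). Assumes unhashed known_hosts
# entries of the form "host[,host...] keytype base64key"; marker lines
# (@cert-authority, @revoked) are skipped.
#
# pin_host_key FILE 'PINNED_LINE'   (hypothetical helper name)
#   returns 0: FILE trusts only the pinned key for that host
#   returns 1: FILE holds some other key for the host, e.g. a scanned one
#   returns 2: PINNED_LINE is not "host keytype key"
pin_host_key() {
    file=$1 pinned=$2
    case $pinned in
        *" "*" "*) ;;
        *) echo "pinned entry must be 'host keytype key'" >&2; return 2 ;;
    esac
    host=${pinned%% *};  rest=${pinned#* }
    ktype=${rest%% *};   rest=${rest#* }
    kblob=${rest%% *}
    touch "$file"
    rc=0
    awk -v h="$host" -v t="$ktype" -v k="$kblob" '
        NF < 3 || $1 ~ /^[#@]/ { next }      # comments, blanks, marker lines
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) {
                if ($2 == t && $3 == k) found = 1
                else { bad = 1
                       print "line " NR ": unpinned " $2 " key for " h > "/dev/stderr" }
                break
            }
        }
        END { exit (bad ? 2 : (found ? 0 : 1)) }' "$file" || rc=$?
    case $rc in
        0) return 0 ;;                                      # already pinned
        1) printf '%s\n' "$pinned" >> "$file"; return 0 ;;  # host not yet listed
        *) return 1 ;;                                      # conflicting entry
    esac
}

# Usage in the install phase, with constructed sample values:
#   pin_host_key "$HOME/.ssh/known_hosts" '[deploy.example.com]:2222 ssh-ed25519 AAAA...'
```

A non-zero return should stop the build before any SSH connection to the server is made.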