Adding to SSH Known Hosts
Travis CI can add entries to
~/.ssh/known_hosts prior to cloning
your git repository, which is necessary if there are git submodules
from domains other than
Both hostnames and IP addresses are supported, as the keys are
ssh-keyscan. A single host may be specified like so:
addons: ssh_known_hosts: git.example.com
Multiple hosts or IPs may be added as a list:
addons: ssh_known_hosts: - git.example.com - 126.96.36.199
Hosts with ports can also be specified:
addons: ssh_known_hosts: git.example.com:1234
Security Implications #
Note that the
ssh_known_hosts option may introduce a risk of man-in-the-middle attacks for your builds.
(Also see the Security section of the ssh-keyscan man page.)
For example, it may prevent a build from detecting that an illegitimate 3rd party attempts to inject a modified git repository or submodule into the build.
This possibility might be of particular relevance where Travis CI build outputs are used for release packages or production deployments.
Mitigations and Workarounds #
Currently, Travis CI only detects the above attacks out-of-the-box for repositories on
If you host your code on other domains, there is currently no straightforward alternative to using the
ssh_known_hosts option and its security implications.
However, you can protect other SSH connections that occur after the cloning phase in your build, e.g., when deploying build outputs. To make your builds reject spoofed SSH servers for such connections, you configure them with known good SSH keys. Say your build instance connects to the SSH server ssh.example.com:
ssh_known_hostsoption for ssh.example.com.
Obtain the public key of the SSH server at ssh.example.com:
Ideally (but rarely), the owner of ssh.example.com can provide you with the server’s public SSH key through e-mail or some other trusted channel.
If you have previously connected to ssh.example.com from a trusted local computer, run
ssh-keygen -F ssh.example.comto display its public key.
If you have not yet connected to ssh.example.com, run
ssh-keyscan ssh.example.comto retrieve it and
ssh-keygen -F ssh.example.comto display it. Ideally, you would double-check with the owner of ssh.example.com that it is indeed the server’s public key and not the key of a spoofed instance of ssh.example.com.
Configure Travis CI to use the public key of the SSH server: Add the key server’s public key KEY to the SSH
known_hostsfile, e.g., with the following addition to the installation phase:
install: - echo 'KEY' >> $HOME/.ssh/known_hosts
Make sure to replace KEY with the complete line of text containing the public key of the SSH server as obtained in the previous step.