Add /etc/ssh/ssh_known_hosts file (#234)

* Add /etc/ssh/ssh_known_hosts file

This adds the SSH Host keys for the following services:

 - Github (github.com)
 - Gitlab (gitlab.com)
 - Azure (ssh.dev.azure.com)
 - Visual Studio (vs-ssh.visualstudio.com)
 - BitBucket (bitbucket.org)
 - Google (source.developers.google.com port 2022)

This means that git won't complain on first connect when using
Projects.

Also added note to README.md about creating your own file for
private git server

* Fix file name

Author: hardillb

.docker/Dockerfile.alpine

@@ -36,6 +36,10 @@ RUN set -ex && \
 # Set work directory
 WORKDIR /usr/src/node-red
 
+# Setup SSH known_hosts file
+COPY known_hosts.sh .
+RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
+
 # package.json contains Node-RED NPM module and node dependencies
 COPY package.json .
 COPY flows.json /data

README.md

@@ -587,3 +587,30 @@ __References:__
 https://groups.google.com/forum/#!topic/node-red/ieo5IVFAo2o
 
 <br>
+
+### SSH Known Hosts
+
+The containers are pre-populated with a `/etc/ssh/ssh_known_hosts` file which holds the public SSH fingerprints for the following services:
+
+ - Github (github.com)
+ - Gitlab (gitlab.com)
+ - Azure (ssh.dev.azure.com)
+ - Visual Studio (vs-ssh.visualstudio.com)
+ - BitBucket (bitbucket.org)
+ - Google (source.developers.google.com port 2022) 
+
+This is to allow the Projects feature to work without complaining the first time you try and connect to a git repository hosted on one of 
+these services. If you are using Projects with your own git server and using SSH URLS then you can mount your own known_hosts file into the 
+container. e.g.
+
+```
+docker run -d -p 1880:1880 -e NODE_RED_ENABLE_PROJECTS=true -v /path/to/known_hosts:/etc/ssh/ssh_known_hosts nodered/node-red
+```
+
+You can generate the known_hosts file as follows:
+
+```
+ssh-keyscan hostname > known_hosts
+```
+
+<br>

docker-custom/Dockerfile.custom

@@ -31,6 +31,10 @@ RUN set -ex && \
 # Set work directory
 WORKDIR /usr/src/node-red
 
+# Setup SSH known_hosts file
+COPY known_hosts.sh .
+RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
+
 # package.json contains Node-RED NPM module and node dependencies
 COPY package.json .
 COPY flows.json /data

docker-custom/Dockerfile.debian

@@ -32,6 +32,10 @@ RUN set -ex && \
 # Set work directory
 WORKDIR /usr/src/node-red
 
+# Setup SSH known_hosts file
+COPY known_hosts.sh .
+RUN ./known_hosts.sh /etc/ssh/ssh_known_hosts && rm /usr/src/node-red/known_hosts.sh
+
 # package.json contains Node-RED NPM module and node dependencies
 COPY package.json .
 COPY flows.json /data

docker-custom/known_hosts.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Originally taken from the Flux project (https://github.com/fluxcd/flux/tree/master/docker) where is under an
+# Apache-2.0 license
+
+set -eu
+
+known_hosts_file=${1}
+known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"
+hosts_2022="source.developers.google.com"
+
+# The heredoc below was generated by constructing a known_hosts using
+#
+#     ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
+#
+# then generating the sorted fingerprints with
+#
+#     ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
+#
+# then checking against the published fingerprints from:
+#  - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+#  - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
+#  - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
+#  - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
+#    (this is where the public key fingerprint is shown; it's not a setting)
+#  - source.developers.google.com: https://cloud.google.com/source-repositories/docs/cloning-repositories
+
+fingerprints=$(mktemp -t)
+cleanup() {
+    rm -f "$fingerprints"
+}
+trap cleanup EXIT
+
+# make sure sorting is in the same locale as the heredoc
+export LC_ALL=C
+
+generate() {
+    ssh-keyscan ${hosts} > ${known_hosts_file}
+    ssh-keyscan -p 2022 ${hosts_2022} >> ${known_hosts_file}
+}
+
+validate() {
+ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"
+
+diff - "$fingerprints" <<EOF
+2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
+2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
+2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
+256 SHA256:AGvEpqYNMqsRNIviwyk4J4HM0lEylomDBKOWZsBn434 [source.developers.google.com]:2022 (ECDSA)
+256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
+256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
+EOF
+
+}
+
+retries=10
+count=0
+ok=false
+wait=2
+until ${ok}; do
+    generate && validate && ok=true || ok=false
+    count=$(($count + 1))
+    if [[ ${count} -eq ${retries} ]]; then
+        echo "ssh-keyscan failed, no more retries left"
+        exit 1
+    fi
+    sleep ${wait}
+done

known_hosts.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Originally taken from the Flux project (https://github.com/fluxcd/flux/tree/master/docker) where is under an
+# Apache-2.0 license
+
+set -eu
+
+known_hosts_file=${1}
+known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
+hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"
+hosts_2022="source.developers.google.com"
+
+# The heredoc below was generated by constructing a known_hosts using
+#
+#     ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
+#
+# then generating the sorted fingerprints with
+#
+#     ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
+#
+# then checking against the published fingerprints from:
+#  - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
+#  - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
+#  - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
+#  - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
+#    (this is where the public key fingerprint is shown; it's not a setting)
+#  - source.developers.google.com: https://cloud.google.com/source-repositories/docs/cloning-repositories
+
+fingerprints=$(mktemp -t)
+cleanup() {
+    rm -f "$fingerprints"
+}
+trap cleanup EXIT
+
+# make sure sorting is in the same locale as the heredoc
+export LC_ALL=C
+
+generate() {
+    ssh-keyscan ${hosts} > ${known_hosts_file}
+    ssh-keyscan -p 2022 ${hosts_2022} >> ${known_hosts_file}
+}
+
+validate() {
+ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"
+
+diff - "$fingerprints" <<EOF
+2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
+2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
+2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
+2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
+256 SHA256:AGvEpqYNMqsRNIviwyk4J4HM0lEylomDBKOWZsBn434 [source.developers.google.com]:2022 (ECDSA)
+256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
+256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
+EOF
+
+}
+
+retries=10
+count=0
+ok=false
+wait=2
+until ${ok}; do
+    generate && validate && ok=true || ok=false
+    count=$(($count + 1))
+    if [[ ${count} -eq ${retries} ]]; then
+        echo "ssh-keyscan failed, no more retries left"
+        exit 1
+    fi
+    sleep ${wait}
+done