From 1a8b3784eaa665f677fa114edd5683bb6a6bfaa8 Mon Sep 17 00:00:00 2001 From: Nicklas Frahm Date: Sat, 15 May 2021 17:05:07 +0200 Subject: [PATCH] Document setup of SSH host fingerprint validation (#120) --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index 1ece7cc..779db86 100644 --- a/README.md +++ b/README.md @@ -372,6 +372,32 @@ It is not uncommon for files to leak from backups or decommissioned hardware, an ls -al ``` +#### Using host fingerprint verification + +Setting up SSH host fingerprint verification can help to prevent Person-in-the-Middle attacks. Before setting this up, run the command below to get your SSH host fingerprint. Remember to replace `ed25519` with your appropriate key type (`rsa`, `dsa`, etc.) that your server is using and `example.com` with your host. + +In modern OpenSSH releases, the _default_ key types to be fetched are `rsa` (since version 5.1), `ecdsa` (since version 6.0), and `ed25519` (since version 6.7). + +``` +ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2 +``` + +Now you can adjust you config: + +```diff + - name: ssh key passphrase + uses: appleboy/ssh-action@master + with: + host: ${{ secrets.HOST }} + username: ${{ secrets.USERNAME }} + key: ${{ secrets.KEY }} + port: ${{ secrets.PORT }} ++ fingerprint: ${{ secrets.FINGERPRINT }} + script: | + whoami + ls -al +``` + ## Contributing We would love for you to contribute to `appleboy/ssh-action`, pull requests are welcome!