Document setup of SSH host fingerprint validation (#120)
This commit is contained in:
parent
29007ce6fb
commit
1a8b3784ea
26
README.md
26
README.md
|
@ -372,6 +372,32 @@ It is not uncommon for files to leak from backups or decommissioned hardware, an
|
||||||
ls -al
|
ls -al
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Using host fingerprint verification
|
||||||
|
|
||||||
|
Setting up SSH host fingerprint verification can help to prevent Person-in-the-Middle attacks. Before setting this up, run the command below to get your SSH host fingerprint. Remember to replace `ed25519` with your appropriate key type (`rsa`, `dsa`, etc.) that your server is using and `example.com` with your host.
|
||||||
|
|
||||||
|
In modern OpenSSH releases, the _default_ key types to be fetched are `rsa` (since version 5.1), `ecdsa` (since version 6.0), and `ed25519` (since version 6.7).
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh example.com ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you can adjust you config:
|
||||||
|
|
||||||
|
```diff
|
||||||
|
- name: ssh key passphrase
|
||||||
|
uses: appleboy/ssh-action@master
|
||||||
|
with:
|
||||||
|
host: ${{ secrets.HOST }}
|
||||||
|
username: ${{ secrets.USERNAME }}
|
||||||
|
key: ${{ secrets.KEY }}
|
||||||
|
port: ${{ secrets.PORT }}
|
||||||
|
+ fingerprint: ${{ secrets.FINGERPRINT }}
|
||||||
|
script: |
|
||||||
|
whoami
|
||||||
|
ls -al
|
||||||
|
```
|
||||||
|
|
||||||
## Contributing
|
## Contributing
|
||||||
We would love for you to contribute to `appleboy/ssh-action`, pull requests are welcome!
|
We would love for you to contribute to `appleboy/ssh-action`, pull requests are welcome!
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue