There are tutorials on the web, like this one: https://blog.oddbit.com/post/2019-02-24-docker-build-learns-about-secr/, that show you sample code to run `ssh-keyscan` in an automated way so that subsequent automation steps that depend on SSH can complete successfully. E.g., an excerpt from that tutorial:
```dockerfile
# syntax=docker/dockerfile:1.0.0-experimental
FROM alpine
RUN apk add --update git openssh

# This is necessary to prevent the "git clone" operation from failing
# with an "unknown host key" error.
# (known_hosts is created first and then set to mode 600 with chmod;
# the original "touch -m 600" did not set a mode.)
RUN mkdir -m 700 /root/.ssh; \
    touch /root/.ssh/known_hosts; chmod 600 /root/.ssh/known_hosts; \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# This command will have access to the forwarded agent (if one is
# available)
RUN --mount=type=ssh git clone git@github.com:moby/buildkit
```
Is that a good idea? Is there a way for `ssh-keyscan` to automatically verify the legitimacy of the scanned host? If not, doesn't it become security theater and defeat the point of SSH?
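`ssh-keyscan` itself only records whatever key the remote end answers with, so the `ssh-keyscan github.com > known_hosts` step in the excerpt is trust-on-first-use performed at build time: it protects later `git clone` runs against a key that changes afterwards, but not against whoever answers for github.com during the build. The check a practitioner adds is to compare the scanned key against a fingerprint obtained out-of-band (GitHub publishes its host key fingerprints in its documentation) and fail the build on any mismatch. The script below is an added example, not code from the question or from the linked tutorial. `fingerprint`, `verify_keyscan`, `is_trusted`, the `example.test` fixture and the file name used in the note afterwards are assumptions of this example; the github.com ed25519 fingerprint in `PINNED` is the value GitHub publishes, but you should copy it from GitHub's own page rather than trust it from here.

```python
import base64
import hashlib
import sys

# Fingerprints recorded out-of-band and kept in the build context. The
# github.com entry is the ed25519 fingerprint GitHub publishes on its
# "GitHub's SSH key fingerprints" page; copy it from there yourself. This
# script cannot check it, it is an assumption of the example.
PINNED = {
    "github.com": {
        "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
    },
}


def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: base64 of the
    hash over the raw key blob, with the trailing '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_keyscan(keyscan_output, pinned):
    """Return the known_hosts lines whose key matches a pinned fingerprint.

    Any line that is malformed, names a host or key type with no pin, or
    carries a key with a different fingerprint raises ValueError, so a build
    step using this fails closed instead of trusting whatever answered.
    """
    accepted = []
    for raw in keyscan_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            # ssh-keyscan writes its "# host:port banner" lines to stderr,
            # but tolerate them in case stderr was merged into the input.
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed keyscan line: %r" % raw)
        host, key_type, key_b64 = parts[0], parts[1], parts[2]
        expected = pinned.get(host, {}).get(key_type)
        if expected is None:
            raise ValueError("no pinned %s key for %s" % (key_type, host))
        actual = fingerprint(key_b64)
        if actual != expected:
            raise ValueError("%s %s fingerprint %s does not match pinned %s"
                             % (host, key_type, actual, expected))
        accepted.append("%s %s %s" % (host, key_type, key_b64))
    return accepted


def is_trusted(keyscan_output, pinned):
    """True only if the scan produced at least one key and every key matched."""
    try:
        return len(verify_keyscan(keyscan_output, pinned)) > 0
    except ValueError:
        return False


# Constructed fixture so the example runs offline: a structurally valid
# ed25519 key blob (length-prefixed type string + 32 key bytes) for a host
# that does not exist, pinned to its own fingerprint. Not a real host or key.
FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()
SAMPLE_SCAN = "example.test ssh-ed25519 " + FAKE_BLOB + "\n"
PINNED_DEMO = {"example.test": {"ssh-ed25519": fingerprint(FAKE_BLOB)}}

if __name__ == "__main__":
    # Pipe ssh-keyscan into this script. Redirecting stdout into known_hosts
    # is safe because nothing is printed unless every key matched its pin.
    lines = verify_keyscan(sys.stdin.read(), PINNED)
    if not lines:
        sys.exit("ssh-keyscan returned no host keys")
    print("\n".join(lines))
```

With this in place, the tutorial's keyscan line becomes something like `RUN ssh-keyscan -t ed25519 github.com | python3 /tmp/verify_keyscan.py > /root/.ssh/known_hosts` (hypothetical path), and the build aborts if the key that answers is not the one you pinned. Once you are pinning the fingerprint anyway, the scan adds nothing: keeping a `known_hosts` file under version control and `COPY`ing it into the image is simpler and equally strict.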