
Add gitlab ssh public key to known host in dockerfile behind corporate firewall (no port 22)

I am trying to get a public key recognized in the known_hosts file within a docker build process, the relevant portion of the dockerfile I'm using being this:

RUN mkdir -p -m 0700 ~/.ssh

# Copy SSH host config to use port 443
COPY docker/config/gitlab_host.txt /root/.ssh/config

RUN cat ~/.ssh/config

# Download public key for gitlab.com
RUN ssh-keyscan -p443 gitlab.com >> ~/.ssh/known_hosts
RUN cat ~/.ssh/known_hosts

For the sake of completion, the ssh config file (docker/config/gitlab_host.txt):

Host gitlab.com
  Hostname altssh.gitlab.com
  User git
  Port 443
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa

Firstly, I am behind a corporate firewall, with no outbound traffic on port 22. Therefore we configure our ssh config to use port 443, as gitlab thankfully provides this option. However, ssh-keyscan does not seem to honour this config, nor does specifying this port seem to work; there is just silent failure on the part of ssh-keyscan. I have tried multiple permutations of the command:

ssh-keyscan -p 443 gitlab.com
ssh-keyscan gitlab.com:443

All to no avail. Supplying the -v flag for verbosity does not generate output either.

The only other option that I can think of is copying in my own known_hosts file; does this work, and is this secure? The actual cloning of repositories is done by 'passing along' the host ssh.

RUN --mount=type=ssh,uid=1001 pip install git+ssh://git@gitlab.com/<private>.git
RUN --mount=type=ssh,uid=1001 pip install git+ssh://git@gitlab.com/<another_private>.git

What option do I have to get the host known so that I can git clone?

I have noticed that problem as well.

When I try to get the public key with ssh-keyscan -p 443 altssh.gitlab.com, it just stops silently, and verbose mode with -vv doesn't give much information either.

I even tried to get the public key through nmap, but it doesn't seem to work either:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 17:09 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Warning: Hostname altssh.gitlab.com resolves to 26 IPs. Using 172.65.251.182.
Initiating Ping Scan at 17:09
Scanning altssh.gitlab.com (172.65.251.182) [2 ports]
Completed Ping Scan at 17:09, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:09
Completed Parallel DNS resolution of 1 host. at 17:09, 1.01s elapsed
Initiating Connect Scan at 17:09
Scanning altssh.gitlab.com (172.65.251.182) [1 port]
Discovered open port 443/tcp on 172.65.251.182
Completed Connect Scan at 17:09, 0.00s elapsed (1 total ports)
NSE: Script scanning 172.65.251.182.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Nmap scan report for altssh.gitlab.com (172.65.251.182)
Host is up, received syn-ack (0.0020s latency).
Other addresses for altssh.gitlab.com (not scanned): 172.64.33.173 173.245.59.173 108.162.193.173 173.245.58.77 108.162.192.77 172.64.32.77 173.245.59.173 108.162.193.173 172.64.33.173 108.162.192.77 172.64.32.77 173.245.58.77 2a06:98c1:50::ac40:21ad 2606:4700:58::adf5:3bad 2803:f800:50::6ca2:c1ad 2606:4700:50::adf5:3a4d 2803:f800:50::6ca2:c04d 2a06:98c1:50::ac40:204d 2606:4700:90:0:f0ff:e6a3:2ac:f7ef 2606:4700:58::adf5:3bad 2803:f800:50::6ca2:c1ad 2a06:98c1:50::ac40:21ad 2803:f800:50::6ca2:c04d 2a06:98c1:50::ac40:204d 2606:4700:50::adf5:3a4d
Scanned at 2021-10-20 17:09:01 CEST for 1s

PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 17:09
Completed NSE at 17:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

Also, I backed up my known_hosts file and connected through SSH to altssh.gitlab.com:443 in order to see how the fingerprint is saved, and to my surprise the host, instead of being saved as altssh.gitlab.com, is stored as [altssh.gitlab.com]:

I can find it with ssh-keygen -H -F '[altssh.gitlab.com]:443' but not with ssh-keygen -H -F altssh.gitlab.com:443, which would be the normal way.

I don't know the reason for this behavior, but I know that OpenSSH 7.6 includes a new flag for adding new host keys on the first attempt, so I'm just doing this once:

ssh -oStrictHostKeyChecking=accept-new -p 443 git@altssh.gitlab.com

From the documentation (man ssh_config):

If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys.

It will fail and won't actually complete the connection because I'm not providing any authentication method, but the HostKey will be stored in known_hosts, and from that point you will be able to connect with your current configuration.
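Added illustration, not code from the question or the answer: ssh looks a host up in known_hosts under the hostname it actually connects to (the Hostname value, not the Host alias), wrapped as '[host]:port' whenever the port is not 22, which is why the entry above is only found as '[altssh.gitlab.com]:443'. The Python below reproduces that lookup over a constructed known_hosts sample, in both the plain form and the hashed form that ssh-keygen -H writes; the key blob and salt are placeholders, not GitLab's real key.

```python
import base64
import hashlib
import hmac

def lookup_name(host, port=22):
    """Name ssh looks up: connected hostname, wrapped as '[host]:port' when port != 22."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_name(name, salt):
    """Hashed form written by 'ssh-keygen -H': |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def hashed_matches(field, name):
    """True if a hashed known_hosts name field was produced for this lookup name."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    got = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)

def find_host_keys(known_hosts, host, port=22):
    """Return (keytype, key) pairs ssh would accept for host:port (exact names only,
    no wildcard or @marker handling)."""
    name = lookup_name(host, port)
    found = []
    for line in known_hosts.splitlines():
        fields = line.strip().split(None, 2)
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        names, keytype, key = fields
        if names.startswith("|1|"):
            if hashed_matches(names, name):
                found.append((keytype, key))
        elif name in names.split(","):      # plain entries may list several names
            found.append((keytype, key))
    return found

# Constructed sample (the key blob is a placeholder, not GitLab's real key): the
# same altssh endpoint in plain and hashed form, plus an unrelated port-22 entry.
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORTHISEXAMPLEONLY0000000000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "[altssh.gitlab.com]:443 ssh-ed25519 " + FAKE_KEY,
    hash_name("[altssh.gitlab.com]:443", bytes(range(20))) + " ssh-ed25519 " + FAKE_KEY,
    "gitlab.com ssh-ed25519 " + FAKE_KEY,
])
```

Looking up "altssh.gitlab.com:443" as a single name, the way the answer first tried, matches nothing, while host "altssh.gitlab.com" with port 443 matches both the plain and the hashed entry.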
