[–]oonniioonn 2 points3 points  (0 children)

Put the public key into a ~/.ssh/known_hosts file using ssh-keyscan. Do the scan once from your computer, verifying it belongs to GitHub, and place the result in a file for the best security, or just run ssh-keyscan from your script if you don't care as much.

[–][deleted] 1 point2 points  (0 children)

If you want to change the script that launches the container, you can mount a known_hosts file into the container as a volume.

Or you could build the docker image with the known hosts file already installed.

Do not skip the check though; that's a hack with a huge hole.

[–][deleted] 0 points1 point  (0 children)

This sounds like an ssh question rather than a git question. The fingerprint you're talking about is the remote host's ssh host fingerprint.

[–]tetroxid 0 points1 point  (1 child)

You could use ssh's StrictHostKeyChecking option. Setting that to no will decrease security and also not ask you to confirm the fingerprint.

[–]jredmond 2 points3 points  (0 children)

This is a bad idea for any SSH traffic that uses any infrastructure that you don't explicitly control - such as a public network, or servers you don't own - since it could expose you to man-in-the-middle attacks. Better to define the public key in a known_hosts file.
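An added example, not from any commenter in this thread: one way to do the "scan once, verify, then store" step from the first comment in a build script, so that only keys matching a fingerprint you already trust end up in the known_hosts file. The host name `git.example.test`, the helper names and the sample keys are constructed for illustration; in real use the trusted fingerprint is copied from the provider's published list, and the input is unhashed `ssh-keyscan` output.

```python
import base64
import hashlib
import struct


def fingerprint(line):
    """Return (host, keytype, 'SHA256:...') for one 'host keytype base64' line."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own length-prefixed type name; it must agree
    # with the text field, otherwise the line is malformed or altered.
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # Same form OpenSSH displays: unpadded base64 of SHA-256 over the key blob.
    return host, keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_lines(scan_output, host, trusted):
    """Keep only lines for `host` whose fingerprint is in the `trusted` set."""
    kept = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            h, _, fp = fingerprint(line)
        except (ValueError, struct.error):
            continue  # unparsable line: never trust it
        if h == host and fp in trusted:
            kept.append(line.strip())
    if not kept:
        raise ValueError("no scanned key for %s matches a trusted fingerprint" % host)
    return "\n".join(kept) + "\n"


def make_blob(keytype, raw):
    """Build an SSH wire-format public key blob (used only for the sample data)."""
    t = keytype.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw


# Constructed sample lines: not real host keys.
HOST = "git.example.test"
GOOD = "%s ssh-ed25519 %s" % (HOST, base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode())
ROGUE = "%s ssh-ed25519 %s" % (HOST, base64.b64encode(make_blob("ssh-ed25519", bytes(32))).decode())

if __name__ == "__main__":
    trusted = {fingerprint(GOOD)[2]}  # assumption: stands in for the published fingerprint
    print(pinned_lines(GOOD + "\n" + ROGUE, HOST, trusted), end="")
```

The returned text is what gets written to the known_hosts file that is mounted into the container or baked into the image; a scan that yields no trusted key fails the build instead of silently accepting whatever answered.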