aguestuser authored
* if we don't have the keys, we get prompted the first time, which we can't automate
* previously, we worked around this by passing `StrictHostKeyChecking=no` to `ssh`, but this leaves us open to the (small) possibility of a MIM attack on the server's SSH key
* instead, pin the backup server's pub key on prod by loading the results of calling `ssh-keyscan -H <backup host ip>` into `/root/.ssh/known_hosts` on prod (via `provision.yml`)
* and then remove the call to `StrictHostKeyChecking` in `bin/backup`
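
A check that a hashed `known_hosts` file really pins the backup host, as an added example that is not part of this commit or the project's code. `ssh-keyscan -H` stores the host as `|1|salt|HMAC-SHA1(salt, host)`, and the scan itself trusts the network, so the printed fingerprint is meant to be compared against one read on the backup server's console. The IP address, key blob and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def hash_host(host: str, salt: bytes) -> str:
    """Build the `|1|salt|hash` host field that `ssh-keyscan -H` emits."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names `host`."""
    if not field.startswith("|1|"):
        return host in field.split(",")
    try:
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # malformed entry: wrong field count or bad base64
        return False
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_fingerprints(known_hosts: str, host: str) -> list:
    """Return (key type, fingerprint) for every entry pinned to `host`."""
    pinned = []
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(parts) < 3 or line.startswith(("#", "@")):
            continue
        if host_matches(parts[0], host):
            pinned.append((parts[1], fingerprint(parts[2])))
    return pinned

# Constructed sample: documentation-range IP and a fake ed25519 key blob.
BACKUP_HOST = "192.0.2.10"
_blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
         struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY = base64.b64encode(_blob).decode()
SAMPLE_KNOWN_HOSTS = "%s ssh-ed25519 %s\n" % (
    hash_host(BACKUP_HOST, b"\x01" * 20), SAMPLE_KEY)

if __name__ == "__main__":
    for key_type, fp in pinned_fingerprints(SAMPLE_KNOWN_HOSTS, BACKUP_HOST):
        print(BACKUP_HOST, key_type, fp)
```

An empty result for the backup host means the pin is missing, in which case `ssh` without `StrictHostKeyChecking=no` will stop at the prompt the commit message describes.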