    [fixup] preload backup host's ssh key fingerprints on prod · dd7d4d07
    aguestuser authored
    * if we don't have the keys, we get prompted the first time, which we
      can't automate
    * previously, we worked around this by passing
      `StrictHostKeyChecking=no` to `ssh`, but this leaves us open to
      the (small) possibility of a MIM attack on the server's SSH key
    * instead, pin the backup server's pub key on prod by loading the
      results of calling `ssh-keyscan -H <backup host ip>` into
      `/root/.ssh/known_hosts` on prod (via `provision.yml`)
    * and then remove the call to `StrictHostKeyChecking` in `bin/backup`
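The pinning described in this commit relies on the hashed `known_hosts` format that `ssh-keyscan -H` emits. The following is an added example, not code from the commit or from the project, that shows what that format is, how a hashed line is matched against a host, how a provisioning step can add the line idempotently, and how a changed key (the case `StrictHostKeyChecking=no` would have hidden) is detected. The backup-host address `203.0.113.10` and the key blob are constructed placeholders; in practice the key line comes from `ssh-keyscan -H <backup host ip>`.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values (not from the commit): a placeholder backup-host
# address and a fake key blob in SSH wire shape. A real blob is the third
# field of a line printed by `ssh-keyscan -H <backup host ip>`.
BACKUP_HOST = "203.0.113.10"
SAMPLE_KEYTYPE = "ssh-ed25519"
SAMPLE_KEY_B64 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()


def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed-hostname scheme: base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def make_hashed_entry(host: str, keytype: str, key_b64: str, salt: bytes = None) -> str:
    """Build a known_hosts line in the shape `ssh-keyscan -H` emits:
    |1|<base64 salt>|<base64 hash> <keytype> <base64 key>"""
    salt = salt if salt is not None else os.urandom(20)
    hostfield = f"|1|{base64.b64encode(salt).decode()}|{hash_hostname(host, salt)}"
    return f"{hostfield} {keytype} {key_b64}"


def entry_matches_host(entry: str, host: str) -> bool:
    """True if a known_hosts line (hashed or plain, comma-separated) covers `host`."""
    hostfield = entry.split()[0]
    if hostfield.startswith("|1|"):
        _, _, salt_b64, digest = hostfield.split("|")
        candidate = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(candidate, digest)
    return host in hostfield.split(",")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64),
    useful for comparing the pinned key against an out-of-band copy."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Return known_hosts text with the host's key pinned. If an entry for the
    host already carries exactly this key, nothing is added, so a provisioning
    run can apply this step repeatedly without duplicating lines."""
    lines = [line for line in known_hosts.splitlines() if line.strip()]
    for line in lines:
        parts = line.split()
        if (len(parts) >= 3 and entry_matches_host(line, host)
                and parts[1] == keytype and parts[2] == key_b64):
            return "\n".join(lines) + "\n"
    lines.append(make_hashed_entry(host, keytype, key_b64))
    return "\n".join(lines) + "\n"


def key_changed(known_hosts: str, host: str, keytype: str, key_b64: str) -> bool:
    """True if an existing entry for the host has a different key of the same
    type. This is the condition that makes strict host-key checking refuse the
    connection, and that `StrictHostKeyChecking=no` would have ignored."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and entry_matches_host(line, host) and parts[1] == keytype:
            if parts[2] != key_b64:
                return True
    return False


if __name__ == "__main__":
    kh = pin_key("", BACKUP_HOST, SAMPLE_KEYTYPE, SAMPLE_KEY_B64)
    print(kh.strip())
    print("fingerprint:", fingerprint(SAMPLE_KEY_B64))
    print("key changed:", key_changed(kh, BACKUP_HOST, SAMPLE_KEYTYPE, SAMPLE_KEY_B64))
```

The hashed form hides which hosts are listed if `known_hosts` leaks, but it also means a provisioning task cannot grep for the IP to check whether the line is present; matching has to recompute the salted HMAC as `entry_matches_host` does, which is why an idempotent step is worth writing explicitly rather than appending the `ssh-keyscan` output on every run.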