Remove ssh-keyscan from git credential initialization

Before this change an SSH Git Secret without a known_hosts would cause Tekton to perform an ssh-keyscan of the remote host to get its public key. This would happen in the entrypoint of the Step which meant that every Step container would have to have a copy of ssh-keyscan. After this change the reponsibility for fetching missing host keys now falls on git-init, meaning that the Git PipelineResource and git-clone catalog task will fetch the missing keys at runtime. This is preferable because we can guarantee that the git-init image has ssh-keyscan in it.
tektoncd · Jul 30, 2020 · f112277 · f112277
1 parent 3fc7c03
commit f112277
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 99 deletions.
diff --git a/docs/auth.md b/docs/auth.md
@@ -46,7 +46,7 @@ aggregates them into their respective files in `$HOME`.
      ssh-privatekey: <base64 encoded>
      # This is non-standard, but its use is encouraged to make this more secure.
      # If it is not provided then the git server's public key will be requested
-     # with `ssh-keyscan` during credential initialization.
+     # when the repo is first fetched.
      known_hosts: <base64 encoded>
    ```
 
@@ -389,7 +389,7 @@ type: kubernetes.io/ssh-auth
 data:
   ssh-privatekey: <base64 encoded>
   # This is non-standard, but its use is encouraged to make this more secure.
-  # Omitting this results in the use of ssh-keyscan (see below).
+  # Omitting this results in the server's public key being blindly accepted.
   known_hosts: <base64 encoded>
 ```
 

diff --git a/examples/v1beta1/taskruns/authenticating-git-commands.yaml b/examples/v1beta1/taskruns/authenticating-git-commands.yaml
@@ -32,12 +32,16 @@ metadata:
 data:
   # This key was generated for this test and isn't used for anything else.
   ssh-privatekey: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUF5T1g3ZG5OWlFBZVk4cHNMOXlaUnp3NXNDVG1yWGh6Zld1YTZuZ2VDQ0VRRTY4YjVUSThTCkNlbEhlNG9oTUtBdXZ0ZTE4YXJMK2EvVldpeFN6a2tBMmFIZVhkdUJ1bStkS2R2TlVVSUhNc1dOUythcENQYmE4R3ZGaHYKdG81Tkx0bWpxT2M0WjJkK1RPS3AvakMrS3pvUDFHQWdRL25QMitMTldabzlvTTc4TzQ3Z1dSem9FNlFKeGJqbFlPMHRMbwp4YXUxdTNrbUtsNSthbUxsNHpGN25wdmV1dGlSWDhmY2hGam5Ka2dqK3BVeFJvTGF4SDdDN0NTcDExWUkyMEhKRVFXeEk3CllaekNTYml5KzZ1a2l0Tk1MZ29qMnpSTGl2ZTVvZm9nenpYbkdWUUpZdUIzOFhQM0ZIQWMvOXhzUXdzd3dQS2hkQ3g4T0QKbjErYXpLOHp5SGhXK0dxckJhS1R4cDlrcVRpKzZSMWk4ZjVxOEt6NXpGVTZmd05qQXZ3STFBZ3IwS2FzU1JxWTVMcGxnTgpZcW1DY01JODZKUnRGWHRWWVQrT05tdWFhYUQ1QUErbnpkNW81R0haZTlFSlNqUThZMHZwbjhmNjNjeEw2RTdzVmxpMnpzCnNhN1RST2JMK3YyVnFuSlpEY2pIZXMzS1M5Mld0V3RJbXdXOG81VkRBQUFGaU04K0NUL1BQZ2svQUFBQUIzTnphQzF5YzIKRUFBQUdCQU1qbCszWnpXVUFIbVBLYkMvY21VYzhPYkFrNXExNGMzMXJtdXA0SGdnaEVCT3ZHK1V5UEVnbnBSM3VLSVRDZwpMcjdYdGZHcXkvbXYxVm9zVXM1SkFObWgzbDNiZ2Jwdm5TbmJ6VkZDQnpMRmpVdm1xUWoyMnZCcnhZYjdhT1RTN1pvNmpuCk9HZG5ma3ppcWY0d3ZpczZEOVJnSUVQNXo5dml6Vm1hUGFETy9EdU80RmtjNkJPa0NjVzQ1V0R0TFM2TVdydGJ0NUppcGUKZm1waTVlTXhlNTZiM3JyWWtWL0gzSVJZNXlaSUkvcVZNVWFDMnNSK3d1d2txZGRXQ050QnlSRUZzU08yR2N3a200c3Z1cgpwSXJUVEM0S0k5czBTNHIzdWFINklNODE1eGxVQ1dMZ2QvRno5eFJ3SFAvY2JFTUxNTUR5b1hRc2ZEZzU5Zm1zeXZNOGg0ClZ2aHFxd1dpazhhZlpLazR2dWtkWXZIK2F2Q3MrY3hWT244RFl3TDhDTlFJSzlDbXJFa2FtT1M2WllEV0twZ25EQ1BPaVUKYlJWN1ZXRS9qalpybW1tZytRQVBwODNlYU9SaDJYdlJDVW8wUEdOTDZaL0grdDNNUytoTzdGWll0czdMR3UwMFRteS9yOQpsYXB5V1EzSXgzck55a3ZkbHJWclNKc0Z2S09WUXdBQUFBTUJBQUVBQUFHQUNQSGtmbU9vWjZkdThlNWhYQUhDeHJ0WHFCCmwvUGROL1JtYmJqRW05U216czR5cWEwd1BUdzhrMU81VHM0V05nY1hMZFVRTlB6YkE4aWFWTGtvL0JqKzhiSFlhMmdmeVMKUE5qaWpXbXBOR09EWlF2Q0h2b095WUdpNjkycHovWnNTZCt0bEFzNm54LzY1ZjcwZHdVREJub0FjZnFLY28wQnVMRlNBKworamY5RnhISGYzQkFEUS9TdDVFQjlZelo1Q2F2cTRQcjZvS2w3R3RpbnRIbTZIbUlwTUlubWVEMnV3cjl2ZGZ1RGJhVDdYClVOSm10elVGck1uOUhlOWd1WkoyTXd3a015S09ScnRhVFA3VjFZK3FOM3ZncStmRkNtU0VkekxBU3BWTHMyL1hQTCtwTnAKTTVZUVRRMFJSZWdKTEdtTHZ0ZmpkK1RRMFQ0bjBucnBJVGRXRTRsL05sTG9taTVhUndzQXFtY2hZSGxhN0g3YlNyS2lKawpyWTg1RTliZm8wSXJqUDNQNzFYNmxjcTB0VDhDTklUQUNleWJQT3kwcDVDc3JwZTdhZEJBOXF4MTZjR2tkZ0NPWk9GMnRpCktoWWJHeTc4ei9YNEh2OEptVmhaSHF3RlFQQzVleWljbE1PTFJXNDJOcUJhNEVFc3RHT3l4MHZwa0lVS3VhRlJuQkFBQUEKd1FESytXYzU1WHVpWjgySXM5NnN2bWIrR0Y5c2pBRWVaWHpHSWpDL1NHVEhIWTZSQmc1TnlQOUdZNmtoWnBjd0cyTU52dQpZUjhuN0psRWlVanU2cjY2Smh0WGtvdTR4WlU1dDkvMlJvdHRmeWpKODJmYm8yTHZmNERUOVNvSURxZnk5VmlMSjhSWUNkCkt6NnpYSHFTZ1RBRU1vaUhjbFpIZzRqTitrOW1ma2tPMDBQbEJJaE1YU0ZMLzUrZUhGdStQTmxaU1g5NUlMRjJvZ0Y1RG0KWTFuaTRUOGJjdzY2dmFzamthcjFZekptM1VidEVnSzQ2VVllNGJac2NXbWt4dngwMEFBQURCQVA4UysyTmtheWkvb3NzVApTQXpJMi9QU2tJMDVEY1lTYnNOQjZ4a3pobzdKaDlHeUNvbW5xZ1IxR2ZBOTBqV3AxVks0TG43TmtYYWJaVmJPc0xoT21DCkdBbVRZTHRjaTB0bkhhYk5HTEZ3ZmdiUitqRzZNQ2p4cEh5anM5MDlKSHhtYmswbElpczdPN1N3VThERGcrSEVxc0EvNUoKQ1VMTWU3em9mNERhUnZXdFhTRks2ZW5LNnpGaHBINjVQY29TN0o0NjJhNzdUMDVGQXhMemNaRkc5VWZ5WUdMa1ZmdHRTTApNVDhudW9LaW5XTGNLSlVQeis1MjJlM3lIcis4c3pVUUFBQU1FQXlhQ28xSnRBcjRpczY0YTBuZTFUV0o0dXcyT3FDdUlDCm9acG1QN2UyRnh3bVRCSWMrbzZkSEVNVHo2c2ZZSkFxU2l4ZzYydXYzWlRTc25STWljaDZ0b1k0SVI4cWFMa1prLzU5cmEKQWFONFlvTkdpQTZxY0Jzc3NLMmZuM2YxRFJhckxPbWZHTnpTMU41S1RvSFVlUkVGWDExdHVNM1pqOGxTelFBOWZSakk1OQpFWmFnOWJaOXRJOEg5dmEvTGRMK3U3dTZZWkVRSEJCS1MxMW1tOVVXd1pDMkdUV3ZnNzRlTnRmemtZeDQxdlhIeTZBbW9ECmxuOHo2N3lvWEZzbEpUQUFBQURuTmpiM1IwUUcxbFkyZ3ViR0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
-  # This known_hosts file doesn't actually get used; we overwrite it with the public key
-  # of our temporary test git server. But it's required here because otherwise creds-init
-  # calls ssh-keyscan which in turn tries to reach out over the network, will fail to make
-  # contact with the localhost SSH server because it isn't running yet, and the TaskRun
-  # will end in failure.
-  known_hosts: Cg==
+  # Note: we intentionally omit a known_hosts entry here. You should include
+  # one in your own Secrets as a security measure, otherwise the Git PipelineResource
+  # and git-clone Tasks will blindly accept any public key returned by a repository.
+  #
+  # We're able to omit known_hosts here because the file is generated by the
+  # git server sidecar. The benefit of omitting it here is that it exercises
+  # a codepath in Tekton that used to fail. In prior versions Tekton would
+  # run ssh-keyscan if known_hosts was omitted, which would fail for this example
+  # because the git server sidecar is not up and running at the time the scan
+  # would have happened.
 ---
 apiVersion: v1
 kind: ServiceAccount

diff --git a/examples/v1beta1/taskruns/git-ssh-creds-without-known_hosts.yaml b/examples/v1beta1/taskruns/git-ssh-creds-without-known_hosts.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-ssh-without-known-hosts
+  annotations:
+    tekton.dev/git-0: github.com
+type: kubernetes.io/ssh-auth
+data:
+  # Generated by:
+  # cat id_rsa | base64 -w 0
+  # This deploy key has read-only permissions on github.com/knative/build
+  ssh-privatekey: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBc0YrY3ZIdUlKRjBwNWZNVDBUUVZhMWpTZVBNVlhtUWhGa1F0andsamJFSXVKaVh5CmVrU1I0WUtDbFZIZVo0M2VOa2p5SzFwTDVmVnZnY3J2bkVUMXE5dmFmOThtNzdHWjZUdnJGY0RyZjViZDFIZGUKTU1MTFZRRU8vN1lkcEJFeVJ1UjA4RXRzbWp0RUVaNERVZnBUWGQ5RnAyTU5UWTYwVzFpa0p0Mm53dGhWVlF0OApubFcxTTRvc1d0SHE1OVFDbnhqUkVmNzNhdHdtUTZ6enlXcCtJM3ZBRFRJUmZpTWcvSjc0UDJHOWlwL0U1U0YrCnNuRmRnU2x0cjhyd0tmTE5jTDVYandOSE53aHErQ2NJRHBUZGhuVTBUaEFZNlRsa25KWFJudXRicGNRajA4MjAKMyt1aXRxaXhJcnIwQmkrU2NDQ21GNERxZGdRUXIwRzdieXRKemJkdjJOL3dGbGFpWmVOTWtXSVd5TzRpdnU4TQoxbGUyajVHeDZFaVQ0TG5sNitoRHd3aXozUGR4Y1I0S0VxZzVqRmQ3QjNDcHQ0cUswRDFHVVhnMmx1ZHRsMU40CjVoNUJaNEZZcWF0VU1LQkVjeHd4ekZVVE1iNFZmdFhuMEJOSHkyVXlxUkx6VnBMZWgyRHRYcmtaZnRnTlFCeFAKNkNKc2FnYkpuRmZ1Mk1IaTh5VkE3UFZnUXExS3hPWnF0c0JKb3RvSzJXb0lONldpbnl0d0lwUFhsblJrZ3duYgo4dVBZdmhoZDB0ZVllZ2pYNW85azcwaDhFOEFpZGtqaFpKRkwzakRjc0NFdGJQSWtBMHp3bCs0UFN5aWV2UXpVCldFTkFTSzhXc1NxSk40bUtNSEJMbDU2WWZpTnBJNXVEUGx6eC9hS3hnQis2RExYL25GRzB0Y2ZTYlJFQ0F3RUEKQVFLQ0FnQnRjQlpZR2FxakxhK213RXFHbi9PK2RSRzcvTkZBalk2K096V3RzRnlodXZyWnJ1Z2pGOU1SQTZNMQpOZVJ6aXVMYitpMVIyeWlIR3VEQ3Y0SW9DOTRJY2xYRXpGbGpsMmJ5QXJ6ZTlhTHF1MWtQMGJWL09nOWl3bEpsCk5zSnpvRHY3SXh5d1VZeWtzcXVNNXVnV2dPWWp0RHVMSG5vTnFzT2Nmb2IwbXNyU3F0dGY5czJ2ald6dSt3aUUKbmdaTkxROG5Xd1czVGVhRnh1NXpSYWpMVEtuU0tLSkZUZER1M0t0R05QbkNra3BDN3RvRWR1RWZwaG9uMytYdwprMUtzSkwxMi9KUmw1OW5UZXdTc3o4TS9FUDNYeFhmY0RENzQwQ1R1eUVPV2dXR1BuUUhDRmJ6cXlGSmhWcEQ3CkJOZ1Awb3JoeWxCayt4Z0FmSXRCdzk2aW4xQ2VMZHZKek9TdDNXSUVrY0w3ZVB0bkpzWVpBa1J4eFU1NWF6ajEKbFJHNWRWN010ZzgwWXJTcDdoYXIxamhTQ0JjVzZMUHdueTdXK1psWEd6VG9Gb1o2clIwdytJdGRjNGpPSEhtTgpRVk9tWFd3SFJuZm5rQWZlNXdDQkZQbXpMT2tYbnloWjdaNWxmVlJQaE9lT0hlV09NeHJvWFZoRmJPcTFxemo1Cm85a1dMVGxwTk42YXhrOW41R1N6NlZDVDRHSW1iOUsyWmpQUklOMktQZ3Vxd0RRSFVmd0ViZ0NnTkVUOG5wc2UKelYxRnRpRUJaeVJPa2RwdDhDd2NrbGxHc0Nab0dIa3Z1OXlRSytMUldvV2xJS041WGJXYVljaW01VVhIZlIzUgp4ZGx2QmgxNDl2MW02Y3haMWpzNUFJM09Xb0lpaXlaWjdKUGUxbUIycDE2dUlsUGhsUUtDQVFFQTRNZmNPRVluCkdrQVEzaEdKMm5ia0ZzZ1hJemJrQkQvanIrY1JHd1pjeitBZ2x0cXFZRnQ2Rzh3eElBMGd2V1BLNDFhR1UzU1AKdHVjUEF6VjVEYlR3WklFdjVpY3kycHJlbHJ1ZTB4RkV4WWRZNFFCVGRiVFM4TE9ZWncxTEZpTGRXb1VKVlhiWApTaE4rSktpSDVpM3J1K2dwTHArT0ZHUSthWFdQSFp0TjdjTUZidEpUUkNQUlZqUkVHb25qejY3c2NNcWxZNjAyCkYxaFlURGRkTGNnNnhiN0M3ZmdXc25pdEh4ZWY5UHZFUlZSUWdyRW9RT3lOcFczL0VOU1RQN1IzTzhnNnNHTXYKUXI4SDd1a3RGUlAxUVRqSGNvdmtrdm9aaERHOHRGREd4T0FhbFMxK2phQVpBMmNVdEI4VU5ueHpqMFJFNE43VAp3OHZST3NHbjJ2aG9vd0tDQVFFQXlONmV1d0FFdllpanVlV21pYWNJTUQ0bExaL3JjLzF6T0RUQ3grWm05SHBCCjZyUGMvMG8yR3lGV2Y2aVN3UjhOWlVyM2dvREh6ck8vTHdZUTNyUEhhZFpkRGRFVWh5UXBHeDFuOG9ONXhSU0sKVkVkdnVESkF4SnhHdXRWYk9sNzlDUitadjBqa3hGY2xaOTBaSGdhVEl5TnBlK1dIcTI3Mm1oaENaOXNmK0RTMgppM2V2MEkrQ0t6eXppV2NUdzJKL0ROSlpIN0ZnUlc0U1M3OXBLcDFPOXk0a2hQMk0xQU9nVUp4eFBta0xMc05oCk45dlB0QmpXMENZZmxiei9zWjBYZEVtL1hEUE9xNWVXc0tsZm5XcnpzR3ZZVHRvZkxpN1pVekJhMjRyc1AzT3UKT0JqeFVQWDBhTnQ2bVlOSWVSQkNkVk9BZlFsbGFqSW1hVENNNXZQcXV3S0NBUUF1RXFrZjI3aytGeTJkNXVoagpvQVRtYW9MYmsrK3VzMDIvQzFTbFBtdWRyQ25oNGRZVVJBdkdVTmNzNDZQM1RkSVRRUFB0ZlRITDRwWmdLUUN6Ci80ZGFnbVJILzNiYitleHY1dXNLQmpzYlpiK2c5c2tra2ppK1g0RjRkZkFUREhoa2ltbzhXMHlMZ1cxVXBEcWUKd29EVUZpVUN5bTk3M0lReVo0YzdJVThhMGVOMk1LUWlqbGpsRzNkdUhSOVZ2VnYzVG9JUjZUbnlGUWljTHFqcApybVhsakZFMko2aTNVaWJoL1p5cXdVUWNsY2llMFNNWUU2U0E2UWZqOGo1d1MxUTVLN1JqM1NDZHhMd2lpeWJUCmNERFArb3hlL1MrUHRMV3dNK1dpNi8raDhQRmg3RjVKTnl5SlZ3S1dYTnh1d3BtSkh3d2pMMmttYzh0aUNMbVkKRjF5VEFvSUJBRWpJdWRWaW5WVWNKTTlnVW1jQWVpd1k2Sm5PbjU5bzBBNG11QWw5Q0FOQUpaQm8yZ1E3SEwzWgo1NkRjTVVqKytuaWdvR3pPUXhnMzgyZVRtQnRLSTFETFZ1NkJ1eUY0emRoQVlJRDBlUFFiakVBYm5uU3M2T0VWCkMxLzVuVlBhUlcrLzNwTDhVOEI5SDFXeVBMNnZmVE0zU3FxVk1nTEJjMlBFdEpNelNETkV6bnhjd3YwY2N2czkKeElSZU1FQVUrWnBvd2RpRkNqQStRU3puVDdFY1RSZXR4WmZXMCtlaTVMMHc0cXZObmpxMG13NkZmSTV5amF2ZwpsSU5LZDVBaEx2VjVIM2pHWVBXMk9Pa01obFBoQkNvQitlQWdrem5GeWdPbHV0WmdVVmh3ajBsT2FHcUFwSzQyCkVRZDlGWTZnZ0tSSXZIOFNINGhLWWJhdDIvQjNvNjhDZ2dFQVNnUGZubVdZcXpQTlpwYXh4VFZ3NXl0cXovMGcKUHlhcW41elhDSHFsdDluNkZFYWdRVjE4bjl0bUZzTWtnOFd4MHp1TjY5ajNvcXVDaWVDSkVRTTFDR05GUWg2MQpEV0xrd210R1FPNXZxc0VhcXpLZk9yWktnYTJ5L3BuejY2SkNlUW83UlJEdVVZVHpPY3NpQmtxNmNUNHFLQjY0ClBCVlVhQTROQkVCZlRoc1o5dDhpWHFDQWhUQnVlTDdhQ3pHV0ZjR1k5dndrZkJHNjNacURXbVlqZkZwRGlqSWIKL21ySnJVTTB0a09HcUhESk5aUWhpZXc1VHF6NWp3VElyTDY3YUdZNFpuNEVyODFlb3JOZnpEeDVnak1NYnoweQoyTGZoN1c0MFlWMDA4ZmZJTk5BbXA4VjNqay9qcWFUSFlWYlFQNGxhdTRIWkc5Q2g1Q1VpSmFvN2xBPT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+  # Note: We are not including a known_hosts entry here. This forces
+  # the Git PipelineResource to accept github's public key the first
+  # time it fetches the repository.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: robot-git-ssh-without-known-hosts
+secrets:
+- name: git-ssh-without-known-hosts
+---
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: git-ssh-creds-without-known-hosts
+spec:
+  serviceAccountName: robot-git-ssh-without-known-hosts
+  resources:
+    inputs:
+    - name: gitssh
+      resourceSpec:
+        type: git
+        params:
+        - name: revision
+          value: master
+        - name: url
+          value: git@github.com:tektoncd/pipeline.git
+  taskSpec:
+    resources:
+      inputs:
+      - name: gitssh
+        type: git
+    steps:
+    - name: config
+      image: ubuntu
+      script: |
+        #!/usr/bin/env bash
+        cat /workspace/gitssh/README.md
diff --git a/pkg/credentials/gitcreds/ssh.go b/pkg/credentials/gitcreds/ssh.go
@@ -17,12 +17,10 @@ limitations under the License.
 package gitcreds
 
 import (
-	"bytes"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -108,7 +106,9 @@ func (dc *sshGitConfig) Write(directory string) error {
 			}
 			configEntry += fmt.Sprintf(`    IdentityFile %s
 `, e.path(sshDir))
-			knownHosts = append(knownHosts, e.knownHosts)
+			if e.knownHosts != "" {
+				knownHosts = append(knownHosts, e.knownHosts)
+			}
 		}
 		configEntries = append(configEntries, configEntry)
 	}
@@ -117,9 +117,12 @@ func (dc *sshGitConfig) Write(directory string) error {
 	if err := ioutil.WriteFile(configPath, []byte(configContent), 0600); err != nil {
 		return err
 	}
-	knownHostsPath := filepath.Join(sshDir, "known_hosts")
-	knownHostsContent := strings.Join(knownHosts, "\n")
-	return ioutil.WriteFile(knownHostsPath, []byte(knownHostsContent), 0600)
+	if len(knownHosts) > 0 {
+		knownHostsPath := filepath.Join(sshDir, "known_hosts")
+		knownHostsContent := strings.Join(knownHosts, "\n")
+		return ioutil.WriteFile(knownHostsPath, []byte(knownHostsContent), 0600)
+	}
+	return nil
 }
 
 type sshEntry struct {
@@ -132,32 +135,6 @@ func (be *sshEntry) path(sshDir string) string {
 	return filepath.Join(sshDir, "id_"+be.secretName)
 }
 
-func sshKeyScan(host, port string) ([]byte, error) {
-	var c *exec.Cmd
-	if port == "" {
-		c = exec.Command("ssh-keyscan", host)
-	} else {
-		c = exec.Command("ssh-keyscan", host, "-p", port)
-	}
-	var output bytes.Buffer
-	c.Stdout = &output
-	c.Stderr = &output
-	if err := c.Run(); err != nil {
-		return nil, err
-	}
-	return output.Bytes(), nil
-}
-
-// sshKeyScanArgs returns the host and optional port for running ssh-keyscan
-// given a url.
-func sshKeyScanArgs(url string) (string, string) {
-	host, port, err := net.SplitHostPort(url)
-	if err != nil {
-		return url, ""
-	}
-	return host, port
-}
-
 func (be *sshEntry) Write(sshDir string) error {
 	return ioutil.WriteFile(be.path(sshDir), []byte(be.privateKey), 0600)
 }
@@ -171,15 +148,10 @@ func newSSHEntry(url, secretName string) (*sshEntry, error) {
 	}
 	privateKey := string(pk)
 
-	kh, err := ioutil.ReadFile(filepath.Join(secretPath, sshKnownHosts))
-	if err != nil {
-		host, port := sshKeyScanArgs(url)
-		kh, err = sshKeyScan(host, port)
-		if err != nil {
-			return nil, fmt.Errorf("ssh-keyscan error: %w", err)
-		}
+	knownHosts := ""
+	if kh, err := ioutil.ReadFile(filepath.Join(secretPath, sshKnownHosts)); err == nil {
+		knownHosts = string(kh)
 	}
-	knownHosts := string(kh)
 
 	return &sshEntry{
 		secretName: secretName,

diff --git a/pkg/credentials/gitcreds/ssh_test.go b/pkg/credentials/gitcreds/ssh_test.go
diff --git a/pkg/git/git.go b/pkg/git/git.go
@@ -20,13 +20,19 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
 
 	homedir "github.com/mitchellh/go-homedir"
 	"go.uber.org/zap"
 )
 
+const (
+	sshKnownHostsUserPath          = ".ssh/known_hosts"
+	sshMissingKnownHostsSSHCommand = "ssh -o StrictHostKeyChecking=accept-new"
+)
+
 func run(logger *zap.SugaredLogger, dir string, args ...string) (string, error) {
 	c := exec.Command("git", args...)
 	var output bytes.Buffer
@@ -78,6 +84,18 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error {
 	if _, err := run(logger, "", "remote", "add", "origin", trimmedURL); err != nil {
 		return err
 	}
+
+	hasKnownHosts, err := userHasKnownHostsFile(logger)
+	if err != nil {
+		return fmt.Errorf("error checking for known_hosts file: %w", err)
+	}
+	if !hasKnownHosts {
+		if _, err := run(logger, "", "config", "--global", "core.sshCommand", sshMissingKnownHostsSSHCommand); err != nil {
+			err = fmt.Errorf("error disabling strict host key checking: %w", err)
+			logger.Warnf(err.Error())
+			return err
+		}
+	}
 	if _, err := run(logger, "", "config", "--global", "http.sslVerify", strconv.FormatBool(spec.SSLVerify)); err != nil {
 		logger.Warnf("Failed to set http.sslVerify in git config: %s", err)
 		return err
@@ -209,3 +227,20 @@ func ensureHomeEnv(logger *zap.SugaredLogger) error {
 	}
 	return nil
 }
+
+func userHasKnownHostsFile(logger *zap.SugaredLogger) (bool, error) {
+	homepath, err := homedir.Dir()
+	if err != nil {
+		logger.Errorf("Unexpected error: getting the user home directory: %v", err)
+		return false, err
+	}
+	f, err := os.Open(filepath.Join(homepath, sshKnownHostsUserPath))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	f.Close()
+	return true, nil
+}