From c7baefdc23c4bb3b517a16ffa6ddda31763f0be8 Mon Sep 17 00:00:00 2001 From: Jason Gill Date: Wed, 2 Mar 2022 12:29:53 -0500 Subject: [PATCH 1/9] Allow RSA host keys RSA host keys are disabled by default on OpenSSH 8.8+ which is used by the base Alpine image, but many servers still use RSA host keys --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9d0f2b5..c62f402 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -9,7 +9,7 @@ set -eu # Variables. SWITCHES="$INPUT_SWITCHES" -RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH" +RSH="ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p $INPUT_REMOTE_PORT $INPUT_RSH" LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH" DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST" From ee287eb1f090f838d05d64cf0e798b74dbc619fd Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 11:58:08 +0100 Subject: [PATCH 2/9] feat: Update base image to latest 1.4.4 (apline 3.19.1) --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cf2dca1..bb4a185 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM drinternet/rsync:v1.4.3 +FROM drinternet/rsync:v1.4.4 # Copy entrypoint COPY entrypoint.sh /entrypoint.sh From 9603fc818619574f10c02c47431eb0a7edafef9a Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 12:16:35 +0100 Subject: [PATCH 3/9] feat: Make usage of legacy rsa hostkeys conditional The usage of RSA host keys introduced with c7baefdc23c4bb3b517a16ffa6ddda31763f0be8 was adjusted to make it conditional/configurable and to keep backward compatibility --- entrypoint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index a19b5cf..b854a54 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,8 +13,11 @@ echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add set -eu # Variables. +LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa" +LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "") + SWITCHES="$INPUT_SWITCHES" -RSH="ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p $INPUT_REMOTE_PORT $INPUT_RSH" +RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH" LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH" DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST" From 008719532fb1adf12fd09a5f271e7a170a85cbe5 Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 12:20:39 +0100 Subject: [PATCH 4/9] feat: configuarable legacy RSA hostkeys support Ability to configure legacy rsa hostkeys support for OpenSSH servers < 8.8. Related to #24 and 9603fc8 --- action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/action.yml b/action.yml index 31eaea8..db35730 100644 --- a/action.yml +++ b/action.yml @@ -9,6 +9,10 @@ inputs: description: 'The remote shell argument' required: false default: '' + legacy_allow_rsa_hostkeys: + description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+' + required: false + default: 'false' path: description: 'The local path' required: false From f479c977832a3bb48ae033c5449273ad33d24a30 Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 12:29:40 +0100 Subject: [PATCH 5/9] chore: mention new legacy_allow_rsa_hostkeys option --- README.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/README.md b/README.md index e0aeae9..745e1f9 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,8 @@ The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of - `rsh` - Remote shell commands +- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") + - `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it - `remote_path`* - The deployment target path @@ -125,6 +127,35 @@ jobs: remote_key: ${{ secrets.DEPLOY_KEY }} remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }} ``` + +--- + +#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+ + +If your remote OpenSSH Server still uses RSA hostkeys, then you have to +manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``. + +``` +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: rsync deployments + uses: burnett01/rsync-deployments@6.0.0 + with: + switches: -avzr --delete + legacy_allow_rsa_hostkeys: "true" + path: src/ + remote_path: ${{ secrets.DEPLOY_PATH }} + remote_host: ${{ secrets.DEPLOY_HOST }} + remote_port: ${{ secrets.DEPLOY_PORT }} + remote_user: ${{ secrets.DEPLOY_USER }} + remote_key: ${{ secrets.DEPLOY_KEY }} +``` + +See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information. + --- ## Version 5.0, 5.1 & 5.2 From b9a68ac619de1a77314c0296dcb1ef6348ea93cf Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 12:35:07 +0100 Subject: [PATCH 6/9] chore!: Versions 4.x EOL, 5.x DEPRECATED, 6.x MAINTENANCE - All versions 4.x are now EOL and no longer maintained - All versions 5.x are now DEPRECATED and will become EOL within Q2 2024 - All versions 6.x are now MAINTENANCE and will become DEPRECATED within Q4 2024 --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 745e1f9..bbef4ee 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,15 @@ See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](ht --- -## Version 5.0, 5.1 & 5.2 +## Version 6.0 (MAINTENANCE) + +Check here: + +- https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2) + +--- + +## Version 5.0, 5.1 & 5.2 & 5.x (DEPRECATED) Check here: @@ -167,10 +175,10 @@ Check here: - https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0) - https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1) - https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2) -- + --- -## Version 4.0 & 4.1 +## Version 4.0 & 4.1 (EOL) Check here: From c88a1dbded8f658a1e5218497401bcb66bae2529 Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 14:33:02 +0100 Subject: [PATCH 7/9] chore: adjust for EOL, DEPRECATION and MAINTENANCE --- SECURITY.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 885167c..b85ce16 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,12 +6,13 @@ The following versions are currently being supported with security updates: | Version | Supported | | ------- | ------------------ | -| 6.x | :white_check_mark: | -| 5.x | :white_check_mark: | -| 4.x | :white_check_mark: | -| 3.0 | :x: | -| 2.0 | :x: | -| 1.0 | :x: | +| 7.x | :white_check_mark: | +| 6.x | :information_source: MAINTENANCE | +| 5.x | :warning: DEPRECATED | +| 4.x | :x: EOL | +| 3.0 | :x: EOL | +| 2.0 | :x: EOL | +| 1.0 | :x: EOL | ## Reporting a Vulnerability From 21c0e5a9d97faccd2f6caa293c244639eb901c5f Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 14:33:58 +0100 Subject: [PATCH 8/9] chore: mention latest Alpine 3.19.1 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bbef4ee..fe7849f 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folde Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`. -The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.17.2 (no cache) which results in fast deployments. +The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments. --- From 93f02b856fbeaf9a8fbfdd8ce1a4adfd0843f849 Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Wed, 6 Mar 2024 15:04:26 +0100 Subject: [PATCH 9/9] chore: adjust readme for release 7.0.0 --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index fe7849f..eb393ec 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: rsync deployments - uses: burnett01/rsync-deployments@6.0.0 + uses: burnett01/rsync-deployments@7.0.0 with: switches: -avzr --delete path: src/ @@ -76,7 +76,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: rsync deployments - uses: burnett01/rsync-deployments@6.0.0 + uses: burnett01/rsync-deployments@7.0.0 with: switches: -avzr --delete --exclude="" --include="" --filter="" path: src/ @@ -96,7 +96,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: rsync deployments - uses: burnett01/rsync-deployments@6.0.0 + uses: burnett01/rsync-deployments@7.0.0 with: switches: -avzr --delete path: src/ @@ -116,7 +116,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: rsync deployments - uses: burnett01/rsync-deployments@6.0.0 + uses: burnett01/rsync-deployments@7.0.0 with: switches: -avzr --delete path: src/ @@ -142,7 +142,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: rsync deployments - uses: burnett01/rsync-deployments@6.0.0 + uses: burnett01/rsync-deployments@7.0.0 with: switches: -avzr --delete legacy_allow_rsa_hostkeys: "true"