I'm trying to npm install a project with git+ssh://git@github.com dependencies using node:10.21.0-jessie-slim docker image.
I'm running a ssh-keyscan like that:
RUN mkdir /root/.ssh \
&& ssh-keyscan github.com >> /root/.ssh/known_hosts
Without the package-lock, I'm able to install the dependencies. But when the package-lock exists, the authenticity of host 'github.com (140.82.114.3)' can't be established.
I found that when I run with package-lock, the know_hosts file used is the one in /home/node/.ssh/
So, I add it on my Dockerfile:
ssh-keyscan github.com >> /home/node/.ssh/known_hosts
And it works. But I want to know why it happens.
This happens when your ssh config file set some properties true like CheckHostIP or HashKnownHosts so if any property set to true which force ssh to verify the host then ssh first look into known_hosts so verify you ssh config file.
~/. ssh/config and /etc/ssh/ssh_config
please have a look https://www.ssh.com/ssh/config/