SSH Host Key Verification Failed inside GitLab CI
You may need to try setting the mode to 644 rather than 700. 644 is what is suggested in the Verifying the SSH host keys documentation, and is also what SSH uses for this file by default. Some parts of SSH are very particular about this - I'm not sure if known_hosts is particular.
The docs also mention you should set the value of SSH_KNOWN_HOSTS variable to the entire output of ssh-keyscan since there are multiple keys.
EDIT:
The following .gitlab-ci.yml worked for me on GitLab.com. Note the use of ~/.ssh/ rather than /.ssh/.
image: ubuntu:latest

test_job:
  script:
    - apt-get update
    - apt-get install openssh-client git-core -y
    # Start an agent and load the deploy key from the CI variable
    - eval $(ssh-agent -s)
    - echo "$SSH_DEPLOY_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    # Trust only the host keys stored in the SSH_KNOWN_HOSTS variable
    - mkdir -p ~/.ssh && touch ~/.ssh/known_hosts
    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - git clone git@gitlab.com:gitlab-org/gitlab-ce.git
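
The known_hosts step from the job above, written to fail closed, as an added example that is not part of the original answer. The function name `install_known_hosts` and its optional second argument are assumptions made for illustration; it applies the 700/644 modes discussed above and stops the job when the variable is empty or malformed instead of writing an unusable known_hosts file.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Install pinned host keys from a CI variable into known_hosts.
#   $1 = contents of the variable (the full ssh-keyscan output)
#   $2 = target directory, defaults to ~/.ssh (hypothetical, eases testing)
install_known_hosts() {
    pinned=$1
    ssh_dir=${2:-"$HOME/.ssh"}

    # Drop carriage returns (values pasted from Windows) and blank lines.
    cleaned=$(printf '%s\n' "$pinned" | tr -d '\r' |
              grep -v '^[[:space:]]*$' || true)
    if [ -z "$cleaned" ]; then
        echo "SSH_KNOWN_HOSTS is empty or unset" >&2
        return 1
    fi

    # Each non-comment line must read: host[,host...] key-type base64-blob
    # (marker lines such as @cert-authority are deliberately not accepted).
    bad=$(printf '%s\n' "$cleaned" | grep -v '^#' |
          grep -Ev '^[^[:space:]]+ (ssh-|ecdsa-|sk-)[^[:space:]]+ [A-Za-z0-9+/]+=*( .*)?$' || true)
    if [ -n "$bad" ]; then
        echo "malformed known_hosts line(s):" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi

    # The job container starts clean, so the file is written, not appended.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    printf '%s\n' "$cleaned" > "$ssh_dir/known_hosts" || return 1
    chmod 644 "$ssh_dir/known_hosts"
}

# In the job script:  install_known_hosts "$SSH_KNOWN_HOSTS"
```
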
Git error: Host Key Verification Failed when connecting to remote repository
You are connecting via the SSH protocol, as indicated by the ssh:// prefix on your clone URL. Using SSH, every host has a key. Clients remember the host key associated with a particular address and refuse to connect if a host key appears to change. This prevents man in the middle attacks.
The host key for domain.example has changed. If this does not seem fishy to you, remove the old key from your local cache by editing ${HOME}/.ssh/known_hosts to remove the line for domain.example or letting an SSH utility do it for you with
    ssh-keygen -R domain.example
From here, record the updated key either by doing it yourself with
    ssh-keyscan -t rsa domain.example >> ~/.ssh/known_hosts
or, equivalently, let ssh do it for you next time you connect with git fetch, git pull, or git push (or even a plain ol’ ssh domain.example) by answering yes when prompted
    The authenticity of host 'domain.example (a.b.c.d)' can't be established.
    RSA key fingerprint is XX:XX:...:XX.
    Are you sure you want to continue connecting (yes/no)?
The reason for this prompt is domain.example is no longer in your known_hosts after deleting it and presumably not in the system’s /etc/ssh/ssh_known_hosts, so ssh has no way to know whether the host on the other end of the connection is really domain.example. (If the wrong key is in /etc, someone with administrative privileges will have to update the system-wide file.)
I strongly encourage you to consider having users authenticate with keys as well. That way, ssh-agent can store key material for convenience (rather than everyone having to enter her password for each connection to the server), and passwords do not go over the network.
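
One way to check a changed key before recording it, as an added example that is not part of the original answer: compare the scan output against keys obtained out of band (for instance from the server's administrator) and only then append it to known_hosts. The function name `compare_host_keys` and the two-file layout are assumptions; host fields are matched literally, so comma-separated host lists must be written the same way in both files.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Compare freshly scanned host keys with keys pinned out of band, so that a
# changed key is reported instead of silently re-trusted.
#   $1 = file of pinned lines:   host key-type base64-blob
#   $2 = file of scanned lines in the same format (e.g. ssh-keyscan output)
# Prints one verdict per scanned key; returns 0 only if every key matches.
compare_host_keys() {
    # An empty pin file must not pass: nothing would be compared.
    if [ ! -s "$1" ]; then
        echo "no pinned keys in $1" >&2
        return 2
    fi
    awk '
        # First file: remember the pinned blob per "host key-type".
        NR == FNR { if ($0 !~ /^#/ && NF >= 3) pin[$1 " " $2] = $3; next }
        # Second file: skip comments and short lines, judge the rest.
        /^#/ || NF < 3 { next }
        {
            id = $1 " " $2
            if (!(id in pin))       { print "UNPINNED " id; bad = 1 }
            else if (pin[id] != $3) { print "CHANGED " id;  bad = 1 }
            else                    { print "OK " id }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Typical use after removing the stale entry:
#   ssh-keyscan -t rsa domain.example > scan.txt
#   compare_host_keys pinned.txt scan.txt && cat scan.txt >> ~/.ssh/known_hosts
```
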
Cloning git repo causes error - Host key verification failed. fatal: The remote end hung up unexpectedly
Resolved the issue... you need to add the ssh public key to your github account.
- Verify that the ssh keys have been setup correctly.
  - Run ssh-keygen
  - Enter the password (keep the default path - ~/.ssh/id_rsa)
- Add the public key (~/.ssh/id_rsa.pub) to github account
- Try git clone. It works!
Initial status (public key not added to github account)
foo@bn18-251:~$ rm -rf test
foo@bn18-251:~$ ls
foo@bn18-251:~$ git clone git@github.com:devendra-d-chavan/test.git
Cloning into 'test'...
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
foo@bn18-251:~$
Now, add the public key ~/.ssh/id_rsa.pub to the github account (I used cat ~/.ssh/id_rsa.pub)
foo@bn18-251:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/foo/.ssh/id_rsa):
Created directory '/home/foo/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/foo/.ssh/id_rsa.
Your public key has been saved in /home/foo/.ssh/id_rsa.pub.
The key fingerprint is:
xxxxx
The key's randomart image is:
+--[ RSA 2048]----+
xxxxx
+-----------------+
foo@bn18-251:~$ cat ./.ssh/id_rsa.pub
xxxxx
foo@bn18-251:~$ git clone git@github.com:devendra-d-chavan/test.git
Cloning into 'test'...
The authenticity of host 'github.com (207.97.227.239)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,207.97.227.239' (RSA) to the list of known hosts.
Enter passphrase for key '/home/foo/.ssh/id_rsa':
warning: You appear to have cloned an empty repository.
foo@bn18-251:~$ ls
test
foo@bn18-251:~/test$ git status
# On branch master
#
# Initial commit
#
nothing to commit (create/copy files and use "git add" to track)
Getting GitLab CI to clone private repositories
I'm posting this as an answer since others weren't completely clear and/or detailed IMHO
Starting from GitLab 8.12+, assuming the submodule repo is in the same server as the one requesting it, you can now:
- Set up the repo with git submodules as usual (git submodule add git@somewhere:folder/mysubmodule.git)
- Modify your .gitmodules file as follows
    [submodule "mysubmodule"]
        path = mysubmodule
        url = ../../group/mysubmodule.git
  where ../../group/mysubmodule.git is a relative path from your repository to the submodule's one.
- Add the following lines to gitlab-ci.yml
    variables:
      GIT_SUBMODULE_STRATEGY: recursive
  to instruct the runner to fetch all submodules before the build.
Caveat: if your runner seems to ignore the GIT_SUBMODULE_STRATEGY directive, you should probably consider updating it.
(source: https://docs.gitlab.com/ce/ci/git_submodules.html)
SSH error when trying to deploy to Digital Ocean via Gitlab CI/CD
The prerequisites of the DigitalOcean tutorial you are following include a sudo non-root user, and a user account on a GitLab instance with an enabled container registry.
The gitlab-runner service installed through script.deb.sh should need a non-root user’s password to proceed.
And it involves creating a user that is dedicated for the deployment task, with a CI/CD pipeline configured later to log in to the server with that user.
That means the gitlab-ci is not supposed to be executed by root, which is not involved at any stage.
Is there a `ssh-add` Linux alpine one liner
You have to quote the variable in your first command:
    echo "$SSH_PRIVATE_KEY" | ssh-add -
         ^----------------^
Or specify - as the filename in your second command:
    printf '%s\n' "$SSH_PRIVATE_KEY" | ssh-add -
                                          -----^
How to pull submodules with --remote within Gitlab CI?
I mentioned before updating the ~/.ssh/.known_hosts file, as in here.
This is not needed when fetching the submodules before the script (which is not what you are doing with GIT_SUBMODULE_STRATEGY set to NONE)
With dind (Docker In Docker), consider also this thread, regarding ssh-add for private keys, and .dockerini / .dockerenv SSH directives.
The OP d33tah confirms in the comments:
I actually didn't add any key, assuming that since Gitlab CI's defaults can pull the key, I should be able to as well.
Then I found that docs say that I needed a deploy key and I added one
Yes: adding the public key on Gitlab side is mandatory.