2023-03-23 GitHub RSA key change
waiyan1612 opened this issue · 12 comments
Describe the bug
GitHub has changed their key. See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key. Since the standard images package the known_hosts into the image, we will need to rebuild the images.
To Reproduce
Steps to reproduce the behavior:
git init
git remote add origin "$git_url"
git fetch origin
Expected behavior
Can clone the repo.
Workaround
Before executing git commands, modify the known_hosts file. This is also mentioned in the GitHub blog post above.
ssh-keygen -R github.com
curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
Logs
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for github.com has changed,
and the key for the corresponding IP address 20.205.243.166
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R "github.com"
RSA host key for github.com has changed and you have requested strict checking.
Host key verification failed.
Platform (please complete the following information):
- NA
Additional context
- NA
+1 - can we get a rebuild on the docker image(s) so the known_host file is updated.
Has anyone heard anything from AWS on this? I just opened a support case and will add anything if they respond but wondering if anyone else has heard anything.
Hello, thanks for reporting this. We are aware of this issue and are working on a solution
Are there any updates to this issue @Dylan-AWS? We've been experiencing this issue all day and have been building our own standard:4.0 image, in order to push to ECR so we're able to resolve this matter on our own. Would prefer to not have to manage our own build's environment image this way, is there a timeline where the AWS managed images will work again?
We have released a patch for all impacted images for the x86 architecture. (https://github.com/aws/aws-codebuild-docker-images/tree/master/ubuntu/standard) and (https://github.com/aws/aws-codebuild-docker-images/tree/master/al2/x86_64/standard). Using the latest versions of the images will use the patch.
We have released a patch for aarch64 (https://github.com/aws/aws-codebuild-docker-images/tree/master/al2/aarch64/standard) in the following regions: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, ap-northeast-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3. Using the latest versions of the images will use the patch in these regions. We will be following up for remaining arm supported regions.
Still, we are getting the same issue "Host key verification failed".
We added the following commands to our buildspec.yml as a (temporary) workaround:
- yum install -y jq
- ssh-keygen -R github.com
- curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
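Added example, not part of the original thread or of the CodeBuild images: the workaround above appends whatever the API returns, so this sketch rewrites known_hosts only when every fetched key matches a fingerprint pinned out of band (for instance from GitHub's published fingerprint list). The function names and the sample keys are assumptions constructed for illustration; host fields with ports or wildcards are not handled.

```python
import base64
import hashlib
import hmac

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of a 'keytype base64 [comment]' line."""
    blob = base64.b64decode(key_line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def names_host(hosts_field, host):
    """True if a known_hosts host field (plain list or |1| hashed) names host."""
    if hosts_field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        _, _, salt, digest = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in hosts_field.split(",")

def refresh_known_hosts(text, host, fetched_keys, pinned):
    """Return known_hosts text with host's lines replaced by fetched_keys.

    Raises ValueError, changing nothing, if no keys were fetched or if any
    fetched key's fingerprint is missing from `pinned`.
    """
    if not fetched_keys:
        raise ValueError("no keys fetched; keeping existing entries")
    bad = [fingerprint(k) for k in fetched_keys if fingerprint(k) not in pinned]
    if bad:
        raise ValueError(f"refusing to trust unpinned keys: {bad}")
    kept = []
    for line in text.splitlines():
        fields = line.split()
        # Comments, blank lines and @marker lines are kept untouched;
        # any other line naming the host is dropped whole.
        if fields and not line.startswith(("#", "@")) and names_host(fields[0], host):
            continue
        kept.append(line)
    return "\n".join(kept + [f"{host} {k}" for k in fetched_keys]) + "\n"

def constructed_key(label):
    """Constructed sample key line (not a real host key)."""
    return "ssh-rsa " + base64.b64encode(label.encode()).decode()

if __name__ == "__main__":
    old, new = constructed_key("old-key"), constructed_key("new-key")
    before = f"github.com {old}\nexample.org {old}\n"
    print(refresh_known_hosts(before, "github.com", [new], {fingerprint(new)}))
```

In a build, `fetched_keys` would be the `ssh_keys` strings from the API response and `pinned` a set of fingerprints committed alongside the buildspec.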
We have also had to add the workaround. Any updates when this will be fixed?
We have released a patch for all impacted images for the x86 architecture. (https://github.com/aws/aws-codebuild-docker-images/tree/master/ubuntu/standard) and (https://github.com/aws/aws-codebuild-docker-images/tree/master/al2/x86_64/standard). Using the latest versions of the images will use the patch.
We have released a patch for aarch64 (https://github.com/aws/aws-codebuild-docker-images/tree/master/al2/aarch64/standard) in the following regions: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, ap-northeast-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3. Using the latest versions of the images will use the patch in these regions. We will be following up for remaining arm supported regions.
If you are using a pipeline and have ~/.ssh/known_hosts as I do, just update the ssh-rsa key with the one in the link under the ssh_keys property.
Resolving, since the issue was addressed from CodeBuild's end. Do let us know if you encounter errors by commenting on this issue.