lambci/git-lambda-layer

Git tries to create ~/.ssh/ directory

kbreit opened this issue · 13 comments

I tailored the complex example to Python and am receiving an error which seems to make this not work. It's possible the problem is on my side but it seems like something is missing from the example since it's still trying to write to .ssh.

Cloning into '/tmp/git'...
Could not create directory '/home/sbx_user1075/.ssh'.
Warning: Permanently added the RSA host key for IP address '52.95.19.19' to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

mhart commented

The Could not create directory ... warning you can ignore – the same thing happens in Node.js – it's a core ssh feature that can't be switched off AFAIK.

The real error is the permission denied error – you haven't set the key up correctly or something similar

mhart commented

Are you sure your known_hosts is setup correctly? I'm not sure that's a github.com IP address you're trying to connect to.

I’m using AWS CodeCommit so the addresses would indeed vary. Although I suspect that file is my issue. Need to figure out why.

mhart commented

Ah, in that case you'll need to tailor the known_hosts to match the IP address and signature of the server you're connecting to.

You can also test with ssh -o StrictHostKeyChecking=no ... instead of ssh -o UserKnownHostsFile=... – obviously that's not quite as safe, but if that works, then you know it's just a setup issue with your known_hosts

mhart commented

(if you've connected to the server in question from your own machine, you should already have the signature in your own known_hosts file so you can just copy that line)

That’s what I did. I did a checkout and copied the line from my local key file. But if they have multiple IP addresses, it may be missing some.

mhart commented

Might be better to verify that you can do this to another host, eg github.com – I don't think this is an issue with this layer.

Regarding host key checking, I am going to try that later. I am not very concerned about my personal website having MITM vulnerabilities for AWS->AWS communication. It’s a problem, sure, but not one I am sweating at this time.

I’ll close the case as it doesn’t sound like it’s a problem with the layer or example. If it proves otherwise, I’ll re-open.

mhart commented

Great – I updated the README to make it clear that warning is expected and unlikely to be the source of any specific error.

BTW, StrictHostKeyChecking=no didn't solve the problem.

mhart commented

Then I'd say it's your key (and/or the user you're using) that's the problem

@kbreit I was having a similar issue and ended up creating the ssh file.

Here is the JavaScript code I used to solve it:

const fs = require('fs');
const path = require('path');

/**
 * Create a suitable ssh private key file from a corresponding environment variable.
 * The key body is stored as one long base64 line in the variable and is reflowed
 * into 64-character lines between the PEM armor lines.
 */
function prepareSshKey (dir, base, sshKey, callback) {
  process.env.GIT_SSH_COMMAND = 'ssh -o UserKnownHostsFile=/tmp/known_hosts -o StrictHostKeyChecking=no -F /tmp -i /tmp/codecommit_rsa';
  var basePath = path.format({dir, base});
  fs.writeFile(basePath,
    '-----BEGIN RSA PRIVATE KEY-----\n' +
      sshKey.match(/.{1,64}/g).join('\n') +
      '\n-----END RSA PRIVATE KEY-----\n',
    {mode: 0o600}, function (error) { // 0600: only the Lambda user may read the key
      callback(error, {status: 'sshKey file finished'});
    });
}

prepareSshKey(
  process.env.BASE_REPO_PATH, // defined as '/tmp'
  'codecommit_rsa',
  process.env.SSH_KEY, // retrieve from IAM after uploading CodeCommit ssh key
  cb // the Lambda handler callback
);