yesolutions/mirror-action

Format of known_hosts

Opened this issue · 3 comments

If I run
- run: |
    for ip in $(dig @8.8.8.8 gitlab.evilcorp.de +short); do
      ssh-keyscan gitlab.evilcorp.de,$ip
      ssh-keyscan $ip
    done

And paste the output:
#gitlab.evilcorp.de:22 SSH-2.0-OpenSSH_8.2p1
gitlab.evilcorp.de,IP ssh-ed25519 AAA...
gitlab.evilcorp.de,IP ssh-rsa AAA...
IP ssh-ed25519 AAA...
IP ssh-rsa AAA...

... to GIT_SSH_KNOWN_HOSTS, mirror-action fails with:

Host key verification failed.
fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

BUT if I run mirror-action with GIT_SSH_NO_VERIFY_HOST: "true" it runs without errors.

I also pulled my repo to my machine, accepted the fingerprint and copied the .ssh/known_hosts to my secrets. The corresponding file was formatted differently (|1| 3Wm...=|z+s...= ecdsa-sha2-nistp256 PubKey) but also wouldn't work.

Any suggestions on how to fix this?

P.S. My Script:
steps:
  - uses: actions/checkout@v1
  - uses: spyoungtech/mirror-action@master
    with:
      REMOTE: 'ssh://git@gitlab.evilcorp.de/group/repo.git'
      GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
      GIT_SSH_KNOWN_HOSTS: ${{ secrets.GIT_SSH_KNOWN_HOSTS }}
      DEBUG: "true"

Sorry to have missed this for so long, I thought I definitely responded to this before.

The GIT_SSH_KNOWN_HOSTS is simply the contents of a known_hosts file. The action simply dumps the variable contents directly into a file and the ssh configuration is told to use that file.

So, you just need to follow the standard convention. You can probably just copy/paste the host from your own known_hosts file for whichever host you're using.

The format is like

<host> <key format> <key>

For example for GitHub.com you can use this:

github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

Hello, I'm encountering the same issue @catchMyException described, using a copy of my own known_hosts file or the result of the ssh-keyscan -p <port> <hostname> command. The format matches what you said, but I still only seem to be able to push by using the GIT_SSH_NO_VERIFY_HOST parameter.

Copying what is in GIT_SSH_KNOWN_HOSTS to a known_hosts file via echo "<content>" > known_hosts and manually executing what your GH action does works fine (and passing it an empty known_hosts fails, as expected).

ssh <user>@<host> -p <port> -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=known_hosts

I'll take a look at your code to see whether a quick fix is possible for me to PR.

My GH workflow:

name: Mirror the repository
on:
  push:
    branches: [ main ]
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: 'Mirror'
        uses: spyoungtech/mirror-action@master
        with:
          REMOTE: ${{ secrets.REMOTE }}
          GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
          GIT_SSH_KNOWN_HOSTS: ${{ secrets.GIT_SSH_KNOWN_HOSTS }}
#          GIT_SSH_NO_VERIFY_HOST: "true"
          DEBUG: "true"

I found what the problem was and made a PR.

Using a non-explicit path for the git config --global core.sshCommand parameter resulted in the known_hosts file not being found (I guess). I replaced the ~ with the actual path /github/home. You might want to put the resolution of ~ in a variable and concatenate it instead of hard-coding it as I did: GitHub could change the home path and therefore break the script.

Check the PR #19

I would be very glad if you could accept it soon, as I will have to use GIT_SSH_NO_VERIFY_HOST in the meantime.
Thank you for your efforts, this GH action is very handy!
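Added example, not code from mirror-action or from anyone in this thread, covering two points raised above: the known_hosts format the maintainer describes (plain `host,IP` lines as printed by ssh-keyscan, the `[host]:port` form for a non-default port, and the hashed `|1|salt|hash` form from the first post), and the absolute-path fix from the last comment. The hostnames, IP and key blobs are constructed placeholders, `StrictHostKeyChecking=yes` and the `id_rsa` location are my choices rather than anything the action sets, and all function names are mine. The last function refuses to produce a core.sshCommand value if the remote host has no entry in the pasted known_hosts content, which is the situation behind "Host key verification failed".

```python
import base64
import hashlib
import hmac
import os
import re
import struct
import tempfile
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class KnownHost:
    marker: Optional[str]  # "@cert-authority" / "@revoked" or None
    patterns: list         # host patterns from the first field, split on ','
    key_type: str          # e.g. "ssh-ed25519"
    key_b64: str           # base64 public-key blob

def fake_key_blob(key_type: str) -> str:
    """Constructed placeholder (not real key material): a wire-format blob whose first string is key_type."""
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + b"\x01" * 32
    return base64.b64encode(blob).decode()

def parse_known_hosts(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # e.g. ssh-keyscan's '# host:22 SSH-2.0-...' line
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        patterns, key_type, key_b64 = fields[:3]
        blob = base64.b64decode(key_b64, validate=True)  # rejects truncated or garbled keys
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
            raise ValueError(f"key blob does not match declared type {key_type}: {raw!r}")
        entries.append(KnownHost(marker, patterns.split(","), key_type, key_b64))
    return entries

def hash_hostname(host: str, salt: bytes) -> str:
    """The |1|salt|mac form ssh writes with HashKnownHosts (HMAC-SHA1 keyed by the salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    # OpenSSH host globbing: only '*' and '?' are special; '[' is literal (the [host]:port form)
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def find_host_keys(entries: list, host: str, port: int = 22) -> list:
    """Entries that apply to host:port; non-default ports are looked up as [host]:port."""
    name = host if port == 22 else f"[{host}]:{port}"
    hits = []
    for e in entries:
        if any(p.startswith("!") and pattern_matches(p[1:], name) for p in e.patterns):
            continue  # a negated pattern excludes the whole line
        if any(not p.startswith("!") and pattern_matches(p, name) for p in e.patterns):
            hits.append(e)
    return hits

def remote_host_port(remote: str):
    if "://" in remote:  # ssh://user@host[:port]/path
        u = urlsplit(remote)
        return u.hostname, u.port or 22
    return remote.split("@", 1)[-1].split(":", 1)[0], 22  # scp-like user@host:path

def build_ssh_command(known_hosts_text: str, remote: str, home: Optional[str] = None) -> dict:
    """Write known_hosts under an explicit home dir (a scratch dir if none given) and return a
    core.sshCommand value built from absolute paths only, after checking the remote has an entry."""
    ssh_dir = os.path.join(home or tempfile.mkdtemp(), ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    kh_path = os.path.join(ssh_dir, "known_hosts")
    with open(kh_path, "w") as f:
        f.write(known_hosts_text.rstrip("\n") + "\n")
    os.chmod(kh_path, 0o600)
    host, port = remote_host_port(remote)
    if not find_host_keys(parse_known_hosts(known_hosts_text), host, port):
        raise ValueError(f"no known_hosts entry for {host}:{port}; host key verification would fail")
    key_path = os.path.join(ssh_dir, "id_rsa")  # assumed private-key location
    cmd = (f"ssh -i {key_path} -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes "
           f"-o UserKnownHostsFile={kh_path}")
    return {"cmd": cmd, "known_hosts": kh_path}

# Constructed sample in the shapes seen in this thread (example names and placeholder keys only).
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# gitlab.example.com:22 SSH-2.0-OpenSSH_8.2p1",
    f"gitlab.example.com,203.0.113.10 ssh-ed25519 {fake_key_blob('ssh-ed25519')}",
    f"gitlab.example.com,203.0.113.10 ssh-rsa {fake_key_blob('ssh-rsa')}",
    f"[gitlab.example.com]:2222 ssh-ed25519 {fake_key_blob('ssh-ed25519')}",
    f"{hash_hostname('github.example.com', SAMPLE_SALT)} ecdsa-sha2-nistp256 {fake_key_blob('ecdsa-sha2-nistp256')}",
])
```

`build_ssh_command(secret_text, remote, "/github/home")["cmd"]` gives a string you can hand to `git config --global core.sshCommand` with no `~` in it; the `[host]:port` lookup matters because ssh-keyscan -p <port> output and ssh itself both use that form for anything other than port 22, so a plain `host` line will not match a remote on port 2222.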