Deploy to remote server using SSH fails on "Host key verification failed"

I’ve generated new SSH keys (private & public), stored the private SSH key as a secret and added the public one to .ssh/authorized_keys on my server.

In my GitHub action I’m writing the private key to a file.

- name: Create SSH key
  run: echo "$GITHUB_PRIVATE_KEY" > ../github_do.key
  shell: bash
  env:
    GITHUB_PRIVATE_KEY: ${{secrets.GITHUB_PRIVATE_KEY}}

Then using this file

ssh -i path-to-file  ***@***"mkdir -p /home/ ***/*** /releases/2020-02-29-v***.244.0"

It fails on  Host key verification failed.

That message means that the connection failed because your server could not be authenticated. You should write the host key (from /etc/ssh/ssh_host_KEYTYPE_key.pub) to the ~/.ssh/known_hosts file on the runner together with the host name, e.g.:

server.example.net ssh-ed25519 AAAAC...

Thank you!

I’ve used this in order to add my server to the known_hosts file

ssh-keyscan -H ${{secrets.DEPLOY_SERVER}} > ~/.ssh/known_hosts

And it solved the previous error, but, now I get this:

@ ***-err*** @***: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Any pointers? 

That error probably means that your server doesn’t accept the configured private key for the target user. Check that the matching public key is included in the authorized_keys file of that user.

Also, if you use the result of ssh-keyscan without verification you’re effectively disabling host key checking. Consider if that really is an acceptable risk according to your security model.

Ok, I will try with your approach.

Ok, so I’ve changed my approach,

I’ve entered my server, ran ssh-keyscan server.ip, and copied the first part to a secret, DO_GITHUB_PUBLIC_KEY.
I’ve added this part to prepare known_hosts.

echo "$DO_GITHUB_PUBLIC_KEY" > ~/.ssh/known_hosts

And I still get the same thing :\

@ ***-err*** @***: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I solved it!!!
Apparently the keys were protected with a passphrase :exploding_head:.

Once I generated new ones without it, it worked.

So that is the whole process:

  1. Generate new keys

    ssh-keygen -t rsa -b 4096 -C "user@host" -q -N ""

  2. Update your host’s authorized_keys

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

  3. Enter the server & run 

    ssh-keyscan host

  4. Copy the output to a GitHub secret (let’s call it SSH_KNOWN_HOSTS)

  5. Copy the private key to a GitHub secret (let’s call it SSH_PRIVATE_KEY)

In your workflow.yml file

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Create SSH key
        run: |
          mkdir -p ~/.ssh/
          echo "$SSH_PRIVATE_KEY" > ../private.key
          sudo chmod 600 ../private.key
          echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{secrets.SSH_PRIVATE_KEY}}
          SSH_KNOWN_HOSTS: ${{secrets.SSH_KNOWN_HOSTS}}

Then you can use ssh with 

ssh -i path-to/private.key user@host
5 Likes
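
The reply above warns that trusting raw ssh-keyscan output effectively disables host key checking. The following added example (not code from the thread) keeps a scanned key only if its SHA256 fingerprint matches a pin recorded out of band; the function names, the host deploy.example.net and the placeholder key blobs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): keep only scanned host keys whose
# SHA256 fingerprint matches a pin obtained out of band.
# Assumes unhashed entries (ssh-keyscan without -H) and coreutils.

# Constructed sample input: the key blobs are placeholders, not real keys.
SAMPLE_SCAN='# constructed ssh-keyscan-style output
deploy.example.net ssh-ed25519 YWJj
deploy.example.net ssh-rsa eHl6'
# Fingerprint of the first placeholder blob (base64 of "abc").
SAMPLE_PIN='SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0'

# fingerprint_of BLOB: print "SHA256:<unpadded base64 of sha256(key blob)>",
# the form OpenSSH displays for a host key.
fingerprint_of() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1)
    # Turn the hex digest into octal escapes so printf can emit raw bytes.
    fmt=$(printf '\\%03o' $(printf '%s' "$hex" | sed 's/../0x& /g'))
    printf 'SHA256:%s\n' "$(printf "$fmt" | base64 | tr -d '=')"
}

# pin_host_key HOST PIN: read known_hosts-style lines on stdin, print the
# entries for HOST whose fingerprint equals PIN, return non-zero if none do.
pin_host_key() {
    host=$1 pin=$2 rc=1
    # The "|| [ -n ... ]" part also handles a last line without a newline.
    while read -r names type blob rest || [ -n "$names" ]; do
        # The first field is a comma-separated host list; match HOST exactly.
        case ",$names," in *",$host,"*) ;; *) continue ;; esac
        if [ "$(fingerprint_of "$blob")" = "$pin" ]; then
            printf '%s %s %s\n' "$host" "$type" "$blob"
            rc=0
        fi
    done
    return "$rc"
}
```

In a workflow step, `ssh-keyscan host | pin_host_key host "$PIN" > ~/.ssh/known_hosts` takes the place of the unverified redirect and fails the step when no scanned key matches. The pin is the SHA256 value that `ssh-keygen -lf /etc/ssh/ssh_host_KEYTYPE_key.pub` prints when run on the server itself.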

Could you please provide an example with rsync? thanks in advance

What are you trying to do with rsync? There shouldn’t be any difference, if SSH works you can use rsync over SSH without any additional steps.

1 Like

rsync works with ssh, like @airtower-luna said, all you need is a working ssh…