Why can I pull ssh key without password, in terminal, but not through script?

It’s a server running Ubuntu 20.04. With the root user, in the terminal, if I run git pull, it works ok, but if nginx runs a script for automatic deployment, it doesn’t do git pull, the message below appears:

Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

See the ssh configuration file, in ~/.ssh/config:

Host github.com
Hostname github.com
IdentityFile /var/www/deploy/.ssh/id_ed25519
IdentitiesOnly yes

Key Permissions:

-rwxrwxrwx 1 _nginx _nodejs 411 Nov 24 14:52 id_ed25519

The goal is: a webhook calls for a url that calls a shell script that auto-deploys it on the server.

The error message is about the host key, not your identity key. The host key is what GitHub’s SSH server uses for authentication, to ensure you’re talking to the right server (and not, say, deploying code provided by some MITM attacker).

The correct host key must be listed in the user’s ~/.ssh/known_hosts file. You could either copy the relevant line from yours, or connect interactively as the nginx user and confirm after checking the fingerprint against this list: GitHub's SSH key fingerprints - GitHub Docs

As a side note, please avoid running things as root that don’t actually need root access. It’s an unnecessary risk. 🙂

1 Like

Thank you very much for the answer. Unfortunately, it didn’t work out. I included the following line:

github.com ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU

in /var/www/.ssh/know_hosts, restarted ssh, and the message still continues to appear.

I left it in /var/www/.ssh because, looking in /etc/passwd, there it is:

_nginx:x:998:1002::/var/www:/bin/false

Oops, I solved the case haha. The correct user is _nodejs and not _nginx. So your answer helped me, thank you very much!

1 Like

You can’t copy the fingerprint for the last part; check your own .ssh/known_hosts file to see the correct format. This should work:

github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl

You can get the fingerprint from that with ssh-keygen -l to verify.
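
An added example, not code from any poster in this thread: a Python check that a candidate known_hosts line carries a real base64 public key and that the key hashes to the fingerprint quoted above, which is the same value ssh-keygen -l prints. The function names are made up for illustration, and only plain `host key-type key` lines are handled (no hashed hostnames or `@cert-authority` markers).

```python
import base64
import hashlib
import struct

# Values quoted in the thread above.
PAGE_FINGERPRINT = "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"
KEY_LINE = ("github.com ssh-ed25519 "
            "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl")
FINGERPRINT_LINE = "github.com ssh-ed25519 " + PAGE_FINGERPRINT  # the form that failed


def parse_known_hosts_line(line):
    """Return (hosts, key_type, blob); raise ValueError if the line is not a usable entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts key-type base64-key")
    hosts, key_type, b64 = fields[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("third field is not a base64 public key") from exc
    # The blob starts with a 4-byte big-endian length and the key type string.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    return hosts, key_type, blob


def sha256_fingerprint(blob):
    """Unpadded base64 of SHA-256 over the key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entry_matches(line, expected_fingerprint):
    """True only for a well-formed entry whose key hashes to the expected value."""
    try:
        _, _, blob = parse_known_hosts_line(line)
    except ValueError:
        return False
    return sha256_fingerprint(blob) == expected_fingerprint


if __name__ == "__main__":
    for name, line in (("key line", KEY_LINE), ("fingerprint line", FINGERPRINT_LINE)):
        print(name, "->", "usable" if entry_matches(line, PAGE_FINGERPRINT) else "rejected")
```

Running the check against the deploy user's own known_hosts file before the webhook script is enabled catches both a fingerprint pasted in place of a key and a key that does not match the published fingerprint.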