Pushing to github from windows: “host key verification failed”

https://travis-ci.org/github/openziti/desktop-edge-win/builds/713829254

I have been struggling to push from travis back into github for too long. I have the build linked above. It does ‘stuff’ and then at the very end of the build it will mutate a file (version info) and try to commit/push that file back to github.

I’ve tried everything but I can’t get it to work yet. the build basically will:

  • grab a private key from an environment variable
  • tell git to use that key as part of the sshCommand
  • update the url to be git@ vs https://
  • git add, git commit -m “[skip ci]” (a nice travis feature), and finally a git push

the push fails no matter what i do - i added an ssh -Tv git@github.com to see what that might tell me and it seeeeems like travis doesn’t have a proper entry in known_hosts? Here’s that snippet:

issuing ssh -vT -i github_deploy_key git@github.com
OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.113.4] port 22.
debug1: Connection established.
debug1: identity file github_deploy_key type 0
debug1: identity file github_deploy_key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version babeld-5a455904
debug1: no match: babeld-5a455904
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

you can see on those last three lines “Host key verification failed”. Surely this is doable - I must have missed something but I’ve tried everything to get it to work. I’ve issued

git config remote.url git@github.com:openziti/desktop-edge-win.git

to make sure it’s using git@ not https

I’m out of things to try and any help from the community would be greatly appreciated.

Thanks

.travis.yml here: https://github.com/openziti/desktop-edge-win/blob/issue-82-fix-mtu/.travis.yml

you can see i tried to add it with ‘addons’

addons:
  ssh_known_hosts:
    - git.savannah.nongnu.org
    - github.com

relevant section of ‘publish.bat’ https://github.com/openziti/desktop-edge-win/blob/issue-82-fix-mtu/service/publish.bat#L54-L90

You need to accept the GitHub host key. Use ssh-keyscan :

ssh-keyscan -t rsa github.com 2>&1 >> /root/.ssh/known_hosts

Thanks for the reply, I tried that too… You can see that I do that in the publish.bat already. Should it be elsewhere like in the .travis.yml?

Hmm. I see you’ve specified a slightly different set of options and a slightly different path. I’ll try that…

this worked @Montana, was having same problem!

No problem! I’m glad this worked out for you @SolarUltima!


This still doesn’t work for me and it’s still unclear as to why. you can see in the raw log here that the following was run by travis on my behalf because of these lines in my .travis.yml

$ ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H git.savannah.nongnu.org 2>&1 | tee -a ${TRAVIS_HOME}/.ssh/known_hosts
...
$ ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H github.com 2>&1 | tee -a ${TRAVIS_HOME}/.ssh/known_hosts

It then again is called by me in my script: https://github.com/openziti/desktop-edge-win/blob/576186f1dba39fe5403c9cbcd0e88bb6bbd6fbb2/service/publish.bat#L73

The ssh -T output still shows the key is not valid:

Host key verification failed.

I don’t know what else to try… I’m going to ‘type’ the file to make sure the key is there… thanks for continuing to look at this.

I’ll try and reproduce @dovholuknf, and get to the bottom of this. Thank you for your patience.

@Montana - any luck? I still can’t get a git push to work :frowning:

@Montana - sorry to be a pest here. Just following up again as I’m still having this issue… :frowning:

Thanks

This suggests that it tries to read the password for SSH connection, interactively. Of course, this is impossible in a non-interactive build.

What are you trying to do here? Could you reference some documentation on that process? Because I’m not sure if whatever you are trying is supposed to be possible.


AFAICS, you are using some 3rd-party program instead of Travis’ built-in facilities to upload some artifact… somewhere. In this case, that program’s maintainers are going to be better positioned to tell you how to use it.


The last idea I have is that 3rd-party program seems to be trying to unshallow your local repo clone. You can make that step unnecessary as per https://docs.travis-ci.com/user/customizing-the-build#git-clone-depth:

git:
  depth: false

hopefully, that will stop that program from trying to do whatever it is failing at and allow it to proceed further.

The original post states the issue:

at the very end of the build it will mutate a file (version info) and try to commit/push that file back to github.

So I am trying to mutate a file, and push it back into my repository from travis. Travis has a mechanism to add keys to known hosts - which I’ve used. I’ve also tried to work around travis. Effectively everything I do appears to be failing from a windows-based travis build because the ssh command is not finding github in the knownhosts file.

@Montana gave me a command to try - in order for this to clear travis but I’d already done that as well as tried to use the built-in way of doing the same via travis.

The 3rd party program is just ‘git push’ using an ssh key.

The depth: false tip is appreciated. I might try that just to see what happens if I avoid Travis’ shallow clone.

Thanks for the reply!

It’s not enough to add a name to known hosts. You also need to provide an SSH key pair for Git to use that the host you’re connecting to trusts.


Since the clone is made via HTTPS, it may be more straightforward to push via HTTPS, too, using a “personal access token” as password.

I appreciate you trying to help but I’m aware of this requirement. The original post above explains that I’m already doing this…

I’ve tried everything but I can’t get it to work yet. the build basically will:

  • grab a private key from an environment variable

This process works fine from my local machine. It is only failing when running from Travis.

Then I can only suggest increasing log verbosity and comparing the messages with OpenSSH’s source code (appropriate tag) to find out what’s happening.

I suspect you have something cached locally. E.g. your private key may be password-protected.

After a very lengthy break from this topic I finally backed up far enough to figure out what went wrong and why. As with most bugs - it’s notoriously simple. I do think this is a bug with Travis though.

Here’s what fixes this issue when trying to push from windows using an ssh key… Create the .ssh folder in %USERPROFILE% and then add github to known_hosts. Here’s how I did it:

@echo mkdir %USERPROFILE%\.ssh and add github.com to known_hosts... 2>&1
mkdir "%USERPROFILE%\.ssh" 2>&1

@echo adding github key: ssh-keyscan -t rsa github.com 2>&1
ssh-keyscan -t rsa github.com >> "%USERPROFILE%\.ssh\known_hosts" 2>&1

@echo looking for key using: ssh-keygen -F github.com - expect to find it now! 2>&1
ssh-keygen -F github.com 2>&1

@Montana - I see you are a Travis employee - should I file this as a bug (or do you?) I’d file a bug saying the ‘addon’ does not work:

addons:
  ssh_known_hosts:
    - git.savannah.nongnu.org
    - github.com

this was in my .travis.yml but clearly was not working when running on windows. I am basically “doing this manually” now.

Here’s a link to a now-functioning build if it helps https://travis-ci.org/github/openziti/desktop-edge-win/builds/735498520

Hopefully Travis can fix/update the addons feature or just pre-create %USERPROFILE%\.ssh …
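
An added example, not from any poster in this thread: the same fix written for the Git Bash shell that Travis Windows builds run in, extended so that the key returned by ssh-keyscan is only trusted if it equals a known_hosts entry pinned in the build configuration (ssh-keyscan by itself accepts whatever key the network returns). The function names and the placeholder host and key are assumptions made for illustration; the key shown is constructed and is not GitHub's.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the sample key is constructed.

# ensure_ssh_dir HOME_DIR
# Create HOME_DIR/.ssh if it is missing (the step the Windows image lacked),
# with owner-only permissions as OpenSSH expects.
ensure_ssh_dir() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
}

# key_matches_pin SCAN_FILE PINNED_LINE
# Succeeds only if the ssh-keyscan output contains the pinned
# "host keytype base64-key" line exactly (whole-line, fixed-string match).
key_matches_pin() {
    grep -qxF -e "$2" "$1"
}

# add_known_host HOME_DIR SCAN_FILE PINNED_LINE
# Returns 0 when the pinned entry is present in known_hosts afterwards,
# 1 when the scanned key does not match the pin, 2 when .ssh cannot be created.
add_known_host() {
    home=$1
    scan=$2
    pin=$3
    ensure_ssh_dir "$home" || return 2
    if ! key_matches_pin "$scan" "$pin"; then
        echo "scanned host key does not match the pinned key; not adding it" >&2
        return 1
    fi
    kh="$home/.ssh/known_hosts"
    # Idempotent: append only if the exact entry is not already there.
    grep -qxF -e "$pin" "$kh" 2>/dev/null || printf '%s\n' "$pin" >> "$kh"
}

# Usage in a build step (placeholder pin; take the real entry from a source
# you have verified out of band, not from the scan itself):
#   PINNED='github.com ssh-rsa <PINNED-BASE64-KEY-PLACEHOLDER>'
#   ssh-keyscan -t rsa github.com > scan.txt 2>/dev/null
#   add_known_host "$HOME" scan.txt "$PINNED" || exit 1
#   ssh-keygen -F github.com
```

A mismatch makes the build fail before any push is attempted, instead of silently trusting a new key.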

@Montana The reason is that in Windows, there’s no ~/.ssh directory and the ssh_known_hosts addon doesn’t create it: https://travis-ci.com/github/native-api/test_travis/builds/190246144

Here’s a fix:
