Cannot clone from gitlab: "Host key verification failed"

Stijn

30 Mar, 2020 11:23 AM

Somewhere in our build we clone (private) gitlab repositories. To enable that an ssh key is installed on the build machine, and that key is installed for the gitlab account as deploy key. But the clone doesn't even get to using that key:

debug1: Connection established.
debug1: identity file C:\Users\appveyor\.ssh\id_rsa type -1
debug1: identity file C:\Users\appveyor\.ssh\id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to gitlab.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email blocked]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email blocked] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email blocked] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
fatal: Could not read from remote repository.

So it looks like gitlab.com is not in .ssh/known_hosts. And indeed, when using remote desktop to log in to the build worker, it is not there. If I run the clone manually it asks for that:

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'gitlab.com,172.65.251.78' (ECDSA) to the list of known hosts

and then it adds an entry for gitlab.com into known_hosts and the rest succeeds.

So, a couple of questions:

  • our Appveyor configuration does not specify it should cache known_hosts, yet it's a file with over a thousand entries, mostly github.com and bitbucket.org (which we also clone from). How does that happen?

  • I assume those entries were added there during previous builds. Why can those entries be added, but not the one from gitlab?

  • is there a fix apart from using (& ssh-keyscan gitlab.com) | Add-Content -Encoding 'ASCII' ~/.ssh/known_hosts before cloning?
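The ssh-keyscan workaround above accepts whatever key the network returns, so a machine in the middle at build time would be trusted permanently. The following PowerShell (an added example, not from this thread or AppVeyor's scripts) pins the fingerprint the debug output shows before appending the key; it assumes the Windows OpenSSH client is on PATH and that the expected fingerprint has been checked against GitLab's published values.

```powershell
# Added example (not from the original thread): pin GitLab's host key instead of
# trusting whatever ssh-keyscan happens to return. $Expected is the fingerprint
# from the debug1 output above; confirm it against GitLab's published fingerprints.
$ErrorActionPreference = 'Stop'
$HostName   = 'gitlab.com'
$Expected   = 'SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw'
$KnownHosts = Join-Path $HOME '.ssh\known_hosts'

# Fetch only the ECDSA key, the type the server offered in the log; drop comment lines.
$Scanned = ssh-keyscan -t ecdsa $HostName 2>$null | Where-Object { $_ -and -not $_.StartsWith('#') }
if (-not $Scanned) { throw "ssh-keyscan returned no key for $HostName" }

# ssh-keygen -lf prints "<bits> <fingerprint> <host> (<type>)" for each key in the file.
$Tmp = New-TemporaryFile
Set-Content -Path $Tmp.FullName -Value $Scanned -Encoding ASCII
$Actual = (ssh-keygen -lf $Tmp.FullName) -split '\s+' |
    Where-Object { $_ -like 'SHA256:*' } | Select-Object -First 1
Remove-Item $Tmp.FullName

if ($Actual -ne $Expected) {
    # Refuse to write anything: a wrong key here would silently become trusted forever.
    throw "Host key fingerprint mismatch for ${HostName}: got '$Actual', expected '$Expected'."
}

# Fingerprint matches; append only if known_hosts has no entry for the host yet.
New-Item -ItemType Directory -Force -Path (Split-Path $KnownHosts) | Out-Null
$Pattern = "^$([regex]::Escape($HostName))[ ,]"
if (-not (Test-Path $KnownHosts) -or
    -not (Select-String -Path $KnownHosts -Pattern $Pattern -Quiet)) {
    Add-Content -Path $KnownHosts -Value $Scanned -Encoding ASCII
    Write-Host "Pinned $HostName ($Actual) in $KnownHosts"
} else {
    Write-Host "$HostName is already present in $KnownHosts"
}
```

A mismatch fails the build step instead of writing the key, which is the behaviour you want when the expected fingerprint is stored alongside the build configuration.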

  1. Support Staff 1 Posted by Feodor Fitsner on 30 Mar, 2020 04:48 PM

    Thanks for the detailed investigation and great report! I've added a new issue to add GitLab's key to ~/.ssh/known_hosts during the next image update: https://github.com/appveyor/ci/issues/3367

    The records in the known_hosts file are not added/preserved between builds (there is always a fresh VM for every build), but they are baked into the VM image with the following script: https://github.com/appveyor/build-images/blob/master/scripts/Window...

    As a workaround, yes, ssh-keyscan gitlab.com is a good solution for now.

  2. 2 Posted by Stijn on 30 Mar, 2020 06:54 PM

    Thanks for the quick reply and explanation, and glad to hear this will be sorted out!
