How to get Jenkins checking out private vendor repo via composer - github

I've got a project that I want to build with Jenkins.
The project is hosted in a private GitHub repo and I've put the SSH public key in GitHub of my user "deploy".
The project gets checked out fine thanks to the deploy credential in Jenkins git plugin section in the build config.
But a vendor lib which is hosted as private in same GitHub organisation is loaded via a build step command :
php composer.phar install -o --prefer-dist --no-dev
I've installed Jenkins git plugin in order to checkout the main repo from GitHub via private SSH key.
But when the composer tries to checkout the sub project I get
Failed to clone the git@github.com:Organisation/Repo.git repository, try running in interactive mode so that you can enter your GitHub credentials
I've tried to get the composer command ran as a different user without success with stuff like :
su - deploy -c 'php composer.phar install -o --prefer-dist --no-dev'
Looks weird anyway. I'd like to figure out the proper way of having Composer do its job. Thoughts?

Jenkins is actually running the shell commands as "jenkins" user.
It means that "jenkins" needs access to GitHub.
Then all the git@github.com:Organisation/Repo.git will work without additional credentials.
Here is how to grant Jenkins access to GitHub over SSH:
# Login as the jenkins user and specify shell explicitly,
# since the default shell is /bin/false for most
# jenkins installations.
sudo su jenkins -s /bin/bash
ssh-keygen -t rsa -C "your_email@example.com"
# Copy ~/.ssh/id_rsa.pub into your GitHub
# Allow adding the SSH host key to your known_hosts
ssh -T git@github.com
# Exit from su
exit
Inspired from: Managing SSH keys within Jenkins for Git

Related

How do I provide SSH keys to GitHub Actions so that pip can install from a git repo? [duplicate]

I'd like to pip install a library from a private GitHub repository in a GitHub Actions job. I can install it on my computer just fine because I've configured GitHub to accept the SSH key. But how do I give an SSH key to a GitHub Actions runner?
On my computer, this works fine:
python -m pip install "git+ssh://git@github.com/ORG/LIBRARY.git@main#egg=SOMETHING&subdirectory=SOMETHING"
Collecting LIBRARY
Cloning ssh://****@github.com/ORG/LIBRARY.git (to revision main) to /tmp/pip-install-_kw52ce5/LIBRARY_35c4fb5cf6a64e30914beaec4a768bd1
Installing build dependencies ... done
...
Successfully built LIBRARY-0.1.1
I changed the name of the library, organization, and directories for privacy. Documentation for pip installations from GitHub repos is here.
I have tried this guide with this GitHub action with no luck. In GitHub Actions, I get this error message:
Step 15/20 : RUN pip install -r requirements.txt
---> Running in 5ece3eb6572e
Collecting LIBRARY@ git+ssh://git@github.com/ORG/LIBRARY.git@main#egg=SOMETHING&subdirectory=SOMETHING
Cloning ssh://****@github.com/ORG/LIBRARY.git (to revision main) to /tmp/pip-install-ohx86p2h/LIBRARY_2972ab1296ce45afa73bbb3c5a036bd1
Running command git clone -q 'ssh://****@github.com/ORG/LIBRARY.git' /tmp/pip-install-ohx86p2h/LIBRARY_2972ab1296ce45afa73bbb3c5a036bd1
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
How do I give an SSH key to a GitHub Actions runner?
I think the "Host key verification failed" points to an issue with the ~/.ssh/known_hosts file. Typically, the first time you connect to a host via ssh you are prompted with something similar to:
The authenticity of host 'domain.com (a.b.c.d)' can't be established.
RSA key fingerprint is XX:XX:...:XX.
Are you sure you want to continue connecting (yes/no)?
When you answer yes, the host key is automatically added to the known_hosts file. You can manually add the host key to the known_hosts file of the user that is running your GitHub Actions:
Get the host key directly from a GitHub admin or once logged into github.com (more secure - highly suggest).
Use ssh-keyscan -H github.com >> ~/.ssh/known_hosts
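An added example, not part of the original answer: ssh-keyscan trusts whatever the network path returns, so this sketch keeps a scanned line only if its SHA256 fingerprint matches a pin obtained out of band, and it handles the hashed host fields that the -H flag produces. The function names, key blobs and pin are constructed for illustration.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, hostname):
    """Match a known_hosts host field, plain or hashed (ssh-keyscan -H)."""
    if field.startswith("|1|"):
        # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return hostname in field.split(",")

def pinned_lines(scan_output, hostname, pins):
    """Keep only scanned lines for hostname whose fingerprint is in pins."""
    accepted = []
    for line in scan_output.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # ssh-keyscan banner comments and malformed lines
        try:
            ok = host_matches(parts[0], hostname) and fingerprint(parts[2]) in pins
        except ValueError:  # bad base64 or a malformed hashed host field
            ok = False
        if ok:
            accepted.append(line)
    return accepted

# Constructed sample blobs, not real host keys.
GOOD = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"A" * 36).decode()
EVIL = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"B" * 36).decode()
# Assumption: in practice the pin is the fingerprint the host operator publishes.
PINS = {fingerprint(GOOD)}

if __name__ == "__main__":
    scan = f"# github.com:22 SSH-2.0-sample\ngithub.com ssh-ed25519 {GOOD}\n"
    spoofed = f"github.com ssh-ed25519 {EVIL}\n"
    print(pinned_lines(scan, "github.com", PINS))     # the key line is kept
    print(pinned_lines(spoofed, "github.com", PINS))  # empty: do not append
```

Only the lines this returns should be appended to known_hosts; an empty result means the scan did not match the pin and the job should fail.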

Jenkins Intermittent Hangs on git clone/checkout from github on pipeline jobs

Have you seen and do you have a solution for or investigation ideas for this problem:
jenkins pipeline jobs using Pipeline from GitHub SCM intermittently hang on clone/checkout
nothing reported in jenkins logs about this situation
only seems to happen when we have a lot of activity (usually right before sprint demos)
clears after some period of time - haven't been able to detect much a pattern yet
Checking out git git@github.com:MyTeam/myproject into /var/lib/jenkins/jobs/myproject-dev-deploy/workspace@script to read deploy/dev-Jenkinsfile
git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
git config remote.origin.url git@github.com:MyTeam/myproject # timeout=10
Fetching upstream changes from git@github.com:MyTeam/myproject
git --version # timeout=10
using GIT_SSH to set credentials Deploy key for myproject
git fetch --tags --progress git@github.com:MyTeam/myproject +refs/heads/*:refs/remotes/origin/*
A horrible intermittent problem in a java app? To the JVM settings we go. Luckily CloudBees wrote a great article on this Tuning Jenkins GC For Responsiveness and Stability with Large Instances
Turns out this wasn't the prime factor. The real cause was network configuration and impact of a backup job on saturation. Still, an excellent article.
Here's how we debugged it:
GitHub support gave us this https://github-debug.com/ script and we augmented it thus:
#!/usr/bin/env bash
echo Clearing Previous Run
rm -rf /tmp/debug-repo-http
rm -rf /tmp/debug-repo-ssh
echo clone1: `date`
time git clone https://github.com/github/debug-repo /tmp/debug-repo-http
echo clone2: `date`
time git clone git@github.com:github/debug-repo /tmp/debug-repo-ssh
echo Ping: `date`
time ping -c 10 github.com
#echo traceroute: `date`
#traceroute github.com
Setup jenkins job to attempt checkout, fail and report if it took longer than 30s - once via pipeline + plugin and once via shell script
Began running various tests: dump all docker images and re-pull, s3 pull backup, s3 push backup etc.
Repeat tests in another network area and compare results
I ran into this issue with the git clone command, and it cost me 2 days to resolve.
If you run git commands from a Windows shell/batch step in Jenkins, it may be caused by a git SSH key issue...
The Jenkins Windows shell or batch command uses the 'system' account to run git commands, and its SSH key settings are different from those of your Gerrit plugin or login account.
A. Different git ssh key path
The git SSH key of the 'system' account is set in the following paths:
C:\Windows\System32\config\systemprofile\.ssh
C:\Windows\SysWOW64\config\systemprofile\.ssh
You can check ssh key in these paths for system account.
B. Register key in known_hosts file
Jenkins will not automatically import the key of a new host into your known_hosts file.
You can do it manually with the following steps:
Log in to your local account in Windows
SSH to the git remote directly: ssh <git remote web site> -p <port>, then type yes to register the key
Copy the registered key from the local account's known_hosts (C:\Users\.ssh); at the bottom of the file you will see something like:
[gerrit.cartography.com]:29168,[10.25.174.78]:29418 ssh-rsa AAAAB3NzaC1yc2EAASSSSAQABAAAAgQDPHbDKCHL3oPbzDn3qaVZR8S1EZx/rb500Th/fjQYg5jrJ7PBMVVUyNTpJ2moje5hLYjNsVtXtcoNEZjImGul2dl3f+eHrCB27X5198jr8Wj66I/xsQCLEngd7l3velsdfgd3432fsdDiFaE9INjDjgngfNzlFA+CYpFsnaorZ6XSPQ==
Paste it into the 'system' known_hosts file.
C:\Windows\System32\config\systemprofile\.ssh
C:\Windows\SysWOW64\config\systemprofile\.ssh
I think you will resolve your problem now !
Enjoy it!

Jenkins/Github: Apparently .git/config doesn't exist?

So after installing the Github plugin to Jenkins CI and attempting to add a job for my Github project to compile automatically after a Github push to master, Jenkins reports that .git/config doesn't exist.
I went to /var/lib/jenkins and created .git and the config file and chowned them to jenkins:nogroup.
The error persisted. I then went and did this in my own VPS home directory. Error persists.
I then made a home folder for the jenkins user with no shell and did the same steps. Error persists.
Which .git/config is it referring to?!
Edit:
The actual error I'm referring to is:
Failed to connect to repository : Command "git config --local credential.helper store --file=\"/tmp/git7406572387997126825.credentials\"" returned status code 255:
stdout:
stderr: error: could not lock config file .git/config: No such file or directory
Solved...switched to SSH.
Steps:
Assume control of the Jenkins user: su jenkins
(You may need to set a password for it first (make it good!): sudo passwd jenkins.)
Go home: cd ~.
Generate key: ssh-keygen -t rsa -C "email". (No passcode)
Copy $JENKINS_HOME/.ssh/id_rsa.pub to GitHub.
Set Jenkins credentials to authenticate to GitHub using the private key.
Works fine.
Found a neat workaround here: https://groups.google.com/forum/#!topic/git-users/pyv6ldFxUio
mkdir ~/.git
git config --global user.email "m...@school.com"

Add SSH-Key for nginx user (for github)

I'm running into a bit of issues with nginx and SSH keys.
I need to add a ssh key for the nginx user to access private github repositories and then run the "git ..." commands to pull or clone the repo onto my Ubuntu box.
With the nginx user just being a worker task is it possible to generate a key for this user?
Thanks for any help!
You can run commands as another user without having to provide their password using sudo:
$ sudo -u nginx ssh-keygen -t rsa -C "email@address.com"

Permission denied (public key) during fetch from GitHub with Jenkins user on Ubuntu

Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git@github.com, I am always asked for my passphrase, but I am always eventually authenticated. (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins@alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)
Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty
To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as other names such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git@github.com (change address according to your git server)
I got around this problem by simply leaving the passphrase empty when creating the keys.
I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*
Things to check:
if the right public key (id_rsa.pub) is uploaded to the git-server.
jenkins user will access to github -> to CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git@github.com to see debug logs. If things go well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git@github.com
Don't try to do config in jenkins until ssh works!
If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match
For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1. Remove all Public and Private keys located at /Users/Username/.ssh
2. Remove all the credentials saved under the Credentials tab in Jenkins.
3. Remove the existing Public SSH keys defined in the GitHub Repository Settings.
4. Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5. Set the newly created public SSH key (id_rsa.pub) in GitHub or an equivalent Repository Settings.
6. In Jenkins, create new credentials by adding the private SSH key (id_rsa) for your GitHub username.
7. The Error should be removed now.
Keys need to be generated as the jenkins user.
sudo su jenkins
ssh-keygen
Once the key is generated, it should be added as an SSH key in Bitbucket or GitHub.
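An added example, not from any of the answers above: the ownership and mode problems discussed in this thread can be checked in one pass before touching the Jenkins configuration. It flags files not owned by the CI account and private keys with any group or other permission bits, which the OpenSSH client refuses to load; the function names and the audit.py file name are hypothetical.

```python
import os
import stat

def is_private_key(path):
    """True if the file starts with a PEM/OpenSSH private key header."""
    with open(path, "rb") as fh:
        return b"PRIVATE KEY-----" in fh.read(64)

def audit_ssh_dir(ssh_dir, owner_uid):
    """Return a list of ownership and permission findings for an .ssh directory."""
    findings = []
    st = os.stat(ssh_dir)
    if st.st_uid != owner_uid:
        findings.append(f"{ssh_dir}: owned by uid {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o022:
        findings.append(f"{ssh_dir}: writable by group or other")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        fst = os.stat(path)
        if not stat.S_ISREG(fst.st_mode):
            continue
        mode = stat.S_IMODE(fst.st_mode)
        if fst.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {fst.st_uid}, expected {owner_uid}")
        if is_private_key(path) and mode & 0o077:
            # ssh refuses to load a private key with any group/other bits set
            findings.append(f"{path}: private key mode {mode:o} is too open, use 600")
    return findings

if __name__ == "__main__":
    # Run as the CI account, for example: sudo -u jenkins python3 audit.py
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        for finding in audit_ssh_dir(ssh_dir, os.getuid()):
            print(finding)
```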