Host key verification failed on raspberry pi - gitlab-ci

I already added the keys to gitlab-ci
```
$ cd /home/pi/dashboard
$ git fetch
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```

You could try and scan for your gitlab-ci server first:
```
ssh-keygen -R domain.com
ssh-keyscan -t rsa domain.com >> ~/.ssh/known_hosts
```
(Replace 'domain.com' with your gitlab-ci server.)
Then try your git fetch again.

Related

azure SSH task to unzip the file in remote server linux

I am using an Azure CI/CD pipeline to deploy code to a remote server on CentOS. I have a zip file residing on the remote server, and I am using this task to unzip the file, but the pipeline fails saying host key verification failed. (The pipeline is successfully connected to the remote server.)
```
- task: SSH@0
  inputs:
    sshEndpoint: 'CentOS FTA VM APP1 CBVR'
    runOptions: 'inline'
    inline: |
      ssh cbvr@172.22.159.132 'cd opt/cbvr/;unzip -o EQ.MaxitCostBasis.Web.zip -d'
    readyTimeout: '20000'
```
```
host key verification failed
```

Based on the error message, you could run the following command to put the rsa key of the target host into the source host.
```
ssh-keyscan -t rsa targethost(e.g. IP Address) >> ~/.ssh/known_hosts
```
For more info, you could refer to this doc: Auth with SSH
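
Both answers above append whatever `ssh-keyscan` returns straight to `known_hosts`, so the key is trusted without being checked. As an added example (not code from either answer), this Python code accepts scanned lines only when their SHA256 fingerprint matches one obtained out of band; the host name, key blobs and function names are constructed for illustration, and the default-port `host keytype key` line format is assumed.

```python
import base64
import hashlib
import hmac


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entries(scan_output, host, trusted_fps):
    """Keep only `ssh-keyscan` lines for `host` whose fingerprint is trusted."""
    accepted = []
    for line in scan_output.splitlines():
        parts = line.split()
        # Skip blanks, "# host:22 SSH-2.0-..." banners and lines for other names.
        if len(parts) < 3 or parts[0] != host:
            continue
        try:
            fp = fingerprint(parts[2])
        except ValueError:  # malformed base64 in the key field
            continue
        if any(hmac.compare_digest(fp, t) for t in trusted_fps):
            accepted.append(" ".join(parts[:3]))
    return accepted


def constructed_blob(seed):
    """Constructed stand-in for an ssh-ed25519 public key blob (not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


HOST = "gitlab.example.com"                      # hypothetical server name
SERVER_KEY = constructed_blob(b"real server")
ROGUE_KEY = constructed_blob(b"interceptor")
# Fingerprint as the server admin would publish it out of band.
TRUSTED = {fingerprint(SERVER_KEY)}

CLEAN_SCAN = f"# {HOST}:22 SSH-2.0-OpenSSH\n{HOST} ssh-ed25519 {SERVER_KEY}\n"
TAMPERED_SCAN = f"{HOST} ssh-ed25519 {ROGUE_KEY}\n"

if __name__ == "__main__":
    for name, scan in (("clean", CLEAN_SCAN), ("tampered", TAMPERED_SCAN)):
        lines = verified_entries(scan, HOST, TRUSTED)
        # Only these lines would be appended to ~/.ssh/known_hosts.
        print(name, "->", lines or "nothing accepted, do not connect")
```

In a pipeline, the trusted fingerprint would come from a protected CI variable or the server administrator, and the job should fail when nothing is accepted.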

How to clone gitlab repo over tor using ssh?

Error message
After having added the ssh key of a user of a GitLab server and repository that is hosted over tor, a test was performed that tried to clone a private repository (to which the testing user is added) over tor. The cloning was attempted with command:
```
torsocks git clone git@some_onion_domain.onion:root/test.git
```
Which returns error:
```
Cloning into 'test'...
1620581859 ERROR torsocks[50856]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:543)
ssh: connect to host some_onion_domain.onion port 22: Connection refused
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
```
GitLab SSH Cloning Verification
However, to verify the ssh access is available to the test user, the cloning was verified without tor using command:
```
git clone git@127.0.0.1:root/test.git
```
Which successfully returned:
```
Cloning into 'test'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
```
Server side hypothesis
My first guess is that it is a server-side issue that has to do with the lack of https, in the following setting in the /etc/gitlab/gitlab.rb file:
```
external_url 'http://127.0.0.1'
```
However, setting external_url 'https://127.0.0.1' requires an https certificate, e.g. from Let's Encrypt, which seems not to be provided for onion domains.
Client-side hypothesis
My second guess would be that it is a client-side issue, with some SOCKS setting being incorrect on the side of the test user that runs the torsocks command, similar to an issue w.r.t. the SOCKS 5 protocol that seems to be described here.
Question
Hence I would like to ask:
How can I resolve the connect to host some_onion_domain.onion port 22: Connection refused error when users try to clone the repo over tor?

One can set the ssh port of the GitLab instance to 9001, e.g. with:
```
sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 --publish 22:9001 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  gitlab/gitlab-ee:latest
```
Next, add port 9001 and port 22 to the ssh configuration in /etc/ssh/sshd_config by adding:
```
Port 9001
Port 22
```
then restart the ssh service with: systemctl restart ssh.
It is essential that one adds a public ssh key to the GitLab server for each computer you want to download the repo from, even if one wants to clone a public repository. You can make a new GitLab account for each computer, or add multiple public ssh keys to a single GitLab account. These instructions explain how to do that; tl;dr:
```
ssh-keygen -t ed25519
<enter>
<enter>
<enter>
systemctl restart ssh
xclip -sel clip < ~/.ssh/id_ed25519.pub
```
P.S. If xclip does not work, one can manually copy the ssh key with: cat ~/.ssh/id_ed25519.pub.
Then open a browser and go to https://gitlab.com/-/profile/keys (so for your own tor GitLab server that would be: someoniondomain.onion/-/profile/keys), and copy-paste that key in there.
That is it, now one can clone the repository over tor with:
```
torify -p 22 git clone ssh://git@someoniondomain.onion:9001/root/public.git
```
Note
As a side note, in the question I happened to have tested git clone git@127.0.0.1:root/test.git; however, instead of using 127.0.0.1 I should have used either the output of hostname -I or the public ip address of the device that hosts the GitLab server. Furthermore, I should have verified whether the GitLab server was accessible through ssh by testing:
```
ssh -T git@youronionserver.onion
```
Which should return Congratulations... It would not have done so if I had tested that, indicating the problem was in the ssh access to the GitLab server (or the ssh connection to the device). I could have determined whether the ssh problem was with the device or the ssh server by testing if I could log into the device with: ssh deviceusername@device_ip, which would have been successful, indicating the ssh problem was at the GitLab server.

SSH to remote server refused if done via GitLab CI

We have a RHEL 7 remote server where I created a dummy user called gitlabci.
While SSH'd into the remote server, I generated a public-private key pair (for use when grabbing files from GitLab)
Uploaded the public key as a deploy key for use later when we get our CI set up
Generated another public-private key pair in my local machine (for use when SSH'ing into the remote server from the GitLab Runner)
Added the public key to the remote server's authorized_keys
Added the private key to the project's CI environment variables
The idea is when the CI runs, the GitLab runner will SSH into the remote server as the gitlabci user I created then fetch the branch into the web directory using the deploy keys.
I thought I have set up the keys properly but whenever the runner tries to SSH, the connection gets refused.
```
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )
...
$ eval $(ssh-agent -s)
Agent pid 457
$ echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
Identity added: (stdin) (GitLab CI)
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ ssh gitlabci@random.server.com
Pseudo-terminal will not be allocated because stdin is not a terminal.
ssh: connect to host random.server.com port 22: Connection refused
ERROR: Job failed: exit code 1
```
When I tried to SSH into the remote server via GitBash on my local machine using the key pair I generated it did work.
```
$ ssh -i ~/.ssh/gitlabci gitlabci@random.server.com
Last login: Mon Nov 4 13:49:59 2019 from machine01.work.server.com
```

```
ssh: connect to host random.server.com port 22: Connection refused
```
"Connection refused" means that the ssh client transmitted a connection request to the named host and port, and it received in response a so-called "reset" packet, indicating that the remote server was refusing to accept the connection.
If you can connect to random.server.com from one host but get connection refused from another host, a few possible explanations come to mind:
You might have an entry in your .ssh/config file which substitutes a different name or address for random.server.com. For example, an entry like the following would cause ssh to connect to random2.server.com when you request random.server.com:
```
Host random.server.com
    Hostname random2.server.com
```
The IP address lookup for "random.server.com" is returning the wrong address somehow, so ssh is trying to connect to the wrong server. For example, someone might have added an entry to /etc/hosts for that hostname.
Some firewall or other packet inspection software is interfering with the connection attempt by responding with a fake reset packet.

Breaking agent forwarding in Ansible on Vagrant

Using Ansible to provision Vagrant box, Ansible fails when cloning Git repo: Host key verification failed. fatal: Could not read from remote repository.. Oddly I can clone from Git with no issues when I SSH into the box and run git clone <GIT_URL>. Have set sudo: no in Ansible task but still fails. ssh-agent is running correctly on both host and box.

```
Host key verification failed.
```
is not related to the agent forwarding. As noted in the comments, it is related to the known_hosts file.
Before the first connection to the server (github.com), you need to manually verify its host key, or use a similar process as noted in comments, using keyscan:
```
ssh-keyscan -H github.com >> ~/.ssh/known_hosts
```
The other (not recommended) possibility is to turn off the host key verification in the ~/.ssh/config:
```
Host git
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
```
in the home directory of the user running the git clone.
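
The `-H` flag in the `ssh-keyscan` command above stores host names hashed, so a pinned entry cannot be found by searching `known_hosts` for the name. As an added example (not part of the original answer), this Python code matches a host against both hashed (`|1|salt|HMAC-SHA1`) and plain entries; the sample file, salt and key strings are constructed, and wildcard patterns are not handled.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Build the `|1|salt|mac` name field that `ssh-keyscan -H` writes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def field_names_host(field, host):
    """True if a known_hosts name field refers to `host` (exact names only)."""
    if not field.startswith("|1|"):
        return host in field.split(",")          # plain, comma-separated names
    try:
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(mac_b64, validate=True)
    except ValueError:                           # wrong field count or bad base64
        return False
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, stored)


def keys_for_host(known_hosts_text, host):
    """Return (key type, key blob) pairs pinned for `host`."""
    found = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue                             # comments, markers, short lines
        if field_names_host(parts[0], host):
            found.append((parts[1], parts[2]))
    return found


# Constructed sample file: one hashed entry, one plain entry, placeholder keys.
SALT = bytes(range(20))
SAMPLE = "\n".join([
    hash_host("github.com", SALT) + " ssh-ed25519 AAAAconstructedKeyOne",
    "gitlab.example.com,192.0.2.10 ssh-rsa AAAAconstructedKeyTwo",
])

if __name__ == "__main__":
    for h in ("github.com", "192.0.2.10", "other.example.org"):
        print(h, keys_for_host(SAMPLE, h))
```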

gitlab 5.2 can clone and push by http, but can't clone or push by ssh

I have set up my gitlab server behind a route, and I have mapped my ssh port to 50000 in the server. The gitlab port is 50001. Then I create a test project and try to clone it on another machine; it's ok when I use http.
```
git remote add origin http://myrouteaddress:50001/user/test.git
```
but when I try to test it using ssh, it fails with
```
git remote add origin ssh://git@myrouteaddress:50000/user/test.git
fatal: The remote end hung up unexpectedly
```
I have tested my ssh setting with
```
ssh -vT git@myrouteaddress -p 50000
```
and it passed without problem.
I checked the auth log with
```
sudo tail -f /var/log/auth.log
```
and got the following:
```
Jun 1 12:29:22 debian sshd[24799]: Accepted publickey for git from mytestpcip port 37848 ssh2
Jun 1 12:29:22 debian sshd[24799]: pam_unix(sshd:session): session opened for user git by (uid=0)
Jun 1 12:29:22 debian sshd[24801]: Received disconnect from mytestpcip: 11: disconnected by user
Jun 1 12:29:22 debian sshd[24799]: pam_unix(sshd:session): session closed for user git
```
Can someone tell me the reason? Thank you very much!

I finally found the reason: I had generated the ssh rsa key with the wrong parameter. The right way is:
```
ssh-keygen -t rsa -C "email@email.com"
```

Check your config:
```
# check gitlab-shell install
sudo -u git -H /home/git/gitlab-shell/bin/check
# check gitlab install
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
```
Then, try and use the scp syntax:
```
git@myrouteaddress:50000:user/test.git
```
or
```
gitolite:user/test.git
```
With a config file in your ~/.ssh/config with
```
Host gitolite
    # or ip address
    Hostname myrootaddress
    Port 5000
    User git
    IdentityFile ~/.ssh/git
```