Host key verification failed - Even demo file on v0.8.0 is broken

[philippe-boyd-maxa]

It seems that latest release following the update to the host keys broke everything...

Also, Demo github action no longer working : https://github.com/webfactory/ssh-agent/blob/master/.github/workflows/demo.yml

[sebastiankugler]

@philippe-boyd-maxa where are you trying to run the action? If it's in a self-hosted environment, you have to provide the host keys yourself. If run in github.com, GitHub should provide the keys in the environment automatically: see #171 (comment)

[philippe-boyd-maxa]

@sebastiankugler I'm running it in github.com. And if you check the Actions page of THIS repository https://github.com/webfactory/ssh-agent/actions you'll see that even the demo action fails. That's what I'm mentioning in my original issue.

[mpdude]

Seems we have problems with Windows-based builds and actions running in Docker images…? For the latter, #174 might contain hints

[schr4der]

I'm having this issue when running Poetry Install in GitHub Actions. "Host Key Verification" Fails after half of packages are installed with poetry. This issue started happening out of nowhere 2 weeks ago, so the timeline checkouts.

[16L-YT]

I having the same error. My github action was based on ssh-agent v0.5.3 and after the breaking change in Github SSH, I used v0.8.0 and this is what I've done to setup the new generated private key:

1- I've created new pair of SSH keys using this command
ssh-keygen -t ed25519 -C "[email protected]" with no passphrase
2- updated the SSH_PRIVATE_KEY in secrets/actions with the generated private key.
3- Added the public key to 'Deploy keys'.
4- I added this run command in the action to test the SSH connection with private repos
- run: git ls-remote [email protected]:org/private-repo

        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
                - run: git ls-remote [email protected]:org/private-repo

I always get: fatal: Could not read from remote repository.

5- I've tried to change the comment in the key generating command with `-c "[email protected]:org/private-repo" to help the action to match the provate key with the public key. It did not work.

[tan-wei-xin-alez]

Also having this issue when trying to run

    runs-on: ubuntu-latest
    container:
      image: <container_registry_url>/<image_name>:latest
    steps:
      # https://github.com/orgs/community/discussions/50130#discussioncomment-5322500
      - name: Checkout repo using ssh (so that submodules also use ssh)
        uses: actions/checkout@v3
        with:
          ssh-key: ${{ secrets.ROBOT_SAFEPLCHANDLER_APP_DEPLOY_KEY_ED25519 }}

      # need to use ROBOT_SAFEPLCHANDLER_APP_DEPLOY_KEY_ED25519 twice as checkout action does not apply for LFS command
      - name: Supply ssh deploy keys for submodules and LFS
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.ROBOT_SAFEPLCHANDLER_APP_DEPLOY_KEY_ED25519 }}
            ${{ secrets.ROBOT_HELPERSCRIPTS_DEPLOY_KEY_ED25519 }}
            ${{ secrets.ROBOT_HELPERSCRIPTS_GETCALLERPREFERENCE_DEPLOY_KEY_ED25519 }}

      # https://github.com/actions/checkout/issues/287#issuecomment-1310504620
      - name: Pull LFS files and update submodules
        shell: bash
        run: |
          git lfs pull
          git submodule update --init --recursive

Reverting to v0.7.0 allows everything to work fine but otherwise, same "fatal: Could not read from remote repository" error that everyone above is experiencing

[RockLobster]

same issue here, 0.7.0 works, 0.8.0 fails

[ericksprengel]

same issue here, 0.7.0 works, 0.8.0 fails [2]

[speedym]

Same here, 0.8.0 fails on Windows runners.

[akram]

Hi this is what worked for me:

  build:
    runs-on: ubuntu-latest
    steps:
    - name: "Add GitHub to the SSH known hosts file"
      run: |
        mkdir -p -m 0700 /home/runner/.ssh
        curl --silent https://api.github.com/meta  | jq --raw-output '"github.com "+.ssh_keys[]' >> /home/runner/.ssh/known_hosts
        chmod 600 /home/runner/.ssh/known_hosts
    - uses: actions/checkout@v3
    - uses: webfactory/[email protected]
      with:
        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

    - name: Build and push
      id: docker_build
      uses: docker/build-push-action@v3
      with:
        ssh: |
          default=${{ env.SSH_AUTH_SOCK }}

and in Dockerfile

RUN --mount=type=ssh git clone [email protected]:my-repo/gh-action-test3.git

and create the key with:

ssh-keygen -b 4096 -t rsa -N "" -f my-key -C "[email protected]:my-repo/gh-action-test3.git"

And deploy the public key as a Deploy key in github.com:my-repo/gh-action-test3.git and the private key as an Action Secret in the repo running the GitHub Actions

[rlueder]

The solution descbribed on #174 (comment) worked for me with webfactory/[email protected]

[scottamain]

Based on the clues here, I got the following to work for me, which adds GitHub's SSH keys on a self-hosted Windows runner:

      - name: Add GitHub to the SSH known hosts
        run: |
          mkdir -p C:\Users\ContainerAdministrator\.ssh
          $response = Invoke-RestMethod -Uri "https://api.github.com/meta"
          $response.ssh_keys | ForEach-Object { "github.com $_" } | Out-File -Append -FilePath "C:\Users\ContainerAdministrator\.ssh\known_hosts" -Encoding UTF8
          cat C:\Users\ContainerAdministrator\.ssh\known_hosts
        shell: pwsh

Although I then instead get an error in libcrypto when I try to access a private GitHub repo with a deploy key...

[guettli]

Check that $HOME is correct by comparing getent passwd $(id -un) | cut -d: -f6 with $HOME. You might be affected by: HOME is overridden in Container.

It took me hours to understand and solve this.