Authenticity of host can't be established. Are you sure you want to continue connecting (yes/no)?

Hello!
I have a problem deploying build results to Azure; I get the following error:

The authenticity of host ‘xxx (40.89.139.99)’ can’t be established.
ECDSA key fingerprint is b4:06:c4:fd:36:5c:6e:f6:a4:61:43:02:a6:fd:d7:b9.
Are you sure you want to continue connecting (yes/no)?

I checked similar problems here and tried to add the public SSH key to “known_hosts” according to the advice:

i.e. added a “step” in the “deploy” job, tried two different ways:

  1. ssh-keyscan:

run: ssh-keyscan 40.89.139.99 >> ~/.ssh/known_hosts

  2. echo:

run: echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA (...) BAQCT2K3RJXzbsP >> ~/.ssh/known_hosts

But it did not help, I get the same error, so it seems like the docker image does not get this key anyway.

I have added an SSH key (no passphrase) to my project settings in circle ci, it is a valid key since I can establish an SSH session with the azure server with this SSH key on my computer. The IP address is correct too.

My whole config looks like this:

# Javascript Node CircleCI 2.0 configuration file
#
# Check https://circleci.com/docs/2.0/language-javascript/ for more details
#
version: 2
jobs:
  build:
    docker:
      # specify the version you desire here
      - image: circleci/node:7.10

      # Specify service dependencies here if necessary
      # CircleCI maintains a library of pre-built images
      # documented at https://circleci.com/docs/2.0/circleci-images/
      # - image: circleci/mongo:3.4.4

    working_directory: ~/repo

    steps:
      - checkout

      # Download and cache dependencies
      - restore_cache:
          keys:
            - v1-dependencies-{{ checksum "package.json" }}
            # fallback to using the latest cache if no exact match is found
            - v1-dependencies-

      - run: yarn install

      - save_cache:
          paths:
            - node_modules
          key: v1-dependencies-{{ checksum "package.json" }}

      # run tests!
      - run: yarn test

  deploy:
    docker:
      - image: circleci/node:7.10
    working_directory: ~/repo
    steps:
      - add_ssh_keys:
          fingerprints:
            - '11:95:f7:ab:a3:67:f9:c6:7f:56:e7:a0:15:e6:e0:29'

      - run: ssh-keyscan 40.89.139.99 >> ~/.ssh/known_hosts

      - run:
          name: upload files to azure
          command: sudo scp -r github-project-name/* username@xxx.francecentral.cloudapp.azure.com:/etc/nginx/sites-available/github-project-name

workflows:
  version: 2
  build-deploy:
    jobs:
      - build
      - deploy:
          requires:
            - build
          filters:
            branches:
              only: master

I wish this proposal would be implemented one day - add command “ssh_known_hosts” like you can do in travis ci.

And what about security - do I need to open the SSH port (22) to the whole internet in order to run the “scp” command from the circle ci image?

The best way would be to allow access only from circle ci servers by adding those IP addresses, but it is not possible according to this:

Any help appreciated! :pray:

I would double check that you’re adding the right fingerprint to known_hosts. A server typically has more than one key to fingerprint so it depends on which one the client ends up using.

I deploy my personal website via rsync/SSH to a server. Here’s how I do it: https://github.com/felicianotech/www.feliciano.tech/blob/master/.circleci/config.yml#L40
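
Added example (not part of the thread or of anyone's posted config): a Python sketch that reads known_hosts-format lines, derives each key's type and fingerprints from the key blob, and reports whether the key a server presents is pinned for the exact name the client connects to. The host name deploy.example.test, the address 192.0.2.10 and all key material are constructed for illustration.

```python
import base64, hashlib, struct

def fingerprints(b64_key):
    """Key type (read from the blob itself) and both OpenSSH fingerprint formats."""
    blob = base64.b64decode(b64_key, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # SSH wire format: length-prefixed type name
    md5 = hashlib.md5(blob).hexdigest()   # legacy colon-hex form, as in the ssh prompt
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": blob[4:4 + n].decode("ascii"),
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def pinned_keys(known_hosts_text, host):
    """Keys pinned for exactly `host`; comments, @markers and hashed (|1|) names are skipped."""
    found = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@|":
            continue
        if host in parts[0].split(","):
            found.append(fingerprints(parts[2]))
    return found

def verdict(known_hosts_text, host, offered_b64):
    """Classify the key a server presents against what is pinned for `host`."""
    offered, pinned = fingerprints(offered_b64), pinned_keys(known_hosts_text, host)
    if not pinned:
        return "not pinned"
    same_type = [p for p in pinned if p["type"] == offered["type"]]
    if not same_type:
        return "other key type pinned: " + ",".join(sorted({p["type"] for p in pinned}))
    if any(p["sha256"] == offered["sha256"] for p in same_type):
        return "match"
    return "mismatch"

# Constructed sample keys: filler payloads with a valid type header, not real host keys.
def _sample_key(key_type, payload):
    t = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + payload).decode()

RSA = _sample_key("ssh-rsa", b"\x01" * 64)
ECDSA = _sample_key("ecdsa-sha2-nistp256", b"\x02" * 64)
ROGUE = _sample_key("ecdsa-sha2-nistp256", b"\x03" * 64)  # same type, different key
# Hypothetical job state: only an RSA key is pinned, and only under the IP address.
KNOWN_HOSTS = "# constructed\n192.0.2.10 ssh-rsa %s\n" % RSA
FIXED = KNOWN_HOSTS + "deploy.example.test,192.0.2.10 ecdsa-sha2-nistp256 %s\n" % ECDSA

if __name__ == "__main__":
    for kh, host in [(KNOWN_HOSTS, "deploy.example.test"), (KNOWN_HOSTS, "192.0.2.10"), (FIXED, "192.0.2.10")]:
        print(host, "->", verdict(kh, host, ECDSA), fingerprints(ECDSA)["md5"])
```

An entry only counts when both the name used on the command line and the key type line up: an RSA line stored under the IP address does not cover an ECDSA key presented for the host name.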

Hi! Thank you for your example! I tried to do the following:

  1. I have generated a new SSH key on my computer, no passphrase:
    ssh-keygen -b 2048 -t rsa

  2. Opened SSH session from my computer to azure server:
    ssh username@40.68.130.151

  3. I got the question if I trust the server, after answering ‘yes’ I got new line in my “known_hosts” file:
    40.68.130.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0IqVOIbRoOC2rToQJlKJgVheH65rAzG14X40+ysM8ltjYu5ciNEiQHwL81oM75Utcm5JyXpMqCsFearWwmSGs=

  4. I copied the private key to circle ci and public ssh key to “authorize_keys” file on the server (according to these instructions).

As a result I got “Host key verification failed.” You said that “server typically has more than one key to fingerprint”, could you explain more in this context?

The deploy job in “config.yml” looks like this now:

  deploy:
    docker:
      - image: circleci/node:7.10
    steps:
      - add_ssh_keys

      - run:
          name: upload files to azure
          command: |
            echo '40.68.130.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0IqVOIbRoOC2rToQJlKJgVheH65rAzG14X40+ysM8ltjYu5ciNEiQHwL81oM75Utcm5JyXpMqCsFearWwmSGs=' >> ~/.ssh/known_hosts
            ssh username@40.68.130.151 sudo scp -r github-project-name/* username@40.68.130.151:~/circleupload

and “authorize_keys” file on linux server has 2 keys, looks like this now:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIePdjBnP2OhNE/Q0GSrC6u8Xh6q1JW+AnbzGIama (...)
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0IqVO (...)

Does anything look wrong to you?

What are you trying to actually accomplish? Does your deployment process consist of a directory of files that you want to upload to a server via scp?

Yeah, my goal is to build nodejs project when I do commit to github, run tests and deploy the results of “npm run build” to prod server - all that with help of circle ci :grinning:

Okay so this may not completely solve your issue but should get us closer. In the most recent config you posted, the deployment command you used looks kind of convoluted. I think the command from your first post is more correct.

sudo scp -r github-project-name/* username@xxx.francecentral.cloudapp.azure.com:/etc/nginx/sites-available/github-project-name

The problem with the above command though is that you are using sudo. That elevates your user’s privileges to the root user, which then means it will try to use the SSH keys for the root user and not the user CircleCI / add_ssh_keys will actually add the keys for.

When deploying via SSH from CircleCI you want to:

  1. Make sure you have the right SSH fingerprint stored, which I think you might have now as of post #3
  2. Make sure you’re using the add_ssh_keys step, which you are.
  3. Make sure that a private SSH key has been added to CircleCI and the public counter-part added to your server.

Thank you for your help!

I tried to remove “sudo” from the command “sudo scp -r”, but still got the same problem “authenticity of host can’t be established”.

I tried to add this command in order to see some debug info:
ssh username@40.68.130.151 -v

It shows that circleci could actually establish ssh connection with the server! See debug info:

debug1: Connecting to 40.68.130.151 [40.68.130.151] port 22.
debug1: Host '40.68.130.151' is known and matches the ECDSA host key.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: 
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).

Authenticated to 40.68.130.151 ([40.68.130.151]:22).
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-1025-azure x86_64)

But if I add scp -r ... on the next line after ssh username@40.68.130.151 -v - nothing happens.

Isn’t it strange?

        echo '40.68.130.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0IqVOIbRoOC2rToQJlKJgVheH65rAzG14X40+ysM8ltjYu5ciNEiQHwL81oM75Utcm5JyXpMqCsFearWwmSGs=' >> ~/.ssh/known_hosts
        ssh username@40.68.130.151 -v
        scp -r github-project-name/* username@40.68.130.151:~/circleupload

Can you please post what the current version of your deployment job looks like?

Also, can you confirm that:

  1. username is being replaced with your actual server username?
  2. The username that you’re using has permission to write to the circleupload directory?

Yes, sure! I did some more changes, and finally “authenticity” problem is gone now! :tada:

  • added “PubkeyAuthentication yes” in /etc/ssh/ssh_config (according to this answer)
  • restarted ssh service: service sshd restart

Now I get “No such file or directory”.

I added “pwd” command in build job and got “/home/circleci/repo”.
The repo name is “dolores-westworld” and I tried to upload build results like this:

scp -r ~/dolores-westworld/* john@40.68.130.151:~/circleupload

After adding “persist_to_workspace” in build job and “attach_workspace” in deploy job (copied from your example above) - it finally worked as expected, hooray!

:tada: :tada:


Answers to questions above:

  1. Yes, username is being replaced with your actual server username, see yml below.

  2. Yes, the user has permission to write to the circleupload directory:

    john@circle-deploy:~$ ls -l
    drwxrwxrwx 2 john john 4096 Oct 24 12:11 circleupload

I hope it will help somebody else - I post the final result - whole config.yml:

# Javascript Node CircleCI 2.0 configuration file
#
# Check https://circleci.com/docs/2.0/language-javascript/ for more details
#
version: 2
jobs:
  build:
    docker:
      # specify the version you desire here
      - image: circleci/node:8.11

      # Specify service dependencies here if necessary
      # CircleCI maintains a library of pre-built images
      # documented at https://circleci.com/docs/2.0/circleci-images/
      # - image: circleci/mongo:3.4.4

    working_directory: ~/repo

    steps:
      - checkout
      - add_ssh_keys

      # Download and cache dependencies
      - restore_cache:
          keys:
            - v1-dependencies-{{ checksum "package.json" }}
            # fallback to using the latest cache if no exact match is found
            - v1-dependencies-

      - run: yarn install
      - run: yarn build

      - persist_to_workspace:
          root: ~/repo
          paths:
            - src

      - save_cache:
          paths:
            - node_modules
          key: v1-dependencies-{{ checksum "package.json" }}

      # run tests!
      - run: yarn test

  deploy:
    docker:
      - image: circleci/node:8.11

    steps:
      - attach_workspace:
          at: ~/repo
      - add_ssh_keys
      - run:
          name: upload files to azure
          command: |
            echo '40.68.130.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0IqVOIbRoOC2rToQJlKJgVheH65rAzG14X40+ysM8ltjYu5ciNEiQHwL81oM75Utcm5JyXpMqCsFearWwmSGs=' >> ~/.ssh/known_hosts
            scp -r ~/repo john@40.68.130.151:~/circleupload

workflows:
  version: 2
  build-deploy:
    jobs:
      - build
      - deploy:
          requires:
            - build
          filters:
            branches:
              only: master

:beer:


Thank you so much for your help! :+1: :+1:
