Known_hosts edit fails using local CLI

github
npm
cli

#1

I need to clone a separate GitHub repo (other than the one checked out by the checkout step) as part of my build process*. It works in the actual CircleCI environment, but I’m having a known_hosts issue when I run circleci build locally.

This shows up during the build, and since it’s an interactive prompt, the build can’t continue:

The authenticity of host 'github.com (192.30.255.113)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? 

I tried appending to the ~/.ssh/known_hosts file as discussed here but the ~/.ssh directory doesn’t seem to exist. I get /bin/bash: /home/circleci/.ssh/known_hosts: No such file or directory.

Is this an intended difference between the local version and “actual” version of the docker image? Is there something I can do to test the build locally?

*(probably irrelevant detail: it’s an npm package dependency in a private github repo)


#4

My usual way of fixing “known hosts” problems is to use the SSH feature on a (failing) build, do the SSH/Git operation on the console, and then grab the ~/.ssh/known_hosts file generated. This file can then be committed to the repo and copied into place prior to executing the command that needs it.

If the ~/.ssh folder does not exist, then just create it (both in SSH and also in the build process, prior to writing the known_hosts file manually).


#5

The simplest repeatable way is to use ssh-keyscan against the host name, but you’ll find lots of people will quickly tell you this exposes you to man-in-the-middle attacks by blindly trusting that you’re actually getting the right key.

A step up would be to use an authority you trust (google, openDNS, cloudflare, etc.) and only add those IPs.

for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts

This grabs all current IPs returned by google’s DNS and adds them to known_hosts. You can replace 8.8.8.8 with another DNS provider’s IP.

You’ll end up with

cat ~/.ssh/known_hosts 
github.com,192.30.253.112 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
192.30.253.112 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
github.com,192.30.253.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
192.30.253.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

#6

Hmm, looks like I can create the ~/.ssh directory… for some reason I thought I was getting access denied on that! I think I’m all set, then. Thanks!
Still seems like a surprising difference between the CLI and the “real thing” but I’ve got it figured out for now, and other folks can find this page if they have the same issue.


#7

@eddiewebb I’m aware of that, but my issue was not being able to append to the known_hosts file which does not exist. Creating it seems to work just fine now.


#8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.