I need to clone a separate GitHub repo (other than the one checked out by the checkout step) as part of my build process*. It works in the actual CircleCI environment, but I’m having a known_hosts issue when I run circleci build locally.
This shows up during the build, and since it’s an interactive prompt, the build can’t continue:
The authenticity of host 'github.com (192.30.255.113)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)?
I tried appending to the ~/.ssh/known_hosts file as discussed here but the ~/.ssh directory doesn’t seem to exist. I get /bin/bash: /home/circleci/.ssh/known_hosts: No such file or directory.
Is this an intended difference between the local version and “actual” version of the docker image? Is there something I can do to test the build locally?
*(probably irrelevant detail: it’s an npm package dependency in a private github repo)
My usual way of fixing “known hosts” problems is to use the SSH feature on a (failing) build, do the SSH/Git operation on the console, and then grab the ~/.ssh/known_hosts file generated. This file can then be committed to the repo and copied into place prior to executing the command that needs it.
If the ~/.ssh folder does not exist, then just create it (both in SSH and also in the build process, prior to writing the known_hosts file manually).
The simplest repeatable way is to use ssh-keyscan against the host name, but you’ll find lots of people will quickly tell you this exposes you to man-in-the-middle attacks by blindly trusting that you’re actually getting the right key.
A step up would be to use an authority you trust (Google, OpenDNS, Cloudflare, etc.) and only add those IPs.
for ip in $(dig @8.8.8.8 github.com +short); do ssh-keyscan github.com,$ip; ssh-keyscan $ip; done 2>/dev/null >> ~/.ssh/known_hosts
This grabs all current IPs returned by Google’s DNS and adds them to known_hosts. You can replace 8.8.8.8 with another DNS provider’s IP.
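A pinned-fingerprint check that can sit between the ssh-keyscan step above and the append to known_hosts, as an added Python example that is not from this thread: it keeps only scan lines whose key hashes to the SHA256 fingerprint you pinned in advance (GitHub publishes its current ones), so a spoofed or tampered reply is dropped instead of being trusted blindly. The sample key, its tampered copy, the 192.0.2.10 address and the pinned value are constructed for the demo, not real GitHub keys.

```python
import base64
import hashlib
import os
import struct

def ssh_fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, in OpenSSH's 'SHA256:...' form (no padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def filter_pinned(scan_output, pinned):
    """Return only the ssh-keyscan lines whose key type has a pinned fingerprint that matches."""
    accepted = []
    for line in scan_output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 3:
            continue  # blank line, or the '# host:port SSH-2.0-...' banner ssh-keyscan prints
        _host, ktype, key_b64 = parts[:3]
        try:
            fp = ssh_fingerprint(key_b64)
        except ValueError:
            continue  # not valid base64, so not a key we can verify
        if pinned.get(ktype) == fp:
            accepted.append(line)
    return accepted

def write_known_hosts(lines, path):
    """Create ~/.ssh (the directory the OP found missing) and append the verified lines."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    with open(path, "a") as fh:
        fh.write("".join(line + "\n" for line in lines))

# Constructed sample data: a minimal ssh-ed25519 key blob and a copy with one byte changed.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

SAMPLE_KEY = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
TAMPERED_KEY = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(31)) + b"\xff")).decode()
PINNED = {"ssh-ed25519": ssh_fingerprint(SAMPLE_KEY)}  # in real use, paste the fingerprint the host publishes
SCAN_OUTPUT = (
    "# github.com:22 SSH-2.0-constructed\n"
    "github.com ssh-ed25519 " + SAMPLE_KEY + "\n"
    "github.com,192.0.2.10 ssh-ed25519 " + TAMPERED_KEY + "\n"
)

if __name__ == "__main__":
    ok = filter_pinned(SCAN_OUTPUT, PINNED)
    write_known_hosts(ok, os.path.expanduser("~/.ssh/known_hosts"))
    print("accepted %d of %d key lines" % (len(ok), 2))
```

In a real job, feed the captured output of ssh-keyscan into filter_pinned instead of SCAN_OUTPUT and keep the pinned fingerprints in the repo alongside the config.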
Hmm, looks like I can create the ~/.ssh directory… for some reason I thought I was getting access denied on that! I think I’m all set, then. Thanks!
Still seems like a surprising difference between the CLI and the “real thing” but I’ve got it figured out for now, and other folks can find this page if they have the same issue.
@eddiewebb I’m aware of that, but my issue was not being able to append to the known_hosts file which does not exist. Creating it seems to work just fine now.