Host fingerprint verification fails #275

Open
markgomez opened this issue Oct 17, 2023 · 10 comments

@markgomez

I'm unable to get host fingerprint verification to succeed. The following works (i.e., my SSH settings are proven to be correct since the workflow completes):

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: executing remote ssh commands using ssh key
        uses: appleboy/[email protected]
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSH_PASSPHRASE }}
          script_stop: true
          script: # ...

But when I add my remote server's public fingerprint...

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: executing remote ssh commands using ssh key
        uses: appleboy/[email protected]
        with:
          host: ${{ secrets.SSH_HOST }}
+         fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSH_PASSPHRASE }}
          script_stop: true
          script: # ...

...the workflow fails with the following message:

======END======
2023/10/17 02:28:35 ssh: handshake failed: ssh: host key fingerprint mismatch

I've triple-checked that I'm adding/saving the correct repo action secret, the output from the following command while logged into my remote server:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2

I've also checked against the following command:

ssh-keyscan <my_ssh_host> | ssh-keygen -lf -

The fingerprints are consistent with each other, so I'm not sure what's causing the mismatch. Any additional debugging steps I should try? My remote server is running Ubuntu 22.04.3 LTS.

@msalehipro

same problem

@csnyder616

Also encountering this issue. Remote server for me is Debian 12, so probably similar configuration to Ubuntu. I tried just about every permutation I could think of, and both RSA and ed25519 keys.

@thinkovation

I have the same problem - but it only occurs when I add an SCP command...

With SCP command...

image

With SCP commented out...
image

Here's my workflow source..

```yaml
# Step 1 V5
name: Deploy Go Program

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Copy assets and binary to remote server
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: ${{ secrets.SSH_PORT }}
          fingerprint: ${{ secrets.SSH_FINGERPRINT }}
          script: |
            # Remove existing binary and assets folder
            ls ~/
            rm -rf ~/test
            mkdir -p ~/test
            ls ~/test/
            touch /test/foo.md
            #scp -r test.md ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }}:/test
            ls ~/test/
```

@Jeff-Tian

I met the same issue, and thanks, @thinkovation, for the inspiration! I fixed it by removing the fingerprint option, as, by default, it's not needed.

The thing is that my scripts contain git pull, which causes the ssh fingerprint issue. So it's not about GitHub Actions connecting to the server; it's about the server not being able to contact the Git Origin.

So, I logged into the server and fixed that.

No need to add the fingerprint to the GitHub Actions secret.

@METACEO

METACEO commented May 11, 2024

I would appreciate knowing why this isn't working for me. I get the same issue in both appleboy/scp-action and appleboy/ssh-action.

I've tried following the docs with the ssh-keygen commands to print out the SHA256. I've tried a combination of the below, no luck.

Tried with the SHA256 prefix

SHA256:<hash here>

And tried without the SHA256 prefix

<hash here>

image

image

It'd be great to have some examples here for this extra security measure!

@kenjis

kenjis commented May 18, 2024

The same problem.

======END======
2024/05/18 10:53:48 ssh: handshake failed: ssh: host key fingerprint mismatch

According to #81 (comment), the correct format is just <hash algo>:<fingerprint>, e.g. SHA256:Bbf….
I tried it, but it does not work.

@Finn10111

I tried all mentioned suggestions but same for me, it doesn't work...

@shehata412

I had the same issue, and it was fixed when I SSH'd to the server and ran either git clone or git pull first, so that the fingerprint was saved on the server; then I ran my workflow.

Try that and let me know how it goes.

@codeAndxv

codeAndxv commented Nov 5, 2024

I encountered the same issue. Below is my solution. First, it's important to know that there are three types of fingerprints. Please check the /etc/ssh directory on the remote server to see if it contains rsa, ecdsa, and ed25519 key.pub files. I first tried rsa and ed25519, and finally switched to the ecdsa fingerprint, which successfully passed the verification.

I'm not sure what rules GitHub Actions uses to choose the validation algorithm. To avoid potential issues, I didn't choose to delete the other two algorithms and only kept one.

@Havunen

Havunen commented Jan 13, 2025

@codeAndxv's solution worked for me too. I was using the latest Azure VM Ubuntu 24.04 image and it automatically had the following public keys in the /etc/ssh folder:

ssh_host_ecdsa_key        ssh_host_ed25519_key      ssh_host_rsa_key          
ssh_host_ecdsa_key.pub    ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub      

generating the key for ssh_host_ecdsa_key.pub worked

user*****@******:~$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub | cut -d ' ' -f2
SHA256:fNN7*******************************************
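
An added example, not part of the thread and not appleboy/ssh-action code: a server has one fingerprint per host key type, so this Python sketch computes the OpenSSH SHA256 fingerprint of every key in `ssh-keyscan` or `*.pub` output and reports which key type a stored secret value belongs to, or whether it only lacks the `SHA256:` prefix. The host name, key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_host_keys(text: str) -> dict:
    """Map key type -> fingerprint for 'host type b64' (ssh-keyscan) or 'type b64 [comment]' (*.pub) lines."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in (0, 1):  # position of the key type field in either format
            if i + 1 >= len(fields):
                break
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            # The blob starts with a length-prefixed copy of the key type name.
            if blob[4:4 + int.from_bytes(blob[:4], "big")] == fields[i].encode():
                keys[fields[i]] = fingerprint_sha256(blob)
                break
    return keys

def diagnose(configured: str, keys: dict) -> tuple:
    """Say which host key type, if any, the stored fingerprint value belongs to."""
    want = configured.strip()  # a pasted secret can carry a trailing newline
    for ktype, fp in keys.items():
        if want == fp:
            return ("match", ktype)
        if want == fp.split(":", 1)[1]:
            return ("missing-prefix", ktype)
    return ("no-match", None)

def make_blob(ktype: str, body: bytes) -> str:
    """Build a constructed (not real) public key blob for the sample below."""
    parts = (ktype.encode(), body)
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return base64.b64encode(raw).decode()

# Constructed ssh-keyscan style sample: one line per host key type.
SAMPLE_KEYSCAN = "\n".join(
    f"host.example {t} {make_blob(t, bytes([seed]) * 32)}"
    for t, seed in (("ssh-rsa", 1), ("ecdsa-sha2-nistp256", 2), ("ssh-ed25519", 3)))
```

Against a real server, pass the text printed by `ssh-keyscan <my_ssh_host>` to `parse_host_keys` and the value stored in the secret to `diagnose`.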
