
I'm a bit confused. I'm trying to use a github action to SSH into my ec2 instance and do a deploy. I have the key (from ec2 console) saved as a secret in github as such:

    - name: Install SSH key
      uses: shimataro/ssh-key-action@v2
      with:
        key: ${{ secrets.COBOTSSH }}
        name: id_rsa
        known_hosts: ${{ secrets.KNOWN_HOSTS }}
    - name: ssh
      run: ssh ${{ secrets.USERNAME }}@${{ secrets.KNOWN_HOSTS }}

Unfortunately I get: Host key verification failed.

I've tried multiple SSH GitHub Action solutions, so I assume this is user error (shimataro is the gold standard). So I'm gonna be really specific as to what I did:

  1. Went to key pairs
  2. Created a new key pair and downloaded the pem file
  3. Copied the entire text of the pem file into the secret COBOTSSH
  4. Copied the DNS name of the EC2 instance into KNOWN_HOSTS (contrary to the variable name, it's just a single DNS entry)
  5. Logged into the box using SSH on my PuTTY terminal, created a user called X, and then put X into the USERNAME secret.

I assume this is erroring because it requires a password by default? But the error does not have any verbosity. How do I use the key from the EC2 console and still run commands like ssh-copy-id? Any line-by-line example of how to do this would be super appreciated - I am a Linux noob.
  • Try adding -o StrictHostKeyChecking=no to the command line, i.e. run: ssh -o StrictHostKeyChecking=no ${{ secrets.USERNAME }}@${{ secrets.KNOWN_HOSTS }} Commented Jan 16, 2021 at 17:28
  • Host key authentication precedes key-based authentication, and they are not the same. secrets.COBOTSSH will be used in the latter (key-based authentication), but the error message is telling you the process fails on host key verification, before it would be trying the COBOTSSH key. Commented Jan 16, 2021 at 17:34
  • I would just use AWS CodeDeploy for code deployment. It's robust and free. This SSH-type deployment has lots of problems IMHO. Commented Jan 16, 2021 at 18:20

1 Answer

As per the Q&A on the shimataro/ssh-key-action.

Host key verification failed.: Set known_hosts parameter correctly (use ssh-keyscan command).

The KNOWN_HOSTS secret should reflect what a known_hosts file looks like. known_hosts files contain SSH fingerprints of remote servers you've connected to before. An entry in the known_hosts file for a remote server can look something like this on Windows (on Ubuntu Linux the IP looks like gibberish, perhaps it's encrypted too):

3.25.10.23 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNosdfwecYTItbmlzdHAyNAAAIbmlzdHAyNTYAAABBBAets0ZEyan6q5K1Z7fiMcqpLLjtSGaqn5kwec2vXCdLumKdtWmJexjc1Q8U43COnEiOyEI9HSHBYqm5E1Rog=

The error is because you copied the EC2 DNS into the KNOWN_HOSTS secret, which is not the correct format. The EC2 DNS looks something like: ec2-3-5-30-213.ap-southeast-2.compute.amazonaws.com

To get the proper fingerprint you can open your known_hosts file in Notepad. On Windows it's in C:\Users\{YourUserName}\.ssh and on Linux (Ubuntu) it's in /home/{YourUserName}/.ssh.

You might be able to identify the remote server entry by the IP address. It wasn't there on mine, so I opened a terminal (on Windows or Linux) and did ssh {YourRemoteServerUser}@{YourRemoteServerIP}. It showed a fingerprint in the prompt (ignore it) and asked if I wanted to connect to the host. Click 'Yes' and it will store the SSH fingerprint in the known_hosts file for your OS. Then I simply opened the file and copied the entry into the KNOWN_HOSTS secret.

Note: shimataro outlines that using 'StrictHostKeyChecking=no' is not secure in most cases. See here.
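The answer above says the KNOWN_HOSTS secret must look like a known_hosts line, not a bare DNS name, and that the host field looks like "gibberish" on Ubuntu. The following is an added example, not code from the answer, from the question, or from shimataro/ssh-key-action, that shows what such a line actually contains: how to tell a real entry from a bare host name, how the SHA256 fingerprint that `ssh-keygen -lf` and the interactive ssh prompt print is derived from the key blob, and that the Ubuntu form is a salted HMAC-SHA1 hash of the host name (OpenSSH's HashKnownHosts option), not encryption. The host name, salt and 32-byte "public key" are constructed placeholders, so nothing here contacts a real server; on a real instance you would generate the secret with `ssh-keyscan -t ed25519 <host>` and paste its output into KNOWN_HOSTS.

```python
"""Added example: anatomy of a known_hosts entry.
Not part of the original answer; demo host/key/salt values are constructed."""
import base64
import hashlib
import hmac
import os
import struct

# Key types that appear in the second column of a known_hosts line.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the public-key blob that appears base64-encoded in the third column."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def parse_known_hosts_line(line: str):
    """Return (host_field, keytype, blob) for a valid entry, or None.
    A bare host name (what the question put in the secret) has no key type
    or key blob, so it is rejected here just as ssh rejects it."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return None
    # The blob starts with its own key type as an SSH string; it must match column 2.
    if not blob.startswith(ssh_string(parts[1].encode())):
        return None
    return parts[0], parts[1], blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` and the ssh prompt:
    base64 of SHA-256 over the raw key blob, with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form of the host field:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)).
    This is the 'gibberish' seen on Ubuntu; it hides the name but is not encryption."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(entry_host: str, host: str) -> bool:
    """Does the host field (plain, comma-separated list, or hashed) cover `host`?"""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, _ = entry_host.split("|")
        recomputed = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, entry_host)
    return host in entry_host.split(",")


# --- constructed demo data (placeholder host and key, not a real EC2 host key) ---
DEMO_HOST = "ec2-3-5-30-213.ap-southeast-2.compute.amazonaws.com"
DEMO_PUBKEY = bytes(range(32))  # stands in for a 32-byte ed25519 public key
DEMO_BLOB = make_ed25519_blob(DEMO_PUBKEY)
DEMO_LINE = "%s ssh-ed25519 %s" % (DEMO_HOST, base64.b64encode(DEMO_BLOB).decode())

if __name__ == "__main__":
    print("bare DNS name parses as:", parse_known_hosts_line(DEMO_HOST))
    host_field, ktype, blob = parse_known_hosts_line(DEMO_LINE)
    print("valid entry for", host_field, ktype, fingerprint(blob))
    hashed = hash_hostname(DEMO_HOST, os.urandom(20))
    print("hashed host field:", hashed, "matches:", host_matches(hashed, DEMO_HOST))
```

One caveat the answer's "click Yes" procedure glosses over: both the interactive prompt and `ssh-keyscan` trust whatever key the network presents on first contact. Before putting the scanned line into the secret, compare its fingerprint (the `fingerprint` value above, or `ssh-keygen -lf` on the scanned line) with the host key fingerprints the instance printed to its system log at first boot, which you can read from the EC2 console without an SSH connection.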
