Host fingerprint verification fails

[markgomez]

I'm unable to get host fingerprint verification to succeed. The following works (i.e., my SSH settings are proven to be correct since the workflow completes):

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: executing remote ssh commands using ssh key
        uses: appleboy/[email protected]
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSH_PASSPHRASE }}
          script_stop: true
          script: # ...

But when I add my remote server's public fingerprint...

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: executing remote ssh commands using ssh key
        uses: appleboy/[email protected]
        with:
          host: ${{ secrets.SSH_HOST }}
+         fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_KEY }}
          passphrase: ${{ secrets.SSH_PASSPHRASE }}
          script_stop: true
          script: # ...

...the workflow fails with the following message:

======END======
2023/10/17 02:28:35 ssh: handshake failed: ssh: host key fingerprint mismatch

I've triple-checked that I'm adding/saving the correct repo action secret, the output from the following command while logged into my remote server:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2

I've also checked against the following command:

ssh-keyscan <my_ssh_host> | ssh-keygen -lf -

The fingerprints are consistent with each other, so I'm not sure what's causing the mismatch. Any additional debugging steps I should try? My remote server is running Ubuntu 22.04.3 LTS.

[msalehipro]

same problem

[csnyder616]

Also encountering this issue. Remote server for me is Debian 12, so probably similar configuration to Ubuntu. I tried just about every permutation I could think of, and both RSA and ed25519 keys.

[thinkovation]

I have the same problem - but it only occurrs when I add an SCP command...

With SCP command...

With SCP commented out...

Here's my workflow source..

`# Step 1 V5
name: Deploy Go Program

on:
push:
branches:
- main

jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Copy assets and binary to remote server
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: ${{ secrets.SSH_PORT }}
fingerprint: ${{ secrets.SSH_FINGERPRINT }}
script: |
# Remove existing binary and assets folder
ls ~/
rm -rf ~/test
mkdir -p ~/test
ls ~/test/
touch /test/foo.md
#scp -r test.md ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }}:/test
ls ~/test/`

[Jeff-Tian]

I met the same issue, and thanks, @thinkovation, for the inspiration! I fixed it by removing the fingerprint option, as, by default, it's not needed.

The thing is that my scripts contain git pull, which causes the ssh fingerprint issue. So it's not about GitHub Actions connecting to the server; it's about the server can't contact the Git Origin.

So, I logged into the server and fixed that.

No need to add the fingerprint to the GitHub Actions secret.

[METACEO]

I would appreciate knowing why this isn't working for me. I get the same issue in both appleboy/scp-action and appleboy/ssh-action.

I've tried following the docs with the ssh-keygen commands to print out the SHA256. I've tried a combination of the below, no luck.

Tried with the SHA256 prefix

SHA256:<hash here>

And tried without the SHA256 prefix

<hash here>

It'd be great to have some examples here for this extra security measure!