support: GHES ssh-keyscan #767

lmussier opened this issue Jul 13, 2022 · 1 comment

lmussier commented Jul 13, 2022

Checklist

  • I am using the latest version of this action.
  • I have read the latest README and followed the instructions.
  • I have read the latest GitHub Actions official documentation and learned the basic spec and concepts.

Describe your question

Hi,

This is a question related to GHES support #580 (thanks for this)!
@mambax if you are still around, could you explain the purpose of the change in 3623583 near this line?

# ${getServerUrl().host}.com:22 SSH-2.0-babeld-1f0633a6

I'm in the process of switching to deploy keys in our GHES instance, and I was wondering how the ssh-keyscan is done via the action. My understanding is this is not done, and one has to perform the key scan 'outside'.

The issue with the current code is that it takes the target url (my GHES) and writes down the signature of the github.com RSA key.
Still, if I'm not mistaken, before #580 the intent was to append github.com to the list of known hosts.

Targeting GHES (obviously) leads to a different server url, and so the entry added to known_hosts is wrong.
We have GHES host with github.com key.

@peaceiris I don't think the solution proposed in #719 is a resolution, it is a workaround.
The issue here with deploy keys is that we do not add the right key.
Plus, the action should only add things inside known_hosts (in a GHES context this file might contain stuff you do not want to override).

Relevant links

- name: Deploy to GitHub Pages
  uses: peaceiris/[email protected]
  with:
    deploy_key: ${{ secrets.GH_PAGES_DEPLOY }}
    publish_dir: ./build
    user_name: github-actions[bot]
    user_email: 41898282+github-actions[bot]@users.noreply.github.com

Relevant log output

  /usr/bin/git push origin gh-pages
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  The RSA host key for XXXXXXX has changed,
  and the key for the corresponding IP address 10.236.176.162
  is unknown. This could either mean that
  DNS SPOOFING is happening or the IP address for the host
  and its host key have changed at the same time.
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  SHA256:o4C9b0Qg4Dqq..........................IP/nV+A.
  Please contact your system administrator.
  Add correct host key in /home/ghactions/.ssh/known_hosts to get rid of this message.
  Offending RSA key in /home/ghactions/.ssh/known_hosts:2
    remove with:
    ssh-keygen -f "/home/ghactions/.ssh/known_hosts" -R "XXXXXXXXXXXXX"
  RSA host key for XXXXXXXXXXXXXXXXXXX has changed and you have requested strict checking.
  Host key verification failed.
  fatal: Could not read from remote repository.

Additional context.

ssh keyscan toward github :

ssh-keyscan -t rsa github.com
# github.com:22 SSH-2.0-babeld-01b97e8f
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

Exactly what we have here

lmussier added the support label Jul 13, 2022

haroldo-bonette commented Sep 19, 2023

also having same problem... it is a big problem for us since we use shared runners and editing /etc/ssh/ssh_config is not an option
as a workaround defined here: #719
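
The behaviour requested in this issue, as an added example that is not the action's own code and not part of the thread: check the scanned GHES host key against a fingerprint obtained out of band, append it to known_hosts without touching other entries, and report existing entries that pin the host to a different key. The host names, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entries(text, host):
    """Yield (line, key_b64) for plain (unhashed) entries naming `host`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # blank, comment, marker, or hashed-hostname line
        if host in fields[0].split(","):
            yield line.strip(), fields[2]


def stale_entries(known_hosts, host, pinned_fp):
    """Existing lines that pin `host` to a key other than the expected one."""
    return [l for l, k in entries(known_hosts, host) if fingerprint(k) != pinned_fp]


def merge_known_hosts(known_hosts, scanned, host, pinned_fp):
    """Append scanned keys for `host` if they match `pinned_fp`; never rewrite."""
    accepted = []
    for line, key in entries(scanned, host):
        if fingerprint(key) != pinned_fp:
            raise ValueError(f"scanned key for {host} does not match the pin")
        accepted.append(line)
    if not accepted:
        raise ValueError(f"no key for {host} in scan output")
    present = {l.strip() for l in known_hosts.splitlines()}
    new = [l for l in accepted if l not in present]
    if not new:
        return known_hosts  # already pinned: leave the file untouched
    sep = "" if not known_hosts or known_hosts.endswith("\n") else "\n"
    return known_hosts + sep + "\n".join(new) + "\n"


# Constructed sample data; none of these are real host keys.
HOST = "ghes.example.internal"
GHES_KEY = base64.b64encode(b"constructed GHES host key").decode()
WRONG_KEY = base64.b64encode(b"constructed key of some other server").decode()
PIN = fingerprint(GHES_KEY)  # in practice: fingerprint obtained out of band
EXISTING = f"cache.example.internal ssh-rsa {WRONG_KEY}\n{HOST} ssh-rsa {WRONG_KEY}\n"
SCANNED = f"# {HOST}:22 SSH-2.0-babeld-constructed\n{HOST} ssh-rsa {GHES_KEY}\n"
```

`stale_entries(EXISTING, HOST, PIN)` returns the line that pairs the GHES host name with another server's key, which is the mismatch the log output above reports. The pin covers one key type, so the scan should be limited to that type (for example `-t rsa`, as in the post).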
