ssh-action
ssh-action copied to clipboard
appleboy
Host fingerprint verification fails
I'm unable to get host fingerprint verification to succeed. The following works (i.e., my SSH settings are proven to be correct since the workflow completes):
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using ssh key
uses: appleboy/[email protected]
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
key: ${{ secrets.SSH_KEY }}
passphrase: ${{ secrets.SSH_PASSPHRASE }}
script_stop: true
script: # ...
But when I add my remote server's public fingerprint...
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: executing remote ssh commands using ssh key
uses: appleboy/[email protected]
with:
host: ${{ secrets.SSH_HOST }}
+ fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
username: ${{ secrets.SSH_USER }}
key: ${{ secrets.SSH_KEY }}
passphrase: ${{ secrets.SSH_PASSPHRASE }}
script_stop: true
script: # ...
...the workflow fails with the following message:
======END======
2023/10/17 02:28:35 ssh: handshake failed: ssh: host key fingerprint mismatch
I've triple-checked that I'm adding/saving the correct repo action secret, the output from the following command while logged into my remote server:
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub | cut -d ' ' -f2
I've also checked against the following command:
ssh-keyscan <my_ssh_host> | ssh-keygen -lf -
The fingerprints are consistent with each other, so I'm not sure what's causing the mismatch. Any additional debugging steps I should try? My remote server is running Ubuntu 22.04.3 LTS.
Also encountering this issue. Remote server for me is Debian 12, so probably similar configuration to Ubuntu. I tried just about every permutation I could think of, and both RSA and ed25519 keys.
I have the same problem - but it only occurrs when I add an SCP command...
With SCP command...
With SCP commented out...
Here's my workflow source..
`# Step 1 V5 name: Deploy Go Program
on: push: branches: - main
jobs: deploy: runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v2 - name: Copy assets and binary to remote server uses: appleboy/ssh-action@master with: host: ${{ secrets.SSH_HOST }} username: ${{ secrets.SSH_USERNAME }} key: ${{ secrets.SSH_PRIVATE_KEY }} port: ${{ secrets.SSH_PORT }} fingerprint: ${{ secrets.SSH_FINGERPRINT }} script: | # Remove existing binary and assets folder ls ~/ rm -rf ~/test mkdir -p ~/test ls ~/test/ touch ~/test/foo.md #scp -r test.md ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }}:~/test ls ~/test/`
I met the same issue, and thanks, @thinkovation, for the inspiration! I fixed it by removing the fingerprint option, as, by default, it's not needed.
The thing is that my scripts contain git pull, which causes the ssh fingerprint issue. So it's not about GitHub Actions connecting to the server; it's about the server can't contact the Git Origin.
So, I logged into the server and fixed that.
No need to add the fingerprint to the GitHub Actions secret.
I would appreciate knowing why this isn't working for me. I get the same issue in both appleboy/scp-action and appleboy/ssh-action.
I've tried following the docs with the ssh-keygen commands to print out the SHA256. I've tried a combination of the below, no luck.
Tried with the SHA256 prefix
SHA256:<hash here>
And tried without the SHA256 prefix
<hash here>
It'd be great to have some examples here for this extra security measure!
The same problem.
======END======
2024/05/18 10:53:48 ssh: handshake failed: ssh: host key fingerprint mismatch
According to https://github.com/appleboy/ssh-action/issues/81#issuecomment-750937443
the correct format is just <hash algo>:<fingerprint> eg: SHA256:Bbf….
I tried it, but it does not work.
