skip to Main Content

I have added the github.com SSH Key to /etc/ssh/ssh_known_hosts. But when I run

git clone [email protected]:me/repo

I still get

Cloning into 'repo'...
The authenticity of host 'github.com (XXX.XXX.XXX.XXX)' can't be established.
RSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)?
  • If I add the key to ~/.ssh/known_hosts it works as expected, no prompt.
  • I am running this on a debian machine.
  • I would like this to work directly using file /etc/ssh/ssh_known_hosts as there are several users.
  • I also can’t type 'yes', because this is running in puppet.
  • For security reasons we can’t use StrictHostKeyChecking = no.
  • I have no ~/.ssh/config file.
  • (edit) I have also restarted sshd since modifying /etc/ssh/ssh_known_hosts.

How do I force git to use /etc/ssh/ssh_known_hosts?

Edit 1:

This is the file /etc/ssh/ssh_config (and ~/.ssh/config doesn’t exist):

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

and this is my /etc/ssh/ssh_known_hosts:

# HEADER: This file was autogenerated at 2020-12-31 10:33:06 +0000
# HEADER: by puppet.  While it can still be managed manually, it
# HEADER: is definitely not recommended.
gerrit.wikimedia.org ssh-rsa AAAAB3Nz[...]
github ssh-rsa AAAAB3NzAAAAB3Nz[...]

Edit 2:

all have read permissions on /etc/ssh/ssh_known_hosts:

vagrant@vagrant:~$ ls -la /etc/ssh/ssh_known_hosts 
-rw-r--r-- 1 root root 795 Dec 31 10:33 /etc/ssh/ssh_known_hosts

2

Answers


  1. This is definitely an SSH problem. The SSH(1) man page states:

    ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with. Host keys are stored in ~/.ssh/known_hosts in the user’s home directory. Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts.

    Your issue might be that the un-elevated user cannot read the /etc/ssh/ssh_known_hosts file.

    There is a caveat to ssh where if you run something like sudo ssh-keygen -R domain.com, it can modify your existing /etc/ssh/ssh_known_hosts/ file to be only readable by root. (-rw------- root root). You might want to use chown or chmod to change permissions of this file to make sure it is readable without root privileges.

    sudo chmod +r /etc/ssh/ssh_known_hosts
    
    Login or Signup to reply.
  2. Your known hosts file is incorrectly formatted. The first entry in each line is the name of the system you’re connecting to. In this case, that needs to be github.com, not a plain github. This is the technique that OpenSSH uses to find the appropriate key.

    You can find the correct format by using ssh-keyscan github.com.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search