Errata: The old keys describing github in my ~/.ssh/known_hosts have not been left by ssh-agent. Instead it seems to be a "normal behaviour" of git to add the github key again cryptically once a project is cloned locally... Not sure (just because I blamed ssh-agent)
Neil Young wrote on Friday, 24 March 2023 at 13:43:43 UTC+1:

> Thanks. I quoted this in my original post.
>
> Meanwhile this is the way I found and it made the ssh-agent deployment run
> on 5+ machines again:
>
> - Remove everything from the target hosts ~/.ssh/known_hosts
> - Follow the suggestions given in the blog entry to add the new github
>   keys
>
> Simon Kelly wrote on Friday, 24 March 2023 at 13:41:24 UTC+1:
>
>> You can find out more about why this happened on this Github blog:
>> https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
>>
>> *Simon Kelly*
>>
>> Senior Director of Server Engineering
>>
>> Dimagi | www.dimagi.com
>>
>>
>> On Fri, 24 Mar 2023 at 14:37, 'Neil Young' via Ansible Project <
>> [email protected]> wrote:
>>
>>> OK, maybe a solution (workaround?)
>>>
>>> I got another error message later, which clarified the failing command:
>>>
>>> FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote
>>> [email protected]:xxxxxxxxxxx.git -h refs/heads/HEAD", "
>>>
>>> So I ssh'ed to the machine and issued exactly this command:
>>>
>>> The response led me to an offending, but not obvious "known_host" entry
>>> (which obviously described "github.com"), maybe left by "ssh-agent"
>>> (hmm, didn't know that. Shouldn't be left there I guess).
>>>
>>> Warning: the ECDSA host key for 'github.com' differs from the key for
>>> the IP address '140.82.121.3'
>>>
>>> Offending key for IP in /home/ubuntu/.ssh/known_hosts:2
>>>
>>>
>>> I removed this entry in line 2 and it worked. So the fix is: Remove
>>> everything from your .ssh/known_hosts which looks like remains from
>>> ssh-agent. It might trap the github auth.
>>>
>>>
>>> Neil Young wrote on Friday, 24 March 2023 at 13:28:10 UTC+1:
>>>
>>>> To be specific: I'm unable to execute this (and maybe many other lines
>>>> as well) now. I can update the project with manual git command on the
>>>> target host, but not with Ansible from my machine:
>>>>
>>>> - name: SOFTWARE - Clone xxx-project (run as non-privileged user)
>>>>   tags: software
>>>>   git:
>>>>     repo: "{{ xxx_procect_git_repo_clone_url }}"
>>>>     dest: xxx-project
>>>>     force: yes
>>>>   become: yes
>>>>   become_user: "{{ non_root_user }}"
>>>>
>>>>
>>>> Neil Young wrote on Friday, 24 March 2023 at 13:20:26 UTC+1:
>>>>
>>>>> Hi,
>>>>>
>>>>> This morning I noticed this error while attempting to update a project
>>>>> on my server via `git clone` (I'm using Ansible's ssh-agent-forwarding,
>>>>> which worked fine for months)
>>>>>
>>>>> <quote>
>>>>>
>>>>> "Failed to download remote objects and refs:
>>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>>>> Someone could be eavesdropping on you right now (man-in-the-middle
>>>>> attack)!
>>>>> It is also possible that a host key has just been changed.
>>>>> The fingerprint for the RSA key sent by the remote host is
>>>>> SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
>>>>> Please contact your system administrator.
>>>>> Add correct host key in /home/ubuntu/.ssh/known_hosts to get rid of
>>>>> this message.
>>>>> Offending RSA key in /home/ubuntu/.ssh/known_hosts:1
>>>>> remove with:
>>>>> ssh-keygen -f \"/home/ubuntu/.ssh/known_hosts\" -R \"github.com\"
>>>>> RSA host key for github.com has changed and you have requested
>>>>> strict checking.
>>>>> Host key verification failed.
>>>>> fatal: Could not read from remote repository.
>>>>> Please make sure you have the correct access rights
>>>>> and the repository exists.
>>>>>
>>>>> </quote>
>>>>>
>>>>> The fix didn't solve the problem, just changed the error message:
>>>>>
>>>>> <quote>
>>>>>
>>>>> TASK [SOFTWARE - Clone xxx-project (run as non-privileged user)]
>>>>> ********************************************************************************************************************************
>>>>> fatal: [server]: FAILED! => {"changed": false, "cmd": ["/usr/bin/git",
>>>>> "fetch", "--tags", "--force", "origin"], "msg": "Failed to download
>>>>> remote objects and refs: Host key verification failed.\r\nfatal: Could
>>>>> not read from remote repository.\n\nPlease make sure you have the
>>>>> correct access rights\nand the repository exists.\n"}
>>>>>
>>>>> </quote>
>>>>>
>>>>> I then discovered this blog entry which states that Github updated
>>>>> their RSA SSH key this morning:
>>>>>
>>>>> https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
>>>>>
>>>>> Now, everything they suggest works somehow. But it doesn't fix the
>>>>> problem that I'm unable to clone my project on the target machine.
>>>>>
>>>>> Anybody having the same issue and maybe a solution?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/641ada68-9fe0-4103-8a25-f09871ef42e1n%40googlegroups.com.
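
The workaround in this thread depended on spotting a stale github.com key that was stored under an IP address rather than the host name. As an added example, not written by anyone in the thread, this Python script lists known_hosts entries for a host name or IP (hashed entries included) whose key differs from a pinned fingerprint. The sample file, key blobs and helper names are constructed; the pinned value is the RSA fingerprint printed in the error output quoted above.

```python
import base64, hashlib, hmac

# New GitHub RSA host key fingerprint, copied from the error output in this thread.
PINNED = {"ssh-rsa": "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"}

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def covers(host_field, name):
    """True if a known_hosts host field names `name` (plain list or hashed)."""
    if host_field.startswith("|1|"):  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, name)
        _, _, salt, mac = host_field.split("|")
        calc = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return name in host_field.split(",")  # simplification: no wildcards or [host]:port

def stale_entries(text, names, pinned=PINNED):
    """Return (line_no, name, key_type, fingerprint) for entries that cover one of
    `names` with a pinned key type but a fingerprint other than the pinned one."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host_field, key_type, blob = fields[:3]
        fp = fingerprint(blob)
        for name in names:
            if covers(host_field, name) and key_type in pinned and fp != pinned[key_type]:
                hits.append((no, name, key_type, fp))
    return hits

def blob(label):  # constructed stand-in for a key blob, not a real key
    return base64.b64encode(label.encode()).decode()

def hashed(name, salt=b"constructed-salt-20b"):  # builds a hashed host field
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample file: line 2 is keyed by IP only, line 3 is hashed.
SAMPLE = "\n".join([
    "github.com ssh-rsa " + blob("old-rsa-key"),
    "140.82.121.3 ssh-rsa " + blob("old-rsa-key"),
    hashed("github.com") + " ssh-rsa " + blob("old-rsa-key"),
    "github.com ssh-ed25519 " + blob("ed25519-key"),
])
```

Calling `stale_entries(SAMPLE, ["github.com", "140.82.121.3"])` reports lines 1 to 3; key types without a pinned fingerprint, such as the Ed25519 entry on line 4, are not judged.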
