Format of known_hosts

[wandt0n]

If I run
- run: for ip in $(dig @8.8.8.8 gitlab.evilcorp.de +short);
do ssh-keyscan gitlab.evilcorp.de,$ip; ssh-keyscan $ip; done

And paste the output:
#gitlab.evilcorp.de:22 SSH-2.0-OpenSSH_8.2p1
gitlab.evilcorp.de,IP ssh-ed25519 AAA...
gitlab.evilcorp.de,IP ssh-rsa AAA...
IP ssh-ed25519 AAA...
IP ssh-rsa AAA...

... to GIT_SSH_KNOWN_HOSTS, mirror-action fails with:

Host key verification failed.
fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

BUT if I run mirror-action with GIT_SSH_NO_VERIFY_HOST: "true" it runs without errors.

I also pulled my repo to my machine, accepted the fingerprint and copied the .ssh/known_hosts to my secrets. The according file was differently formatted (|1| 3Wm...=|z+s...= ecdsa-sha2-nistp256 PubKey) but also won't work.

Any suggestions on how to fix this?

P.S. My Script:
steps:
- uses: actions/checkout@v1
- uses: spyoungtech/mirror-action@master
with:
REMOTE: 'ssh://git@gitlab.evilcorp.de/group/repo.git'
GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
GIT_SSH_KNOWN_HOSTS: ${{ secrets.GIT_SSH_KNOWN_HOSTS }}
DEBUG: "true"

[spyoungtech]

Sorry to have missed this for so long, I thought I definitely responded to this before.

The GIT_SSH_KNOWN_HOSTS is simply the contents of a known_hosts file. The action simply dumps the variable contents directly into a file and the ssh configuration is told to use that file.

So, you just need to follow the standard convention. You can probably just copy/paste the host from your own known_hosts file for whichever host you're using.

The format is like

<host> <key format> <key>

For example for GitHub.com you can use this:

github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

[simtrami]

Hello, I encounter the same issue @catchMyException described, using a copy of my own know_hosts file or the result of the ssh-keyscan -p <port> <hostname> command. The format matches what you said, still I can only seem to be able to push by using the GIT_SSH_NO_VERIFY_HOST parameter.

Copying what is in GIT_SSH_KNOWN_HOSTS to a known_hosts file via echo "<content>" > known_hosts and executing manually what your GH action does is working fine (and passing it an empty known_hosts fails, as expected).

ssh <user>@<host> -p <port> -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=known_hosts

I'll take a look at your code to see whether a quick fix is possible for me to PR.

My GH workflow:

name: Mirror the repository
on:
  push:
    branches: [ main ]
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: 'Mirror'
        uses: spyoungtech/mirror-action@master
        with:
          REMOTE: ${{ secrets.REMOTE }}
          GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
          GIT_SSH_KNOWN_HOSTS: ${{ secrets.GIT_SSH_KNOWN_HOSTS }}
#          GIT_SSH_NO_VERIFY_HOST: "true"
          DEBUG: "true"

[simtrami]

I found what the problem was and made a PR.

Using non-explicit path for the git config --global core.sshCommand parameter resulted in the known_hosts file not to be found (I guess). I replaced the ~ with the actual path /github/home. You might want to put the resolution of ~ in a variable and concatenate it instead of hard coding it as I did: Github could change the home path and therefore break the script.

Check the PR #19

I would be very glad if you could accept it soon as I will have to GIT_SSH_NO_VERIFY_HOST in the mean time.
Thank you for your efforts, this GH action is very handy!

[divialth]

any update on this issue?