
I'm using a startup-script on Google Cloud Compute.

The goal of the script is to clone a private repo from Github at startup time of the compute server.

To authenticate, I have a public deploy key for this one repo. The private deploy key is passed to the script at startup time.

... # Some action where the private key is passed in

chmod u=rw,go= "${WORKING_DIR_PATH}/github_pri_deploy_key"  # ssh-add refuses a key that is readable by others
eval "$(ssh-agent -s)"  # Start ssh-agent in the background
ssh-add "${WORKING_DIR_PATH}/github_pri_deploy_key"
ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts  # the redirect cannot create /root/.ssh if that directory does not exist yet

The issue I'm running into is the /root/.ssh/known_hosts file is inaccessible during startup time.

So I get an error in the logs saying Host key validation failed.

What I tried

I've tried creating the file manually, but it's the same issue, since the root user couldn't create the file.

I was able to get the desired result of adding the host key when, after the machine starts up, I ssh into the machine and perform the task manually.

My startup-script is run as root, as that is the only option on GCP Compute. But if it's running as root, why can't ssh-keyscan append to the /root/ file?

This is the best I can illustrate since the repo is private. Thank you.

    I am posting a comment instead of an answer as I have not tested this recently. Git supports the environment variable `GIT_SSH_COMMAND`. If set, git will use the specified command for `git pull`. Try this in your startup script: `GIT_SSH_COMMAND="ssh -i /path/to/private-key" git pull` Docs: https://git-scm.com/docs/git Make sure the permissions for the private key file are read-only (400). – John Hanley Jun 20 '21 at 23:28
  • @JohnHanley thank you! I prefer not to use env variables but your answer actually gave me an idea to use this approach: `sudo -i mkdir /root/.ssh/; sudo touch /root/.ssh/known_hosts; ssh-keyscan -t rsa github.com | sudo tee -a /root/.ssh/known_hosts` – engineer-x Jun 21 '21 at 00:37

1 Answer


`Host key validation failed` is more about the `known_hosts` than the private key.

`ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts` should have taken care of it, provided `/root` is indeed used.

That is why, for testing, setting `GIT_SSH_COMMAND` to `ssh -Tv` would give you an idea of what is actually used during your SSH commands, and show whether your startup script was effective or not.


Warning March 2023:

"GitHub has updated its RSA SSH host key"


VonC
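Putting the answer's points together as an added example (this is not code from the question, the comments or the answer): a startup-script fragment that creates /root/.ssh itself before writing known_hosts (a bare redirect cannot create the missing parent directory, which is what the question runs into), pins GitHub's published host key instead of trusting whatever ssh-keyscan happens to receive at boot, and drives git through GIT_SSH_COMMAND with the deploy key and that known_hosts file named explicitly, so the clone works no matter which $HOME the script runs under and no ssh-agent is needed. The directory /opt/bootstrap, the repository example-org/example-repo and the checkout path /opt/app are placeholders; the pinned Ed25519 line is GitHub's published key at the time of writing and must be checked against GitHub's "SSH key fingerprints" documentation before use (the March 2023 RSA rotation above is exactly why a pinned key needs an owner).

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# GCE startup-script fragment for cloning a private GitHub repo with a deploy key:
#   1. create /root/.ssh ourselves: "> /root/.ssh/known_hosts" cannot create the
#      missing parent directory, which is the failure behind the question
#   2. pin GitHub's published host key instead of running ssh-keyscan at boot
#      (a keyscan trusts whoever answers, so it is not host verification)
#   3. run git with GIT_SSH_COMMAND so the key and known_hosts file are explicit
set -e

# Placeholders (assumptions): where an earlier step of the script put the key,
# which repository to clone, and where to put the checkout.
WORKING_DIR_PATH="${WORKING_DIR_PATH:-/opt/bootstrap}"
DEPLOY_KEY="${WORKING_DIR_PATH}/github_pri_deploy_key"
REPO="${REPO:-git@github.com:example-org/example-repo.git}"
CHECKOUT="${CHECKOUT:-/opt/app}"

# GitHub's published Ed25519 host key as of writing. Verify it against GitHub's
# "SSH key fingerprints" documentation before relying on it; add the RSA or
# ECDSA lines as well if your ssh client is restricted to those key types.
GITHUB_HOST_KEYS='github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl'

# install_known_hosts HOME_DIR KEY_LINES
# Creates HOME_DIR/.ssh (0700) and writes KEY_LINES into a fresh known_hosts
# (0644). Prints the path of the file it wrote.
install_known_hosts() {
    home_dir="$1"
    key_lines="$2"
    mkdir -p "${home_dir}/.ssh"
    chmod 0700 "${home_dir}/.ssh"
    printf '%s\n' "${key_lines}" > "${home_dir}/.ssh/known_hosts"
    chmod 0644 "${home_dir}/.ssh/known_hosts"
    printf '%s\n' "${home_dir}/.ssh/known_hosts"
}

# known_hosts_ok FILE HOST
# Succeeds if HOST has an unhashed entry in FILE. Run before git so a missing
# pin fails with a clear message instead of ssh's "Host key verification failed".
known_hosts_ok() {
    awk -v host="$2" '
        $1 !~ /^[#@|]/ {                      # skip comments, markers, hashed entries
            n = split($1, names, ",")         # "github.com,140.82.112.3" style entries
            for (i = 1; i <= n; i++) if (names[i] == host) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# ssh_command_for KEY KNOWN_HOSTS
# Value for GIT_SSH_COMMAND: explicit identity only (no agent lookup), strict
# checking so an unpinned host key fails instead of being added silently, and a
# fixed known_hosts path so it does not matter which $HOME the script runs under.
ssh_command_for() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1" "$2"
}

clone_private_repo() {
    chmod 0400 "${DEPLOY_KEY}"
    kh="$(install_known_hosts /root "${GITHUB_HOST_KEYS}")"
    if ! known_hosts_ok "${kh}" github.com; then
        echo "github.com is not pinned in ${kh}; refusing to clone" >&2
        return 1
    fi
    GIT_SSH_COMMAND="$(ssh_command_for "${DEPLOY_KEY}" "${kh}")" \
        git clone --depth 1 "${REPO}" "${CHECKOUT}"
}

# Clone only when the deploy key is actually present, so the functions above can
# be sourced and exercised on a machine with no key and no network access.
if [ -f "${DEPLOY_KEY}" ]; then
    clone_private_repo
else
    echo "no deploy key at ${DEPLOY_KEY}; skipping clone" >&2
fi
```

Run it as the GCE startup-script (root) after the step that writes the deploy key. Because the host key is pinned in the script rather than fetched at boot, rotating it is a deliberate change you review, and an instance that boots against an impostor fails closed instead of learning the wrong key.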