
I was migrating a service from one server to another. After testing everything we went ahead and updated CI, but it couldn't do the tunneling we required via ssh anymore. We went through all the usual suspects, checking syslog and the /etc/ssh/sshd_config parameters. Everything appeared okay.

In our case the CI we were using was Bitbucket Pipelines, but I think this is likely to happen in any continuous integration solution since it's more an ssh thing. This might be happening to you if you're seeing something like this:

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I1Jbni6WLT89FOUyYALAC+thfmPw4m9XBiXHFnlUaCQ
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
darrin

1 Answer


It turns out that while I'd copied the RSA keys onto the CI user on the new server, ssh is a bit smarter than that and checks the host against known hosts. In Bitbucket you need to register pipeline SSH keys under Repository Settings / Pipelines / SSH Keys. This section allows you to set up an SSH key as you'd expect, BUT you also need to ensure you've updated the Known Hosts section. This is what I missed. Once I added the fingerprint for the new host everything began working.

Others have suggested here that you might be able to set StrictHostKeyChecking to no in your ~/.ssh/config file, which might work in the event that your CI provider doesn't have a similar mechanism, and this is where I was headed next.

DharmanBot
darrin
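The check the answer describes, as an added Python example that is not part of the original post or of Bitbucket's tooling: it parses a known_hosts file, derives the same "SHA256:..." fingerprint ssh prints in the debug output above, and reports whether the key a server presents matches the pinned entry (which is what StrictHostKeyChecking enforces, and what a CI "Known Hosts" section feeds). The hostname and the 32 key bytes are constructed sample values, not a real key.

```python
import base64
import hashlib


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample known_hosts entry: an ssh-ed25519 key blob built from 32
# arbitrary bytes (NOT a real key) for a made-up hostname.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = (
    "new-server.example.com ssh-ed25519 "
    + base64.b64encode(_SAMPLE_BLOB).decode()
    + "\n"
)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> fingerprint for every plain entry in a known_hosts file.

    Hashed ('|1|...') entries and '@cert-authority' / '@revoked' marker lines are
    skipped here; hashed entries can only be tested against a hostname, not listed.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):  # one line may list several host aliases
            entries[(host, ktype)] = fingerprint(blob)
    return entries


def host_key_matches(known_hosts: str, host: str, ktype: str, seen_fp: str) -> bool:
    """True only if the fingerprint the server presented equals the pinned one for that host and key type."""
    return parse_known_hosts(known_hosts).get((host, ktype)) == seen_fp
```

On a real machine `ssh-keygen -l -f ~/.ssh/known_hosts` prints the same SHA256 fingerprints, so the value seen in the "Server host key:" debug line can be compared against it before it is added to a CI provider's Known Hosts list.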