2

I know similar questions have been asked many times, but there's a difference here:

Trying to clone project from cpanel shared hosing server:

If tried with this command sudo git clone ssh://mlbrpkxs@mlbranch.com:21098/home/mlbrpkxs/unified.mlbranch.com it show the following error.

Cloning into 'unified.mlbranch.com'...
Unable to negotiate with 63.250.38.32 port 21098: no matching host key type found. Their offer: ssh-rsa,ssh-dss
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Then if found a solution here and try to clone with this command.

sudo GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss" git clone ssh://mlbrpkxs@mlbranch.com:21098/home/mlbrpkxs/unified.mlbranch.com

 Cloning into 'unified.mlbranch.com'...
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 It is also possible that a host key has just been changed.
 The fingerprint for the DSA key sent by the remote host is
 SHA256:hSIV2UEWbLuZQu2gkNaYNYxfmOd59VGlaNwXI85P+fA.
 Please contact your system administrator.
 Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
 Offending RSA key in /var/root/.ssh/known_hosts:1
 Host key for \[mlbranch.com\]:21098 has changed and you have requested strict checking.
 Host key verification failed.
fatal: Could not read from remote repository.

The most relevant question I found is here, which is closed as a duplicate of this one which itself is closed as off-topic. But they're not the same anyway. Another related question is asked here.

In most cases, as we know, you can fix the problem by replacing the server key, for example by running:

ssh-keygen -R <host>

In my case:

ssh-keygen -R "[mlbranch.com]:21098"

But neither this solution, nor removing the offending key from the file ~/.ssh/known_hosts did solve my problem.

I have clean all of my known_hosts recommend by an answer by stackOver flow. Now I am completely stucked and unable to find any solution how can I resolve this issue.

Please note that I am using Mac book and my code is on a shared hosting that is using the Cpanel. On my other Mac's I can get the clone.

Qazi Ammar
  • 953
  • 1
  • 8
  • 23
  • You run `sudo git clone` as root (which you shouldn't do in the 1st place) hence all your other commands must be run as root (with `sudo`): `sudo ssh-keygen -R `, etc. But better do not use `sudo` — it's not required for GIt operations. `~` with `sudo` mens `/root/` directory, not your home. – phd Nov 24 '22 at 10:46
  • 1
    Its not run the command if I did't enter `sudo` – Qazi Ammar Nov 24 '22 at 10:54
  • 2
    That should be fixed and then you can avoid `sudo`. – phd Nov 24 '22 at 11:10
  • Related re: removing old host keys ["Warning: Remote Host Identification Has Changed" — Did GitHub change their RSA key?](https://stackoverflow.com/q/75830783) - some answers there mention removing based on IP address as well as hostname, since ssh may add records for those as well. – Peter Cordes Mar 26 '23 at 23:00

2 Answers2

2

Check first where is your private key.

If it is in /home/aUser/.ssh, then sudo xxx will ignore it completely.
You would need sudo ssh -i /home/aUser/.ssh/myPrivateKey mlbrpkxs@mlbranch.com:21098 if you have to use root.

With Git:

sudo "GIT_SSH_COMMAND="ssh -oHostKeyAlgorithms=+ssh-dss -i /home/aUser/.ssh/myPrivateKey" git clone ssh://mlbrpkxs@mlbranch.com:21098/home/mlbrpkxs/unified.mlbranch.com

The best practice, however, is to avoid sudo except for system admin commands.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • I am facing the same issue, Once I run ` sudo ssh -i /home/aUser/.ssh/myPrivateKey... ` then its showing me this error, ` not accessible: No such file or directory` – Naqvi Nov 25 '22 at 09:11
  • 1
    @Naqvi Did you replace "`myPrivateKey`" by your actual private key? And remove last three dots (`...`), just for testing the SSH access? – VonC Nov 25 '22 at 09:15
  • Yes I have replace it with my private key, and I use this command to find my private key `/Users/naqvi/.ssh/id_rsa` – Naqvi Nov 25 '22 at 09:18
  • 1
    @Naqvi I have edited the answer to use the parameters from the question. Why use `sudo` though in your case? – VonC Nov 25 '22 at 09:18
  • if I did't enter the sudo keyword its shows me this error ` Permission denied` – Naqvi Nov 25 '22 at 09:26
  • 1
    @VonC its some me the same error of permission if I use it without sudo. – Qazi Ammar Nov 25 '22 at 09:37
  • @Naqvi Then change the permission of the current folder you are in, in order for your user to have the right to write in it. – VonC Nov 25 '22 at 09:38
  • @QaziAmmar Perfect, no need for sudo then. You get the "no matching host key type found"? – VonC Nov 25 '22 at 09:40
  • if I did't enter sudo then its shows this complete error, `fatal: could not create work tree dir 'mywebsites.com': Permission denied ` – Naqvi Nov 25 '22 at 09:45
  • @Naqvi Hence the sudo chown, to make sure your current folder is owner by your current user. – VonC Nov 25 '22 at 09:59
1

Github just have updated the RSA SSH host key recently!

At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.

To fix that, just add the new RSA SSH host key to .ssh/known_hosts file.

Remove the old key by running this command:

$ ssh-keygen -R github.com

And add this to file .ssh/known_hosts

echo "github.com ssh-rsa <OMITTED KEY>" >> ~/.ssh/known_hosts

If you prefer do it manually

github.com ssh-ed25519 <OMITTED KEY>
github.com ssh-rsa <OMITTED KEY>

Or only this, if others not needed.

github.com ssh-rsa <OMITTED KEY>

Keys from source here: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

Emanuel Braz
  • 364
  • 2
  • 8
  • 1
    Link to github announcement: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ – daggerhart Mar 24 '23 at 12:51
  • 1
    PSA to anyone reading: don't copy/paste any of the keys mentioned in the answer - go to the official source for it – Prateek Madhikar Mar 24 '23 at 21:00
  • For GitHub specifically, see ["Warning: Remote Host Identification Has Changed" — Did GitHub change their RSA key?](https://stackoverflow.com/q/75830783). (A moderator deleted a cross-posted copy of this answer there; they should have deleted this copy of it, since it's about the specific case of github, not this question. And this answer doesn't address CPanel.) Also, don't tell people to copy/paste keys from Stack Overflow or other sources that don't have a chain of trust leading back to the original owners. It's not good security hygiene. – Peter Cordes Mar 26 '23 at 22:58
  • I understand your concerns, and I added the ORIGINAL SOURCE AS PART OF THE ANSWER, as you can see in the original answer. I gonna edit answer, just to omit them, to avoid misunderstanding – Emanuel Braz Mar 28 '23 at 16:26