Host key verification failed for private repository #65

Open
kpcallplus opened this issue Dec 31, 2015 · 14 comments

@kpcallplus

I am getting the below error when I am running /deploy.php from the browser or if I push anything to the repository.

$ git clone --depth=1 --branch master [email protected]:myrepository.git /tmp/spgd-8fbc87725193f8667aff13a1372edd28/
Cloning into '/tmp/spgd-8fbc87725193f8667aff13a1372edd28'...
Host key verification failed.
fatal: Could not read from remote repository.

When I run $ git clone --depth=1 --branch master [email protected]:myrepository.git /tmp/spgd-8fbc87725193f8667aff13a1372edd28/ directly in the terminal, it's cloning the repository without any error.

I have also referred to #9 but it didn't help.

@orendecor

Is there any solution?
I have the same problem

@kpcallplus

No luck. Please do post here if you find any solution.

@gotlisch

gotlisch commented Jan 3, 2016

I'm having the same issue... have set up the SSH key and everything but no luck. Works a charm on public projects but that's no good to me.

@orendecor

I found out why it doesn't work - basically it is because git sends a message to deploy.php and then apache is trying to run "git clone..." on your server. Well, apache is not root, so it runs the command (on my server it's daemon, on others it's www-data) and it won't let it add git to known_hosts.

Try to run this on your server:
sudo -u www-data ssh -T git@github.com

for me it's asking me to save git to known host:
The authenticity of host 'github.com (192.30.252.128)' can't be established.
RSA key fingerprint is 16:27:...:48.
Are you sure you want to continue connecting (yes/no)? yes

I write "yes" and this is what I got
Failed to add the host to the list of known hosts (/usr/sbin/.ssh/known_hosts).
Permission denied (publickey).

And this is weird because I opened the permissions to the known_hosts file...
I think after solving this it should work...

@georgiandinca

You need to generate a key for the www-data user and add it to the GitHub repo.
If www-data has /var/www/ as its home directory, then in there you will have a .ssh folder where the generated key files and the known_hosts file should be.

How to generate an SSH key as the web server user:
http://stackoverflow.com/questions/7306990/generating-ssh-keys-for-apache-user

Good luck!

@orendecor

Thanks! This tip took me one step forward. The problem now is that I cannot add the new id_rsa to ssh-agent for some reason...

When I try to write this:
sudo ssh-add /usr/sbin/.ssh/id_rsa

It says:
Could not open a connection to your authentication agent.

@kalpitpandit

I got it working on a private repository too. I followed the steps below:

Note: For a Debian system (which I am running), www-data is the Apache user. If you are on a non-Debian system you can check the Apache user with this command: ps aux | egrep '(apache|httpd)' and replace that user name with www-data here.

  1. Create a new directory in your webroot:
    --- mkdir -p /var/www/.ssh/
    --- chown -R www-data:www-data /var/www/.ssh
    --- chmod 0700 /var/www/.ssh
  2. Generate a new key for the www-data user (Apache user) or move the current user's key to the /var/www/.ssh directory.
    --- To generate a fresh key: sudo -u www-data ssh-keygen -t rsa
    --- To use an existing one: cp ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/known_hosts /var/www/.ssh/ (We are moving id_rsa.pub, id_rsa & known_hosts files here)
  3. Change ownership of the /var/www/.ssh directory to www-data.
    --- sudo chown -R www-data:www-data /var/www/.ssh
  4. Change ownership of the /var/www/your-deployment-directory/ directory to www-data.
    --- sudo chown -R www-data:www-data /var/www/YourProjectDirectory

That's it !!

Happy Coding 👍
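
A check for the layout the steps above set up, as an added example that is not part of the original comment or of the project. The function name audit_ssh_dir is hypothetical; it reports wrong ownership or modes on the web-server user's .ssh directory and a missing known_hosts entry, the causes discussed in this thread, and it assumes GNU stat (Linux) and unhashed known_hosts lines.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (Linux) and unhashed known_hosts entries.
# audit_ssh_dir DIR HOST UID prints one line per problem and returns the
# number of problems found (0 means the directory looks usable).
audit_ssh_dir() {
    dir=$1 host=$2 want_uid=$3 findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    if [ ! -d "$dir" ]; then
        report "$dir does not exist"
        return "$findings"
    fi

    # The web-server user must own the directory to be able to write known_hosts.
    uid=$(stat -c '%u' "$dir")
    [ "$uid" = "$want_uid" ] || report "$dir is owned by uid $uid, expected $want_uid"
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || report "$dir has mode $mode, expected 700"

    # Private keys readable by group or others are rejected by ssh.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$key")
        case $mode in
            600|400) ;;
            *) report "$key has mode $mode, expected 600" ;;
        esac
    done

    # The first known_hosts field is a comma-separated list of host names.
    kh=$dir/known_hosts
    if [ ! -f "$kh" ]; then
        report "$kh is missing"
    elif ! awk -v h="$host" '
            { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$kh"; then
        report "$kh has no entry for $host"
    fi
    return "$findings"
}

# Run as: sh audit.sh /var/www/.ssh github.com "$(id -u www-data)"
if [ "$#" -eq 3 ]; then audit_ssh_dir "$@"; fi
```

The directory to pass is the .ssh folder under the home directory of whichever account runs the web server, which the thread shows differs between systems.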

@gotlisch

gotlisch commented Jan 4, 2016

Thanks for your replies! I had generated the SSH key and hooked it up in GitHub, so that's not the problem. Also the script runs just fine when I connect to an open repo using https, so I don't think it's permission related. Anyway, will have a play around with it to see if I can work it out. Just to be clear, does it definitely work for a GitHub private repo over SSH? I saw several people having the same issue, don't want to spend time trying to fix it if it doesn't work in the first place :-)
On 3 Jan 2016 11:50 pm, "orendecor" [email protected] wrote:

> I found out why it doesn't work - basically it is because git sends a message to deploy.php and then apache is trying to run "git clone..." on your server. Well, apache is not root, so it runs the command (on my server it's daemon, on others it's www-data) and it won't let it add git to known_hosts.
>
> Try to run this on your server:
> sudo -u www-data ssh -T git@github.com
>
> for me it's asking me to save git to known host:
>
> The authenticity of host 'github.com (192.30.252.128)' can't be established.
> RSA key fingerprint is 16:27:...:48.
> Are you sure you want to continue connecting (yes/no)? yes
>
> I write "yes" and this is what I got
>
> Failed to add the host to the list of known hosts (/usr/sbin/.ssh/known_hosts).
> Permission denied (publickey).
>
> And this is weird because I opened the permissions to the known_hosts file...
> I think after solving this it should work...



@orendecor

tl;dr - working if you remove passphrases from id_rsa file.

Long story:
The problem is that id_rsa is encrypted with passphrases, and when I try to run ssh-agent on this id_rsa (so it will not ask for the passphrases each time) it won't have permission on this file.

This is because id_rsa has 600 rights (reading only for its owner - which is the apache user), and if you change these permissions then git won't accept this key because its permissions are too open.

I ended up removing the encryption for this key by running this line:
sudo openssl rsa -in id_rsa -out new_id_rsa

Since then everything is working fine :)

(I'm not sure what the implications of this passphrases removal are)

@gotlisch

gotlisch commented Jan 6, 2016

I see - thank you for confirming, much appreciated!

On Wed, Jan 6, 2016 at 10:26 AM, orendecor [email protected] wrote:

> tl;dr - working if you remove passphrases from id_rsa file.
>
> Long story:
> The problem is that id_rsa is encrypted with passphrases, and when I try to run ssh-agent on this id_rsa (so it will not ask for the passphrases each time) it won't have permission on this file.
>
> This is because id_rsa has 600 rights (reading only for its owner - which is the apache user), and if you change these permissions then git won't accept this key because its permissions are too open.
>
> I ended up removing the encryption for this key by running this line:
> sudo openssl rsa -in id_rsa -out new_id_rsa
>
> Since then everything is working fine :)
>
> (I'm not sure what the implications of this passphrases removal are)



@mcki0127

mcki0127 commented Feb 6, 2016

I'm having the same trouble. This was working perfectly when my repository was public, but it broke when I went private. I initially encountered the error:

$ git clone --depth=1 --branch master git@github.com:mcki0127/[project].git /tmp/spgd-accb135f8fe13d74a36dc288e0b65c4d/
Host key verification failed.
fatal: Could not read from remote repository.

I contacted GitHub and was instructed to add GitHub's public key to the known hosts file, which I did with ssh -T git@github.com.

However, I still got the error. Next, per GitHub support, I added GitHub's key to the global known hosts file with ssh-keyscan -t rsa github.com >> /etc/ssh/ssh_known_hosts

Then I got this:

Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hosts. Permission denied (Public key).
fatal: Could not read from remote repository.

I have checked and verified that there is a GitHub key in that global known_hosts file. But the error persists. I have tried kalpitpandit's solution, and copied the keys into the var/www directory and chown the .ssh and project directories to www-data:www-data (I'm on Ubuntu).

Currently I am getting this error:

$ git clone --depth=1 --branch master git@github.com:mcki0127/[project.git] /tmp/spgd-accb135f8fe13d74a36dc288e0b65c4d/
Cloning into '/tmp/spgd-accb135f8fe13d74a36dc288e0b65c4d'...
Failed to add the RSA host key for IP address '192.30.252.129' to the list of known hosts (/var/www/vhosts/[project directory]).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights

I currently have the same ssh keys in root and in var/www. Private keys have permission 600 and public keys have 644. I'm at a loss at this point.

@mcki0127

I just got this to work. It ended up being a combination of incorrect ownership (username:psacln) and placing the .ssh folder in the wrong directory. It had to be in the project directory itself instead of in /var/www/. Now on to more important things ...

@tobya

tobya commented Mar 3, 2016

I opened #68 which is a related issue/request

@gonzalon

gonzalon commented Sep 23, 2016

I couldn't make the private repo from BitBucket work, so at this point my solution was quite dirty but straightforward, adding the password in the URL:

https://username:**password**@bitbucket.org/repo/repo.git

I know this is not the best solution, but at least it's a provisory solution.
