Git plugin fails to connect to my git repository

Hello everybody,

I created a git repository:

grep -r gitu /etc/passwd
gituser:x:1200:1200::/home/gituser:/usr/bin/git-shell

cd /mnt/500go
ls -ls | grep Git
4 drwxr-xr-x 15 gituser   gituser   4096 23 aoû 10:13 GitRepo
cd GitRepo
ls -l            
total 52
drwxr-xr-x 7 gituser gituser 4096 23 aoû 16:14 auto-add-to-repo
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:14 kawa-Banga
drwxr-xr-x 7 gituser gituser 4096 10 aoû 01:31 kawa-base
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-BM
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-cinnamon
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-intel
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-nvidia
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-nvidia-lts
drwxr-xr-x 7 gituser gituser 4096 23 aoû 21:57 kawaOS
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:23 kawa-papaetmaman
drwxr-xr-x 7 gituser gituser 4096 12 aoû 17:50 kawa-printers
drwxr-xr-x 7 gituser gituser 4096 24 oct 10:23 kawa-wine
drwxr-xr-x 7 gituser gituser 4096 22 aoû 18:17 kawa-X11
cd kawa-base
ls -l
total 32
drwxr-xr-x  2 gituser gituser 4096 12 aoû 17:16 branches
-rw-r--r--  1 gituser gituser   66 12 aoû 17:16 config
-rw-r--r--  1 gituser gituser   73 12 aoû 17:16 description
-rw-r--r--  1 gituser gituser   23 12 aoû 17:16 HEAD
drwxr-xr-x  2 gituser gituser 4096 12 aoû 17:16 hooks
drwxr-xr-x  2 gituser gituser 4096 12 aoû 17:16 info
drwxr-xr-x 22 gituser gituser 4096 10 aoû 01:31 objects
drwxr-xr-x  4 gituser gituser 4096 12 aoû 17:16 refs

I updated my Jenkins RSA key, and added the private key into mydomain.com/manage/credentials/store/system/domain/_/credential/git_rpi4/update
and added the public key.pub on my git server into /home/gituser/.ssh/authorized_keys
I added to my git server the RSA public key from my desktop.

So now I can git clone, commit, fetch and push from my desktop, but Jenkins returns this error message to me:

Started by user PowaBanga
Running as SYSTEM
Building in workspace /var/lib/jenkins/workspace/Repository_x86_64_kawa-base
The recommended git tool is: NONE
using credential git_rpi4
 > git rev-parse --resolve-git-dir /var/lib/jenkins/workspace/Repository_x86_64_kawa-base/.git # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url ssh://gituser@rpi4-1/mnt/500go/GitRepo/kawa-base/ # timeout=10
Fetching upstream changes from ssh://gituser@rpi4-1/mnt/500go/GitRepo/kawa-base/
 > git --version # timeout=10
 > git --version # 'git version 2.38.1'
 > git fetch --tags --force --progress -- ssh://gituser@rpi4-1/mnt/500go/GitRepo/kawa-base/ +refs/heads/*:refs/remotes/origin/* # timeout=10
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from ssh://gituser@rpi4-1/mnt/500go/GitRepo/kawa-base/
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:1006)
	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1248)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1312)
	at hudson.scm.SCM.checkout(SCM.java:540)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1239)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:647)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:85)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:519)
	at hudson.model.Run.execute(Run.java:1899)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:44)
	at hudson.model.ResourceController.execute(ResourceController.java:107)
	at hudson.model.Executor.run(Executor.java:449)
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --force --progress -- ssh://gituser@rpi4-1/mnt/500go/GitRepo/kawa-base/ +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout: 
stderr: hostkeys_find_by_key_hostfile: hostkeys_foreach failed for /var/lib/jenkins/.ssh/known_hosts: Permission denied
Host key verification failed.
fatal : Impossible de lire le dépôt distant.

Veuillez vérifier que vous avez les droits d'accès
et que le dépôt existe.

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2697)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2111)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:87)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:623)
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:1004)
	... 11 more
ERROR: Error fetching remote repo 'origin'
Started calculate disk usage of build
Finished Calculation of disk usage of build in 0 seconds
Started calculate disk usage of workspace
Finished Calculation of disk usage of workspace in 0 seconds
Finished: FAILURE

I do not understand how to fix this. I went into mydomain.com/manage/configureSecurity/ to set Git Host Key Verification Configuration to No verification,
but this changes nothing…
If I change the hostname `rpi4-1` to the server IP, this changes nothing.

Now I despair.
Can anybody help me?

Since you’re using ssh private key authentication, you’re using command line ssh to authenticate. The command line ssh configuration is helping you by verifying the ssh host key of the git repository server. That verification failed because it does not know the ssh host key of the git repository server.

See the “Host key verification” section of the git client plugin documentation for more details and for the choices that you can make:


Manually, I tried this:

  • Leave it blank
    This gives me this error message in the configuration of the job:

Failed to connect to repository : Command “git ls-remote -h -- ssh://gituser@lrpi4-1:/mnt/500go/GitRepo/kawa-base/ HEAD” returned status code 128:
stdout:
stderr: No ED25519 host key is known for 192.168.0.11 and you have requested strict checking.
Host key verification failed.
fatal : Impossible de lire le dépôt distant.

Veuillez vérifier que vous avez les droits d’accès
et que le dépôt existe.

So for now this message is normal!

  • Write this:
security:
  gitHostKeyVerificationConfiguration:
    sshHostKeyVerificationStrategy:
      manuallyProvidedKeyVerificationStrategy:
        approvedHostKeys: |-
          192.168.0.X ssh-ed25519 AAAAC3NzaC1lZDI1NTA5AABAIBGg4+j2cVpE6aZZE26SmB2H1Xt3RzSfZFnONPjkje2

The message about known hosts disappears in the job’s configuration, but the build fails with the message:

Host key verification failed

So I tried to ‘use known hosts file’, but where should I put it exactly? Because when I copy/paste my known_hosts from my desktop (because I am sure it works) to my Jenkins server into /var/lib/jenkins/.ssh/known_hosts, this didn’t work either, always the same error.

Something strange is that the error message in the configuration page appears only in manual mode if I do not write the host in.

Last month, this job was working perfectly, now it doesn’t…

I forgot to say, I am on Arch Linux, with jenkins-lts 2.361.2.

So yes, something is wrong with my known hosts, it’s perfectly clear, and it’s why I am asking for help here. I do not find/understand what is wrong with me and the known hosts file :slight_smile:

If you revert your git client plugin and your git plugin to the versions you were running last month, it will likely work perfectly again. You’ll also have plugin versions that have known vulnerabilities to man-in-the-middle attacks on the SSH connection between the controller and the repository server and between the agent and the repository server. I recommend against reverting to the older version.

Put it in the location that the ssh client on that account and computer expects to find it. Be sure it has the correct permissions. Or, use the “accept first key” strategy and allow that the first access will define the ssh host key that will be used. Or, use the manually provided key strategy and provide the ssh host key for the repository server. Or,

I like the “accept first key” strategy because it is smooth for users and better than the old state. Unfortunately, it can’t be the default because Red Hat Linux 7 is still supported and it delivers a very old version of command line ssh along with a very old version of command line git. The command line ssh version on Red Hat Enterprise Linux 7 is old enough that it does not understand the “accept first” argument.

That is surprising if you were using manually provided host keys strategy. The host key should be provided automatically to the needed location. You may want to check the ownership and permissions of the ~/.ssh/known_hosts file and its parent directory. The permissions may be wrong and command line ssh is then refusing to read the contents of a file with the wrong permissions or wrong ownership.
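
One way to run the ownership and permission check suggested above, as an added example that is not part of the original thread or of the Jenkins project. The function names and finding labels are hypothetical, and it assumes GNU `stat` (as on Arch Linux) and that the home directory and numeric uid of the Jenkins account are passed as arguments.

```shell
#!/bin/sh
# Added example: audit ownership and mode of an account's ~/.ssh directory and
# known_hosts file. Assumes GNU stat (stat -c), as on Arch Linux.
# Usage: sh audit_ssh.sh /var/lib/jenkins "$(id -u jenkins)"

# audit_path PATH EXPECTED_UID NEEDED_OWNER_BITS
# Prints one line per finding; returns 0 only when nothing is wrong.
audit_path() {
    local path="$1" want_uid="$2" need="$3" uid mode bad=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    uid=$(stat -c '%u' "$path")    # numeric owner
    mode=$(stat -c '%a' "$path")   # octal mode, e.g. 700 or 644
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $path owned by uid $uid, expected $want_uid"
        bad=1
    fi
    # Owner must be able to read the file / enter the directory, otherwise
    # ssh fails with "Permission denied" as in the build log above.
    if [ $(( 0$mode & $need )) -ne $(( $need )) ]; then
        echo "ACCESS   $path mode $mode lacks owner bits $need"
        bad=1
    fi
    # Group/world write would let another account replace trusted host keys.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path mode $mode is writable by group or others"
        bad=1
    fi
    return "$bad"
}

# audit_ssh_dir HOME_DIR EXPECTED_UID
audit_ssh_dir() {
    local home="$1" want_uid="$2" rc=0
    audit_path "$home/.ssh" "$want_uid" 0500 || rc=1
    audit_path "$home/.ssh/known_hosts" "$want_uid" 0400 || rc=1
    return "$rc"
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit_ssh_dir "$1" "$2" && echo "OK: $1/.ssh looks usable by uid $2"
fi
```

Run it as root or as the Jenkins account itself; an account that cannot traverse the home directory will see the paths reported as missing.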