Git stderr: Host key verification failed

HEAD" returned status code 128:
stdout:
stderr: Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists

See the git client plugin documentation section on host key verification. You have several choices:

  • If using supported operating systems for controller and agents (no Red Hat Enterprise Linux 7, no CentOS 7, no Oracle Linux 7, no Scientific Linux 7, no Amazon Linux 2, …), you can configure the “accept first” strategy to accept and remember the ssh host key on first connection
  • Provide the ssh host keys for the git repository hosts in the “manually provided keys” strategy
  • Place the ssh host keys in the ~/.ssh/known_hosts on all agents and use the “known hosts” strategy
  • Disable ssh host key verification with the “no verification” strategy (not recommended)

Hey, I also have the same issue. My Jenkins is hosted on a Kubernetes cluster using helm. I have set Git Host Key Verification Configuration to ‘known_hosts’, and of course I have created and configured an SSH Username with private key in the Jenkins UI. But the Jenkins job threw this error: “Host key verification failed.
fatal: Could not read from remote repository. You’re using ‘Known hosts file’ strategy to verify ssh host keys, but your known_hosts file does not exist, please go to ‘Manage Jenkins’ → ‘Configure Global Security’ → ‘Git Host Key Verification Configuration’ and configure host key verification.”
Please help. Thanks!

The message says that the agent does not have the ~/.ssh/known_hosts file on its file system.

When you choose the known hosts strategy, you are responsible for placing the known_hosts file on the agent file system. If you don’t have easy control of the contents of the agent file system, then you probably should choose a different strategy, like “accept first”. I prefer “accept first” for any case that does not involve CentOS 7 agents.

If you can’t avoid CentOS 7 agents, then you could use the manually provided key strategy and provide the list of keys. See the git client plugin documentation for the details of your choices and the impact of those choices.

1 Like
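
For the “manually provided keys” and “known hosts” strategies discussed above, the entries are only as trustworthy as the check made before they are stored. An added example, not from the thread or the git client plugin: a Python check that keeps only known_hosts-format lines whose SHA256 fingerprint matches one verified out of band. The host name git.example.test, the sample keys and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """Key type named inside the blob (its first length-prefixed string)."""
    blob = base64.b64decode(key_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def vet_known_hosts(text, pinned):
    """Return (accepted lines, rejections); pinned maps host -> fingerprints."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Marker (@...) and hashed (|1|...) entries are out of scope here.
        if len(fields) < 3 or fields[0].startswith(("@", "|")):
            rejected.append((lineno, "unsupported or malformed entry"))
            continue
        hosts, key_type, key_b64 = fields[:3]
        try:
            if blob_key_type(key_b64) != key_type:
                raise ValueError("declared key type differs from blob")
            fp = fingerprint(key_b64)
        except (ValueError, struct.error) as exc:
            rejected.append((lineno, f"bad key: {exc}"))
            continue
        # Every host name on the line must have this fingerprint pinned.
        if all(fp in pinned.get(host, ()) for host in hosts.split(",")):
            accepted.append(line)
        else:
            rejected.append((lineno, f"{hosts} {fp} is not pinned"))
    return accepted, rejected

def make_sample_key(fill):
    """Constructed ssh-ed25519 blob for the demo; not a real server key."""
    name, key = b"ssh-ed25519", bytes([fill]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(blob).decode()
```

Only the accepted lines should go into the agent's known_hosts file or the manually provided keys field; each rejection carries the line number and the reason.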

Thanks for the reply. My requirement is to choose the known hosts strategy, but I don’t have control of the agent file system. By the way, I could achieve it with the other options, ‘accept first connection’ and ‘manually provide keys’. I am getting the issue only for “known hosts”.

Then your requirement cannot be satisfied. If you can’t place the known_hosts file on the agent file system, then the known hosts strategy cannot work. The known hosts strategy requires a known_hosts file on the agent file system.

Either your requirement must change (my recommendation) or your control of the agent file system must change.

2 Likes

Thank you, Mark, for your suggestions! I will follow a strategy other than the known_hosts file strategy.

Refreshed my Jenkins environment by running Jenkins in Docker with dind. Configured dash > manage jenkins > security > git host key verification > accept first.

Configured ‘multi-branch pipeline’ with credential using SSH private key.

The pipeline cannot access git, with an error that ignores the security setting to accept the git host key:

Scan Multibranch Pipeline Log

Started by user Peter Ziobrzynski
[Tue Apr 09 04:29:08 UTC 2024] Starting branch indexing…

git --version # timeout=10
git --version # ‘git version 2.39.2’
using GIT_SSH to set credentials
Verifying host key using known hosts file
You’re using ‘Known hosts file’ strategy to verify ssh host keys, but your known_hosts file does not exist, please go to ‘Manage Jenkins’ → ‘Security’ → ‘Git Host Key Verification Configuration’ and configure host key verification.
git ls-remote --symref -- git@gitlab.com:zpzinet/bld.git # timeout=10
ERROR: [Tue Apr 09 04:29:08 UTC 2024] Could not update folder level actions from source 45d2e65d-d200-44b9-afa8-b7fb13cb3212
[Tue Apr 09 04:29:08 UTC 2024] Finished branch indexing. Indexing took 0.36 sec

Based on the next message, I think that the configuration change did not persist. Maybe you are using configuration as code and the setting that you made from the web page has been overridden?

That message indicates that you’re using “known hosts” and not using “accept first”.

After setting accept-first I restarted Jenkins. The accept-first is still there. Persistent for sure. Still the same error. Configuration is ignored.

I’ve not seen a case where the setting was ignored. It is probably best to submit a git client plugin issue with enough details so that others can duplicate the issue on a new installation of Jenkins. “How to report an issue” provides detailed instructions on the information that needs to be included in the bug report.

Since the output of git --version shows 2.39, I assume that neither the controller nor any of your agents are running an unsupported operating system like Red Hat Enterprise Linux 7, CentOS 7, Scientific Linux 7, Oracle Linux 7, or Amazon Linux 2. Those unsupported Linux operating systems have a version of OpenSSH that is too old to support the “accept first” configuration.

I managed to find a fix. Basically, start from scratch by deleting the Jenkins configuration and adding the configuration again. My configuration follows the Jenkins docker based installation with two containers. I converted the manual startup of the containers with docker-compose. The starting over procedure is simple and is done by shutting down docker-compose with the -v option, which deletes all docker volumes:

cd /etc/docker/compose/jenkins
docker-compose down -v
docker-compose up -d

I have a theory about what caused the known_hosts configuration issues. I aborted the initial pipeline run after the configuration of the pipeline. This must have left the Jenkins configuration in some unknown state and resulted in the security option changes being ignored. For the record, the jenkins container I am using is jenkins/jenkins:2.440.2-jdk17.

Where exactly does the known_hosts file need to be placed? Because my jenkins home is /var/lib/jenkins/ and I’ve placed a file there in .ssh/. I’ve also placed it in /etc/ssh/ssh_known_hosts and in /home/jenkins/.ssh/known_hosts. Jenkins still displays the warning:

You’re using ‘Known hosts file’ strategy to verify ssh host keys, but your known_hosts file does not exist, please go to ‘Manage Jenkins’ → ‘Security’ → ‘Git Host Key Verification Configuration’ and configure host key verification.

So I’m a bit stumped. Where else would it be?

I created an /etc/ssh/ssh_known_hosts file. This solves the host key verification issue. Thereafter I have to let jenkins access the id_rsa file of the wanted user, i.e. chmod and chgrp of the file and current directory.