HEAD" returned status code 128:
stdout:
stderr: Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists
See the git client plugin documentation section on host key verification. You have several choices:
- If using supported operating systems for controller and agents (no Red Hat Enterprise Linux 7, no CentOS 7, no Oracle Linux 7, no Scientific Linux 7, no Amazon Linux 2, âŚ), you can configure the âaccept firstâ strategy to accept and remember the ssh host key on first connection
- Provide the ssh host keys for the git repository hosts in the âmanually provided keysâ strategy
- Place the ssh host keys in the
~/.ssh/known_hostson all agents and use the âknown hostsâ strategy - Disable ssh host key verification with the âno verificationâ strategy (not recommended)
Hey I have also same issue. My Jenkins hosted on Kubernetes cluster using helm, I have set Git Host Key Verification Configuration as âknown_hostsâ , ofcourse I have created configured SSH Username with private key in Jenkins UI. But Jenkins job thrown this error âHost key verification failed.
fatal: Could not read from remote repository.Youâre using âKnown hosts fileâ strategy to verify ssh host keys, but your known_hosts file does not exist, please go to âManage Jenkinsâ â âConfigure Global Securityâ â âGit Host Key Verification Configurationâ and configure host key verification.â
Please help. Thanks.!!
The message says that the agent does not have the ~/.ssh/known_hosts file on its file system.
When you choose the known hosts strategy, you are responsible to place the known_hosts file on the agent file system. If you donât have easy control of the contents of the agent file system, then you probably should choose a different strategy, like âaccept firstâ. I prefer âaccept firstâ for any case that does not involve CentOS 7 agents.
If you canât avoid CentOS 7 agents, then you could use the manually provided key strategy and provide the list of keys. See the git client plugin documentation for the details of your choices and the impact of those choices.
1 Like
Thanks for reply. My requirement should choose the known hosts strategy, but i dont have control on agent file system. By the I could achieve with other options âaccept first connectionâ and âmanually provide keysâ. Getting issue only for âknown hostsâ
Then your requirement cannot be satisfied. If you canât place the known_hosts file on the agent file system, then the known hosts strategy cannot work. The known hosts strategy requires a known_hosts file on the agent file system.
Either your requirement must change (my recommendation) or your control of the agent file system must change.
2 Likes
Thank you Mark for your suggestions.! will follow other than known_hosts file strategy
Refreshed my Jenkins environment with running Jenkins in Docker with dind. Configured dash>manage jenkins> security > git host key verification > accept first
Configured âmulti-branch pipelineâ with credential using SSH private key.
Pipeline cannot access git with error that ignores security setting to accept git host key:
Scan Multibranch Pipeline Log
Started by user Peter Ziobrzynski
[Tue Apr 09 04:29:08 UTC 2024] Starting branch indexingâŚgit --version # timeout=10
git --version # âgit version 2.39.2â
using GIT_SSH to set credentials
Verifying host key using known hosts file
Youâre using âKnown hosts fileâ strategy to verify ssh host keys, but your known_hosts file does not exist, please go to âManage Jenkinsâ â âSecurityâ â âGit Host Key Verification Configurationâ and configure host key verification.
git ls-remote --symref â git@gitlab.com:zpzinet/bld.git # timeout=10
ERROR: [Tue Apr 09 04:29:08 UTC 2024] Could not update folder level actions from source 45d2e65d-d200-44b9-afa8-b7fb13cb3212
[Tue Apr 09 04:29:08 UTC 2024] Finished branch indexing. Indexing took 0.36 sec
Based on the next message, I think that the configuration change did not persist. Maybe you are using configuration as code and the setting that you made from the web page has been overridden?
That message indicates that youâre using âknown hostsâ and not using âaccept firstâ.
After setting accept-first I restarted Jenkins. The accept-first is still there. Persistent for sure. Still the same error. Configuration is ignored.
Iâve not seen a case where the setting was ignored. It is probably best to submit a git client plugin issue with enough details so that others can duplicate the issue on a new installation of Jenkins. âHow to report an issueâ provides detailed instructions on the information that needs to be included in the bug report.
Since the output of git --version shows 2.39, I assume that neither the controller nor any of your agents are running an unsupported operating system like Red Hat Enterprise Linux 7, CentOS 7, Scientific Linux 7, Oracle Linux 7, or Amazon Linux 2. Those unsupported Linux operating systems have a version of OpenSSH that is too old to support the âaccept firstâ configuration.
I managed to find a fix. Basically start from scratch by deleting Jenkins configuration and adding the configuration again. My configuration follows Jenkins docker based installation with two containers. I converted manual startup of the containers with the docker-compose. The starting over procedure is simple and done by shutting down the docker-compose with -v option that deletes all docker volumes:
cd /etc/docker/compose/jenkins
docker-compose down -v
docker-compose up -d
I have a theory what caused the know_hosts configuration issues. I aborted the initial pipeline run after the configuration of the pipeline. This must have left Jenkins configuration in some unknown state and resulted in that security option changes being ignored. For the record the jenkins container I am using is jenkins/jenkins:2.440.2-jdk17.
Where exactly does the known_host file need to be placed? Because my jenkins home is /var/lib/jenkins/ and Iâve placed a file there in .ssh/. Iâve also placed it in /etc/ssh/ssh_known_hosts and in /home/jenkins/.ssh/known_hosts. Jenkins still displays the warning:
So Iâm a bit stumped. Where else would it be?
I created a /etc/ssh/ssh_known_hosts file. This solves the hostkey verification issue. Thereafter I have to let jenkins access to the id_rsa file of the wanted user, i.e. chmod and chgrp of file and current directory.