SSH Host Key Verification Failed inside GitLab CI

Question

Local Setup

I created a public and private SSH key via the ssh-keygen command.

I decided to setup the private key locally first

Answer 1

A server can have multiple signatures in case of load balanced server. Ideal way is to change

- echo "$SSH_KNOWN_HOSTS" >> /.ssh/known_hosts

to

- ssh-keyscan www.gitlab.com >> /.ssh/known_hosts

Answer 2

I wouldn't recommend using the same private key. Both for security reasons and because it might cause other problems. Also, make sure the authorized_keys file contains the public key on the server you want to access, otherwise the whole thing can't work. I'm assuming you've followed a guide along the lines of this one?

Hope this does something.

Answer 3

You may need to try setting the mode to 644 rather than 700. 644 is what is suggested in the Verifying the SSH host keys documentation, and is also what SSH uses for this file by default. Some parts of SSH are very particular about this - I'm not sure if known_hosts is particular.

The docs also mention you should set the value of SSH_KNOWN_HOSTS variable to the entire output of ssh-keyscan since there are multiple keys.

EDIT:

The following .gitlab-ci.yml worked for me on GitLab.com. Note the use of ~/.ssh/ rather than /.ssh/.

image: ubuntu:latest

test_job:
  script:
  - apt-get update
  - apt-get install openssh-client git-core -y
  - eval $(ssh-agent -s)
  - echo "$SSH_DEPLOY_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
  - mkdir -p ~/.ssh && touch ~/.ssh/known_hosts
  - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
  - git clone git@gitlab.com:gitlab-org/gitlab-ce.git