semaphore: SSH known_hosts read_passphrase: can't open /dev/tty: No such device or address / Host key verification failed
Hi!
Not sure if this is a bug or if my config is wrong, but I have tried to both google it and different configurations so here goes:
SHA256****
debug3: hostkeys_foreach: reading file "/home/semaphore/.ssh/known_hosts"
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
The user on the server which is running semaphore is named semaphore, hence the directory.
As I understand the error, the remote host is not in the known_hosts directory, and the ssh-agent is expecting input whether it should approve this remote host or not.
I have tried to mitigate this by telling ansible, and ssh, to not care about the host key by configuring the Environment.
{
"inventory_hosts": "staging",
"host_key_checking": "False",
"ENV": {
"ansible_ssh_common_args": "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
}
}
In debug run it captures host_key_checking, but it does not seem to catch the ENV key.
I have not found anything relevant in the log on the server for semaphore.
Running this locally using ansible-playbook, as user semaphore, presented the same problem, but when asking SSH to not care about host key check it just accepted the host keys and put these into /home/semaphore/.ssh/authorized_keys
So yes, a solution would be to keep that file updated, but that would require some more automation implemented for whenever the inventory is updated; feels like a workaround, but maybe it's the solution?
Any help appreciated!
Thanks!
About this issue
- State: open
- Created 3 years ago
- Comments: 18
@1024jon Keep in mind that this disables a core security feature of SSH. It’s the same as if your browser wouldn’t check any authenticity of a website’s TLS certificate and accepts all certificates (self-signed, wrong domains, etc).
I can confirm this issue with semaphore v2.8.79 in docker. If I enter into container using
docker exec -it semaphore-semaphore-1 sh
and create by hand /home/semaphore/.ssh/know_hosts
file, issue still exists. Only after connect to remote hosts with ssh -l username hostname
from container and accepting host key by hand it works. But I have many hosts and adding every is problem. Workaround with disabling key checking is not very good I think, so it will be good to fix this issue. If any information or help from me is needed, I am ready for questions.
FWIW, I'm running the newest version in docker (2.8.53) and I haven't run into this issue anymore... I just have "ANSIBLE_HOST_KEY_CHECKING: "false"" included in my docker-compose.
@fiftin I've got this bug as well, when running semaphore in docker.
host_key_checking = False
solves the issue and connects and stores the host key in /home/semaphore/.ssh/known_hosts, also when adding the flags in the inventory file: ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
There are multiple solutions and workarounds and I would advocate against the general use of
host_key_checking = False
.
@KasperSkytte & @fiftin I couldn't find any ssh flag that accepts host keys of unknown hosts but fails otherwise. Using the helper
yes | ssh (....)
would probably work, though.
My favorite solution, which isn't a workaround as it gives you fine-grained control over the host keys, is to mount a known_hosts file from the host into the docker container in read-only mode, in my case the
known_hosts
from my server user. But you can also hand-craft a separate
known_hosts
file with ssh-keyscan.
Additional workaround:
Create a special inventory file just to learn host keys. Accept in the inventory all host keys and use Ping as no-op command: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ping_module.html to connect to all remote hosts. In your actual playbooks, you then can leave host key checking active, as your known_hosts file is now filled.
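The hand-crafted known_hosts and the read-only mount above leave one step unshown: merging a fresh ssh-keyscan run into the file without silently replacing a key that is already pinned. The script below is an added example in POSIX sh, not Semaphore's code nor the commenter's; merge_known_hosts, the hostnames and the key strings are all assumed or constructed.

```shell
#!/bin/sh
# Added example (not Semaphore's code): build the known_hosts file that is
# mounted read-only into the container from ssh-keyscan output. Assumes
# unhashed entries (ssh-keyscan without -H); key strings are constructed placeholders.

# merge_known_hosts SCAN_FILE KNOWN_HOSTS_FILE
#   - host/keytype pairs not yet pinned are appended
#   - pairs already pinned with the same key are skipped (re-runs are safe)
#   - pairs pinned with a DIFFERENT key are reported and left untouched, so
#     a changed host key is surfaced rather than silently trusted
# Returns 0 when no conflict was found, 1 otherwise.
merge_known_hosts() {
    scan=$1 kh=$2
    [ -f "$kh" ] || : > "$kh"
    new=$(mktemp) conf=$(mktemp)
    awk -v kh="$kh" -v new="$new" -v conf="$conf" '
        # pass 1: remember the key already pinned for each "host keytype"
        FILENAME == kh { if ($0 !~ /^[#@]/ && NF >= 3) have[$1 " " $2] = $3; next }
        # pass 2: scan output; drop ssh-keyscan comment lines and junk
        /^#/ || NF < 3 { next }
        {
            id = $1 " " $2
            if (!(id in have))       { print $1, $2, $3 > new }
            else if (have[id] != $3) { print id > conf }
        }
    ' "$kh" "$scan"
    cat "$new" >> "$kh"
    rc=0
    if [ -s "$conf" ]; then
        printf 'host key CHANGED, entry not updated:\n' >&2
        cat "$conf" >&2
        rc=1
    fi
    rm -f "$new" "$conf"
    return "$rc"
}

# --- constructed sample run: one host already pinned, a second one new ---
dir=$(mktemp -d)
kh="$dir/known_hosts"
printf '%s\n' 'web1.example.internal ssh-ed25519 AAAAC3placeholderKEYweb1' > "$kh"
cat > "$dir/scan.txt" <<'EOF'
# web1.example.internal:22 SSH-2.0-OpenSSH_9.2
web1.example.internal ssh-ed25519 AAAAC3placeholderKEYweb1
# db1.example.internal:22 SSH-2.0-OpenSSH_9.2
db1.example.internal ssh-ed25519 AAAAC3placeholderKEYdb1
db1.example.internal ssh-rsa AAAAB3placeholderKEYdb1rsa
EOF
merge_known_hosts "$dir/scan.txt" "$kh" && echo "known_hosts now has $(grep -c '' "$kh") entries"
```

The resulting file is what you bind-mount read-only at /home/semaphore/.ssh/known_hosts; a non-zero exit from a rescan is the signal to investigate the host rather than to re-accept its key.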
@luismsousa, try to add this to your inventory file. It can be set for the whole inventory, not only for one host as in this example.