SSH host verification errors when `dev`ing a package from GitHub Enterprise with Julia 1.6.1

DanielIngraham · June 30, 2021, 10:46am

I’m able to dev a package from my workplace’s GitHub Enterprise with Julia 1.5.4:

$ julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.5.4 (2021-03-11)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

(@v1.5) pkg> activate .
 Activating new environment at `~/projects/julia_issues_and_tips/pkg_developer_troubles/1.5.4-no_prefix/Project.toml`

(1.5.4-no_prefix) pkg> dev --local git@developer.foobar.gov:dingraha/MyTestPackage.git
    Cloning git-repo `git@developer.foobar.gov:dingraha/MyTestPackage.git`
Private key location for 'git@developer.foobar.gov' [/home/dingraha/.ssh/id_rsa]:
Passphrase for /home/dingraha/.ssh/id_rsa:
  Resolving package versions...
Updating `~/projects/julia_issues_and_tips/pkg_developer_troubles/1.5.4-no_prefix/Project.toml`
  [e51a849f] + MyTestPackage v0.1.0 `dev/MyTestPackage`
Updating `~/projects/julia_issues_and_tips/pkg_developer_troubles/1.5.4-no_prefix/Manifest.toml`
  [e51a849f] + MyTestPackage v0.1.0 `dev/MyTestPackage`

(1.5.4-no_prefix) pkg>

But doing the same thing from 1.6.1 fails with a SSH host verification error:

$ julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.6.1 (2021-04-23)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

(@v1.6) pkg> activate .
  Activating new environment at `~/projects/julia_issues_and_tips/pkg_developer_troubles/1.6.1-no_prefix/Project.toml`

(1.6.1-no_prefix) pkg> dev --local git@developer.foobar.gov:dingraha/MyTestPackage.git
     Cloning git-repo `git@developer.foobar.gov:dingraha/MyTestPackage.git`
SSH host verification: the identity of the server `developer.foobar.gov:22` does not match its known hosts record. Someone could be trying to man-in-the-middle your connection. It is also possible that the server has changed its key, in which case you should check with the
server administrator and if they confirm that the key has been changed, update your known hosts file.
ERROR: failed to clone from git@developer.foobar.gov:dingraha/MyTestPackage.git, error: GitError(Code:ERROR, Class:Net, user cancelled hostkey check)

(1.6.1-no_prefix) pkg>

I can manually clone the repository from the shell without a problem:

$ julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.6.1 (2021-04-23)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

shell> ls

shell> git clone git@developer.foobar.gov:dingraha/MyTestPackage.git
Cloning into 'MyTestPackage'...
Warning: Permanently added the ECDSA host key for IP address 'xxx.xxx.xxx.xxx' to the list of known hosts.
Enter passphrase for key '/home/dingraha/.ssh/id_rsa':
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 5 (delta 0), reused 5 (delta 0), pack-reused 0
Receiving objects: 100% (5/5), 547 bytes | 0 bytes/s, done.

shell>

Any ideas on how to fix this?

fredrikekre · June 30, 2021, 11:59am

Some pointers: Pkg.jl#2485, Pkg.jl#2428, Pkg.jl#2334, Pkg.jl#2333 so I think you can fix this by adjusting the known_hosts file.

You should also be able to opt out entirely from host verification by setting JULIA_NO_VERIFY_HOST (or just JULIA_SSH_NO_VERIFY_HOSTS), see NetworkOptions.jl.

DanielIngraham · June 30, 2021, 2:07pm

Excellent, thanks for the links.

Adding the host (developer.foobar.gov in my example) to JULIA_SSH_NO_VERIFY_HOSTS worked fine as a workaround.
I tried moving my ~/.ssh/known_hosts file away, then ran dev --local again and got this error message:

 (1.6.1-no_prefix) pkg> dev --local git@developer.foobar.gov:dingraha/MyTestPackage.git
     Cloning git-repo `git@developer.foobar.gov:dingraha/MyTestPackage.git`
SSH host verification: the server `developer.foobar.gov:22` is not a known host. Please run `ssh-keyscan developer.foobar.gov:22 >> /home/dingraha/.ssh/known_hosts` in order to add the server to your known hosts file and then try again.
ERROR: failed to clone from git@developer.foobar.gov:dingraha/MyTestPackage.git, error: GitError(Code:ERROR, Class:Net, user cancelled hostkey check)

Then I ran ssh-keyscan developer.foobar.gov >> /home/dingraha/.ssh/known_hosts, which appears to fix the issue.

Thanks again!

Daniel

Xing_Shi_Cai · October 13, 2022, 1:50pm

I had this problem with github.com. This workaround solved it.

jling · October 13, 2022, 2:05pm

eh, are you being MITM attacked by the government? because that’s why a different host would show up between you and github