GitPython - cloning with ssh key - Host key verification failed

Asked 1/10, 2018 at 14:5 Answered 16/10, 2020 at 16:26

i have a problem with cloning git repository in my application.

KEY_FILE = "/opt/app/.ssh/id_rsa"

def read_git_branch(config_id, branch):
    config = RepoConfig.objects.get(id=config_id)
    save_rsa_key(Credentials.objects.get(id=1).key)
    git_ssh_identity_file = os.path.expanduser(KEY_FILE)
    git_ssh_cmd = 'ssh -i %s' % git_ssh_identity_file
    with Git().custom_environment(GIT_SSH_COMMAND=git_ssh_cmd):
        with tempfile.TemporaryDirectory() as tmpdir:
            repo = Repo.clone_from(config.url, tmpdir, branch=branch)
            branch_obj, _ = Branch.objects.get_or_create(name=branch)
            ....

def save_rsa_key(key):
    if not os.path.exists(os.path.dirname(KEY_FILE)):
        try:
            os.makedirs(os.path.dirname(KEY_FILE))
        except OSError as exc:
            if exc.errno != errno.EEXIST:
                raise
    with open(KEY_FILE, 'w') as id_rsa:
        id_rsa.write(key)
        os.chmod(KEY_FILE, 0o600)

Expected result is to clone repository to temporary directory, do something with it and delete all files.
Instead I'm getting:

DEBUG/ForkPoolWorker-2] AutoInterrupt wait stderr: b'Host key verification failed.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n'

git.exc.GitCommandError: Cmd('git') failed due to: exit code(128) cmdline: git clone --branch=master -v [email protected]:bar/project.git /tmp/tmpi_w2xhgt stderr: 'Host key verification failed.

When i try to connect to the same repo directly from machine with key file created by code above with:

ssh-agent bash -c 'ssh-add /opt/app/.ssh/id_rsa; git clone [email protected]:bar/project.git'

Repo is cloned without problems + host is added to known_hosts. After doing that my code works as expected...

It has to be something with known_hosts. Anyone had similar problem?

Thanks for your help.

Thrombus answered 1/10, 2018 at 14:5 Comment(1)

It's a security feature. Relevant how-to-add-hostname-to-known-hosts-using-python and paramiko-add-host-key-to-known-hosts-permanently – Samos 1/10, 2018 at 15:0

You should use env of clone_from.

with Git().custom_environment(GIT_SSH_COMMAND=git_ssh_cmd):
    repo = Repo.clone_from(config.url, tmpdir, branch=branch)

→

git.Repo.clone_from(url, repo_dir, env={"GIT_SSH_COMMAND": 'ssh -i /PATH/TO/KEY'})

Psittacine answered 21/2, 2019 at 8:32 Comment(1)

This answer should be upvoted more. I was mislead by another answer here which didnt work for the clone_from case. – Cismontane 9/8, 2019 at 13:54

This variant:

git.Repo.clone_from("[email protected]:user/coolrepo.git", r"..\coolrepo", env=dict(GIT_SSH_COMMAND="ssh -i id_rsa"))

works fine for me!

Chronicles answered 24/1, 2020 at 14:49 Comment(0)

While the existing answers cover cases where missing the SSH env was the issue, I had a scenario where the remote host key would only be accepted via GitPython, and the environment wasn't able to be modified to include that host key in known hosts.

To ensure host key mismatches never break your code, disable strict host key checks through manipulation of the ssh command:

git.Repo.clone_from(
    url, 
    repo_dir, 
    env={
        "GIT_SSH_COMMAND": "ssh -o StrictHostKeyChecking=no -i /path/to/key"
    }
)

Intersect answered 16/10, 2020 at 16:26 Comment(0)

Recommended topics

Hot tags