
Push mirror by ssh key fails when remote host changes IP #2067

Closed
opened 2025-08-06 00:44:50 +02:00 by mattdm · 6 comments

Comment

My host provider migrated my system to a different host, and the IP changed. I have a Codeberg repo set up to push mirror on commit to the host. (Actual hostname replaced with example.org below.)

```
push failed: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:oV9BA0yBGsARD4JOD8DxQ4AlGBJtF0o0rsYHmE4chOo.
Please contact your system administrator.
Add correct host key in /home/git/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/git/.ssh/known_hosts:37
 remove with:
 ssh-keygen -f '/home/git/.ssh/known_hosts' -R 'example.org'
Host key for example.org has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
 - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:oV9BA0yBGsARD4JOD8DxQ4AlGBJtF0o0rsYHmE4chOo.
Please contact your system administrator.
Add correct host key in /home/git/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/git/.ssh/known_hosts:37
 remove with:
 ssh-keygen -f '/home/git/.ssh/known_hosts' -R 'example.org'
Host key for example.org has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
 - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:oV9BA0yBGsARD4JOD8DxQ4AlGBJtF0o0rsYHmE4chOo.
Please contact your system administrator.
Add correct host key in /home/git/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/git/.ssh/known_hosts:37
 remove with:
 ssh-keygen -f '/home/git/.ssh/known_hosts' -R 'example.org'
Host key for example.org has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```

I can't find any way to clear this. The manual "Synchronize Now" button doesn't do it. Removing and replacing the sync config doesn't help either.

I worked around the issue by using a different hostname that resolves to the same IP, but that's not really a great solution.


@mattdm wrote in #2067 (comment):

> My host provider migrated my system to a different host, and the IP changed

The SSH host keys aren't bound to IP. It does mean that your host provider didn't migrate the SSH host keys to the new host, which is quite bad.

Removing an SSH host key is quite serious; however, as no other push mirror is configured to that remote address, I will remove it.


It's removed.


Thank you! Unfortunately, it's common for budget hosting providers to do this. They just do a whole reinstall, and often when they do a hardware refresh they consolidate more small sites on a single system. Is the underlying known-hosts file shared across Codeberg, or is it per repo?


It's shared across Codeberg.


Ah, then, the concern makes sense. I'm not familiar enough with the architecture to make a meaningful suggestion, but it seems like maybe UserKnownHostsFile could be set to a repo-specific value or something...

Anyway, thank you for your help!


Forgejo tries to mitigate SSH's trust-on-first-use security model as much as possible by sharing the SSH host keys between all repositories. An admin needing to remove the host key is more or less what should have happened in this situation.
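
Added illustration, not part of the thread and not Forgejo or Codeberg code: because one `known_hosts` file backs every push mirror, the check to make before dropping a pinned key is that the fingerprint in the warning matches one confirmed over a separate channel. The helper names, the `verified_fp` input and the sample `known_hosts` entry are constructed for this sketch; the warning excerpt is the one quoted in the issue.

```python
import base64
import hashlib
import re
import struct

# Excerpt of the warning quoted in the issue (hostname already anonymised there).
WARNING = """\
The fingerprint for the ED25519 key sent by the remote host is
SHA256:oV9BA0yBGsARD4JOD8DxQ4AlGBJtF0o0rsYHmE4chOo.
Offending ED25519 key in /home/git/.ssh/known_hosts:37
Host key for example.org has changed and you have requested strict checking.
"""

def parse_warning(text):
    """Extract host, key type, presented fingerprint and pinned-entry location."""
    sent = re.search(r"fingerprint for the (\S+) key sent by the remote host is\s+"
                     r"(SHA256:[A-Za-z0-9+/]{43})", text)
    pinned = re.search(r"Offending (\S+) key in (\S+):(\d+)", text)
    host = re.search(r"Host key for (\S+) has changed", text)
    if not (sent and pinned and host):
        raise ValueError("not a host-key-changed warning")
    return {"host": host.group(1), "type": sent.group(1), "presented": sent.group(2),
            "file": pinned.group(2), "line": int(pinned.group(3))}

def fingerprint(known_hosts_line):
    """SHA256 fingerprint of a known_hosts entry, in the format ssh prints."""
    fields = known_hosts_line.split()
    if fields[0].startswith("@"):  # skip an @cert-authority / @revoked marker
        fields = fields[1:]
    digest = hashlib.sha256(base64.b64decode(fields[2])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def decide(warning, pinned_line, verified_fp):
    """Return 'unchanged', 'rotate' or 'reject' for the pinned entry."""
    presented = parse_warning(warning)["presented"]
    if presented == fingerprint(pinned_line):
        return "unchanged"
    # Replace the pin only if the new key was confirmed over another channel.
    return "rotate" if presented == verified_fp else "reject"

def constructed_entry(host, seed):
    """Constructed sample entry: a well-formed ssh-ed25519 blob, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    old = constructed_entry("example.org", 1)  # stands in for known_hosts line 37
    print(decide(WARNING, old, parse_warning(WARNING)["presented"]))  # confirmed out of band
    print(decide(WARNING, old, "SHA256:" + "A" * 43))                 # not confirmed
```
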
