dokku clone failing because of ssh fingerprint #46

Open
iloveitaly opened this issue Feb 3, 2020 · 13 comments
Labels
enhancement New feature or request

Comments

@iloveitaly
Contributor

When I tried to use dokku clone, the task hung indefinitely when it was run via ansible. There was no error or debugging output available when ansible was run with -vvvv so I attempted to run the same command directly via ssh.

I ran into this error:

The authenticity of host 'github.com (140.82.114.3)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.

It looks like there already exists a check to ensure github.com is added to known_hosts, but if a user has FingerprintHash md5 the known_hosts value is invalid.

I'm guessing what we need to do here is somehow check the FingerprintHash setting and change what line we are checking for in known_hosts, but my ansible knowledge isn't advanced enough to understand how to make this change. Any ideas? Happy to contribute if you push me in the right direction!

@josegonzalez
Member

Where is FingerprintHash md5 set?

@iloveitaly
Contributor Author

I don't understand openssl very well at all, but it looks like this can be defined on a per-host basis in ~/.ssh/config. I imagine there are a bunch of other places config could live, and I think it can be defined on a per-request basis as well.

I bet there's some sort of call you could make to query openssl configuration to ask what FingerprintHash method is used, but I wasn't able to find anything obvious with some googling.

@josegonzalez
Member

Maybe something like this? https://stackoverflow.com/a/38462337/1515875

@iloveitaly
Contributor Author

Something like that could work, but I wonder if there's a better way to check what fingerprints are used outside of checking config files. Then we could conditionally add a value to known_hosts and avoid having to update the scripts if openssl changes how/where the fingerprint configuration is stored.

@josegonzalez
Member

Well we could move the fingerprint to a variable and conditionally use one variable if the fingerprint is sha256 and another for md5 etc.?

@iloveitaly
Contributor Author

Yeah, I think that would work great. Just thinking about the best way to determine the fingerprint for github.com as it can be defined on a per-host basis. I guess we could just grep the whole file and trust that fingerprint is set once, that value is used consistently, but I'm hoping there's some sort of ssh/openssl command which can determine this config for us.

@ltalirz
Member

ltalirz commented Sep 2, 2021

Just letting you know that dokku_clone just moved to use the new dokku git:sync command under the hood #98

I guess this issue won't be solved by this, so this is just fyi

@ltalirz ltalirz added the enhancement New feature or request label Sep 4, 2021
@fr3fou
Contributor

fr3fou commented Nov 14, 2021

Is there any workaround to solve this temporarily?

@ltalirz
Member

ltalirz commented Nov 14, 2021

I guess to configure sha256 as the hash algorithm for OpenSSL?

Haven't encountered the issue myself so far, so I don't know the best way to do this

@fr3fou
Contributor

fr3fou commented Nov 14, 2021

How would I do that? I can't seem to understand the problem to be honest. I've been manually fixing it by ssh-ing into my VPS and cloning my repo just to hit yes here
[image]
then deleting the repo and re-running my playbook.

@ltalirz
Member

ltalirz commented Nov 14, 2021

As I understand https://superuser.com/a/929567 it would be and ~/.ssh/config with

Host github.com
    FingerprintHash md5

@fr3fou
Contributor

fr3fou commented Nov 14, 2021

> As I understand https://superuser.com/a/929567 it would be and ~/.ssh/config with
>
> Host github.com
>     FingerprintHash md5

would this be for the dokku user?

@josegonzalez
Member

Something like this would work: https://gist.github.com/maxim/871e611d4bc02c633c67

Here are the fingerprints as documented by github: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
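
As an added example (not code from this thread, the linked gist, or the dokku Ansible role): a Python check that verifies a scanned host key against a pinned fingerprint in either FingerprintHash format before emitting a known_hosts line. Both formats are digests of the same public-key blob; the host name, key blob and function names below are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample in ssh-keyscan / known_hosts format. The key blob is
# arbitrary bytes for illustration, not a real host key.
SAMPLE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(64))).decode()
SAMPLE_LINE = f"git.example.test ssh-rsa {SAMPLE_BLOB}"


def parse_line(line):
    """Split 'host keytype base64blob [comment]' into (host, keytype, raw blob)."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key line")
    host, keytype, b64 = fields[:3]
    # binascii.Error is a ValueError subclass, so bad base64 also raises ValueError.
    return host, keytype, base64.b64decode(b64, validate=True)


def fingerprint(blob, algo):
    """Render the fingerprint as OpenSSH prints it for the given FingerprintHash."""
    algo = algo.lower()
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        # OpenSSH prints the digest as base64 without '=' padding.
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        # MD5 is used here only to reproduce the legacy display format.
        hexd = hashlib.md5(blob, usedforsecurity=False).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    raise ValueError(f"unsupported FingerprintHash: {algo}")


def verified_known_hosts_entry(line, pinned):
    """Return a known_hosts line only if the key matches the pinned fingerprint.

    `pinned` may be in either format: 'SHA256:...' or 'MD5:aa:bb:...'.
    """
    host, keytype, blob = parse_line(line)
    algo = pinned.split(":", 1)[0]
    actual = fingerprint(blob, algo)
    if actual != pinned:
        raise ValueError(f"host key mismatch for {host}: got {actual}")
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    _, _, blob = parse_line(SAMPLE_LINE)
    print(fingerprint(blob, "sha256"))
    print(fingerprint(blob, "md5"))
```

The pinned value would come from a trusted out-of-band source such as the fingerprint page GitHub publishes, and the returned line is what gets appended to known_hosts.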
