Elastic beanstalk access private git repo

Question

I am trying to currently add an ssh key to my elastic beanstalk instances using .ebextensions commands.

The keys I have stored are in my application code and I try to copy them to the root .ssh folder so I can access them when doing a git+ssh clone later

here is an example of the config file in my .ebextensions folder

packages:
  yum:
    git: []

container_commands:
    01-move-ssh-keys:
        command: "cp .ssh/* ~root/.ssh/; chmod 400 ~root/.ssh/tca_read_rsa; chmod 400 ~root/.ssh/tca_read_rsa.pub; chmod 644 ~root/.ssh/known_hosts;"
    02-add-ssh-keys:
        command: "ssh-add ~root/.ssh/tca_read_rsa"

the problem is that I get is an error when attempting to clone the repo

Host key verification failed.

I have tried many ways of try to add the host to the known_hosts file but none have worked!

The command that is doing the clone is npm install as the repo points to a node module

From what I have ready you should be trying to add them to `authorized_keys` (but I can't get it to work either) — Ashley Coolman, Feb 04 '16 at 14:14
@AshleyCoolman if you add the public key to `authorized_keys` this will allow you to login to the server. But OP wants to connect to a different server — Jonathan, Nov 16 '18 at 08:51

score 1 · Answer 1 · answered May 04 '16 at 16:18

I added this to my ebextensions. This was what I used to connecting to code commit. I needed to specify the user and ignore host key checking. Hope this helps anybody stopping by...

commands:
    add_ssh_config:
        command: printf "Host git-codecommit.*.amazonaws.com\r\n  StrictHostKeyChecking no\r\n  User <name-of-user>\r\n  IdentityFile ~/.ssh/<name-of-key>.pem" > /home/ec2-user/.ssh/config"

score 0 · Answer 2 · answered Nov 16 '18 at 09:03

The host key verification means that the host itself can't be verified. When you first connect to a host using ssh, there is below question by ssh. This is the host-key verification.

The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?

To securely pass that you could use ssh-keyscan <repo-host> locally and create a known_hosts file with the output instead.

So for GitHub this would be

$ ssh-keyscan github.com
# github.com:22 SSH-2.0-babeld-f43b814b
# github.com:22 SSH-2.0-babeld-f43b814b
# github.com:22 SSH-2.0-babeld-f43b814b
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

So the ebextension would look something like this:

packages:
  yum:
    git: []

container_commands:
    01-move-ssh-keys:
        command: "cp .ssh/* ~root/.ssh/; chmod 400 ~root/.ssh/tca_read_rsa; chmod 400 ~root/.ssh/tca_read_rsa.pub; chmod 644 ~root/.ssh/known_hosts;"
    02-add-ssh-keys:
        command: "ssh-add ~root/.ssh/tca_read_rsa"
    03-add-known-hosts:
        command: "echo 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==' > ~root/.ssh/known_hosts"
    04-fix-perm:
        command: "chmod 400 ~root/.ssh/known_hosts"

Elastic beanstalk access private git repo

2 Answers2