Bitbucket Pipelines: pipe ssh-run works but scp-deploy doesn't

Jessica Zalzman July 21, 2023

A few months back, I created a pipeline to deploy files from bitbucket to a remote server (Dreamhost). It was working up until Dreamhost automatically changed our server name and address. I thought it would just be a matter of reconfiguring ssh keys, but I've been troubleshooting for days and can't seem to figure out what the solution is.

In my pipeline, I'm able to run the ssh-run pipe just fine and am able to create an empty directory on the remote Dreamhost server (which makes me think this isn't an ssh issue?). However, the next step uses scp-deploy to try to ADD files to that newly created directory (which exists), and the pipeline fails there.

Has anyone else had trouble with scp-deploy and/or does anyone have an alternative way to deploy files to a remote server in pipelines? 


Here are the two steps I'm referring to (with sensitive information removed):



And the error I get is: "Host key verification failed."


Other notes:

  • I'm unable to fetch the fingerprint of the remote host in the 'SSH KEYS' section of the repository settings
  • I've tried adding my own SSH key (which works when I SSH through terminal) as a repository variable and using it in the pipeline
  • I've added Bitbucket to Dreamhost's known hosts file and have also ensured that the SSH keys I'm using have been added to Dreamhost's authorized keys file

1 answer

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 25, 2023

Hi Jessica and welcome to the community!

The error message "Host key verification failed." doesn't have anything to do with the SSH keys you set up to connect to your server. When connecting to a server over SSH, one of the first things that SSH will do is to verify if the server's fingerprint matches with any entry on the local known_hosts file (in this case in Pipelines's known hosts), unless the flag StrictHostKeyChecking=no is used.

The pipe ssh-run uses this flag, which is why it is able to connect to your server. However, the pipe scp-deploy does not use this flag and, since your server's fingerprint has not been added to the Known Hosts (from Repository settings), it fails.

You mentioned that you are unable to fetch the fingerprint of the remote host in the 'SSH KEYS' section of the Repository settings. What error do you get when you try to do that? Please keep in mind that if you use a custom port for SSH, you need to specify that as well when fetching the fingerprint.

Kind regards,
Theodora

Jessica Zalzman July 25, 2023

Theodora,

Thank you for your response!

When I'm unable to fetch the fingerprint, all the error message says is: "Unable to fetch fingerprints, check host SSH connection and try again". I've tried using the Dreamhost hostname, ip address, and the ip address with the port on the end as well, but sadly no luck with any of those. 

I also just tried adding " EXTRA_ARGS: ['StrictHostKeyChecking=no']" to the scp-deploy pipe but I still get the same error message as before. Shouldn't scp-deploy work with that flag if ssh-run is working?

-Jessica Zalzman

Theodora Boudale
Atlassian Team
July 26, 2023

Hi Jessica,

Instead of disabling StrictHostKeyChecking, I would suggest the following:

Add in the script of your bitbucket-pipelines.yml file the following command before the scp-deploy pipe:

- ssh-keyscan your.domain >> ~/.ssh/known_hosts

where you replace your.domain with the domain name of your server. Since the ssh-run pipe can connect to your server from the build, this command should be successful and it should add the fingerprint of your server to the known_hosts file of the Pipelines build. Then, the scp-deploy pipe should work.

I believe the EXTRA_ARGS variable should be

EXTRA_ARGS: ['-o', 'StrictHostKeyChecking=no']

However, I would not recommend doing that.

You can also create a ticket with the support team to look into why the fingerprint cannot be fetched from the website, when the Pipelines build can access your server via SSH. If you want to create the ticket yourself you can create it via https://support.atlassian.com/contact/#/, in "What can we help you with?" select "Technical issues and bugs" and then Bitbucket Cloud as product. Otherwise, let me know and I can create the ticket for you.

Kind regards,
Theodora
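
The known_hosts step suggested above trusts whatever key ssh-keyscan returns during the build. As an added example (not part of the thread and not Atlassian's code), this shell function appends the scanned key only when it matches a key obtained out of band; `pin_host_key`, `sample_scan` and the `PINNED_HOST_KEY` variable are hypothetical names, and the key value is a constructed placeholder.

```shell
#!/bin/sh
# Assumed usage in the bitbucket-pipelines.yml script, before scp-deploy:
#   ssh-keyscan -t ed25519 your.domain > /tmp/scan
#   pin_host_key your.domain ssh-ed25519 "$PINNED_HOST_KEY" /tmp/scan ~/.ssh/known_hosts
# PINNED_HOST_KEY is a hypothetical repository variable holding the base64
# key blob copied from the server itself (not from a scan over the network).
# With a custom SSH port, ssh-keyscan -p prints the host as "[host]:port";
# pass HOST in exactly that form.

# Constructed placeholder, not a real host key.
SAMPLE_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealHostKey0000000"

# Constructed ssh-keyscan output: banner comments plus "host type key" lines.
sample_scan() {
    printf '# your.domain:22 SSH-2.0-OpenSSH_8.9\n'
    printf 'your.domain ssh-ed25519 %s\n' "$SAMPLE_KEY"
    printf '[your.domain]:2222 ssh-ed25519 %s\n' "$SAMPLE_KEY"
}

# pin_host_key HOST KEYTYPE EXPECTED_KEY SCAN_FILE KNOWN_HOSTS
# Returns 0 if the key matched (and is now in KNOWN_HOSTS),
#         1 if the scanned key differs from the pinned one,
#         2 if the scan has no key of that type for HOST.
pin_host_key() {
    host=$1; want_type=$2; want_key=$3; scan=$4; known=$5

    # Exact string match on host and key type; '#' banner lines never match.
    line=$(awk -v h="$host" -v t="$want_type" \
        '$1 == h && $2 == t { print; exit }' "$scan")
    if [ -z "$line" ]; then
        echo "no $want_type key for $host in scan output" >&2
        return 2
    fi

    got_key=$(printf '%s\n' "$line" | awk '{ print $3 }')
    if [ "$got_key" != "$want_key" ]; then
        echo "host key for $host does not match the pinned key" >&2
        return 1
    fi

    mkdir -p "$(dirname "$known")"
    touch "$known"
    # Append only once so repeated builds do not grow the file.
    grep -qxF -- "$line" "$known" || printf '%s\n' "$line" >> "$known"
}
```

A non-zero return should fail the build step, so scp-deploy never runs against a host whose key has changed unexpectedly.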

Jessica Zalzman July 26, 2023

@Theodora Boudale ,

I tried both of those methods and neither worked :/ I'm still getting a "Host Key Verification failed" error. If you could create this ticket for me, that would be very much appreciated! Let me know what you need from me, if anything.

Thank you for all of your help!

Igor Stoyanov
Atlassian Team
July 27, 2023

@Jessica Zalzman hi. Have you tried to connect via scp without pipe usage?
Also take a look at these articles:
host-key-verification-failed-when-i-use-scp , fix-host-key-verification-failed 

Regards, Igor

Jessica Zalzman July 27, 2023

@Igor Stoyanov Thank you for your suggestion! Unfortunately, I've already removed the old server name from my known hosts. However, I'm under the impression that this only affects my local server (I ran that ssh-keygen -R command in my own terminal on my computer), and not the Bitbucket server. I'm not sure how to manually modify the known_hosts file for Bitbucket. Any thoughts on this?

As for running this all without pipelines, it's doable but not the type of automation we want. We had pipelines firing with every pull request and on certain pushes to specific branches. We don't want to have to run a local script manually anytime we want to deploy.

Igor Stoyanov
Atlassian Team
July 27, 2023
Theodora Boudale
Atlassian Team
July 28, 2023

Hi Jessica,

I see that you already created a support ticket for this issue, so the engineer working on it can review your Pipelines build log and investigate further.

Kind regards,
Theodora
