
Self-connecting via SSH on GitHub Actions

I cannot find a way to use the running SSH server on GH Actions. When I try to connect to 127.0.0.1 via ssh, there is a server and it responds, but it somehow ignores the configuration files in .ssh (or whatever the case may be).

Here is the script I used (the general setup does not seem to influence the results):

ssh-keygen -t ed25519 -f ~/.ssh/whatever -N ''
cat > ~/.ssh/config <<EOF
Host host.example
    User $USER
    HostName 127.0.0.1
    IdentityFile ~/.ssh/whatever
EOF
echo -n 'from="127.0.0.1" ' | cat - ~/.ssh/whatever.pub > ~/.ssh/authorized_keys
ssh -o 'StrictHostKeyChecking no' host.example id

I am not satisfied with the results, since I cannot reproduce the log locally (every machine I have behaves normally, i.e. allows executing the command).

Generating public/private ed25519 key pair.
Created directory '/home/runner/.ssh'.
Your identification has been saved in /home/runner/.ssh/whatever.
Your public key has been saved in /home/runner/.ssh/whatever.pub.
The key fingerprint is:
SHA256:2ZCprVg5rZXp0IguQlCanUVTlCX7IFt2TPTnimdk0gM runner@fv-az60
The key's randomart image is:
+--[ED25519 256]--+
|  ..+o+++        |
| = o ..= +       |
|+ o . = E . .    |
|.    * @ O o     |
| .  o B S * .    |
|.  . o B = o     |
|. . o o o +      |
| . .     o       |
|                 |
+----[SHA256]-----+
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
runner@127.0.0.1: Permission denied (publickey,password).
##[error]Process completed with exit code 255.
Arusekk asked Oct 28 '25 05:10


1 Answer

This is a permissions issue. By default, the permissions on the home folder in the container are too broad for the ssh daemon to accept (world/others read/write), so the server-side rejects your connection. Removing world/others read/write permission on your home directory fixes this issue.

To fix, add the following to your script, just before the ssh call. This command removes the others read/write permission on the home directory:

chmod og-rw ~

Evidence:

name: ssh-example
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Run a multi-line script
      run: |
        ssh-keygen -t ed25519 -f ~/.ssh/whatever -N ''
        cat > ~/.ssh/config <<EOF
          Host host.example
           User $USER
           HostName 127.0.0.1
           IdentityFile ~/.ssh/whatever
        EOF
        echo -n 'from="127.0.0.1" ' | cat - ~/.ssh/whatever.pub > ~/.ssh/authorized_keys
        echo "Before fixing permissions on authorized_keys, notice home directory is world read/write"
        ls -la ~/.ssh
        ssh -o 'StrictHostKeyChecking no' host.example id || echo "ssh failed as expected... trying to fix permissions"
        chmod og-rw ~
        echo "After fixing permissions on home folder ~ ..."
        ls -la ~/.ssh
        ssh -o 'StrictHostKeyChecking no' host.example id

Output from the GitHub Action:

Generating public/private ed25519 key pair.
Created directory '/home/runner/.ssh'.
Your identification has been saved in /home/runner/.ssh/whatever.
Your public key has been saved in /home/runner/.ssh/whatever.pub.
The key fingerprint is:
SHA256:vKl342+LK4YP7Kj00Eqm1Jnst/7ED3Pzu/6TPOiHoUc runner@fv-az76
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|                 |
|                 |
|       .         |
|        S        |
|  o.o..  o E     |
| .==. o*ooo = .  |
|.=.+ +ooO.==.*   |
|. oo=o==.=B@Boo  |
+----[SHA256]-----+
Before fixing permissions on authorized_keys, notice home directory is world read/write
total 24
drwx------ 2 runner docker 4096 Feb 23 21:58 .
drwxrwxrwx 8 runner docker 4096 Feb 23 21:58 ..
-rw-r--r-- 1 runner docker  113 Feb 23 21:58 authorized_keys
-rw-r--r-- 1 runner docker   89 Feb 23 21:58 config
-rw------- 1 runner docker  411 Feb 23 21:58 whatever
-rw-r--r-- 1 runner docker   96 Feb 23 21:58 whatever.pub
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
runner@127.0.0.1: Permission denied (publickey,password).
ssh failed as expected... trying to fix permissions
After fixing permissions on home folder ~ ...
total 28
drwx------ 2 runner docker 4096 Feb 23 21:58 .
drwx--x--x 8 runner docker 4096 Feb 23 21:58 ..
-rw-r--r-- 1 runner docker  113 Feb 23 21:58 authorized_keys
-rw-r--r-- 1 runner docker   89 Feb 23 21:58 config
-rw-r--r-- 1 runner docker  222 Feb 23 21:58 known_hosts
-rw------- 1 runner docker  411 Feb 23 21:58 whatever
-rw-r--r-- 1 runner docker   96 Feb 23 21:58 whatever.pub
uid=1001(runner) gid=115(docker) groups=115(docker)
Chuck T. answered Oct 31 '25 11:10
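A pre-flight check for the failure shown in the answer above, as an added example that is not part of the original post: it walks from `authorized_keys` up to the home directory and reports every path that is group- or world-writable or wrongly owned. It assumes the server runs with OpenSSH's default `StrictModes`; the function names `strictmodes_check` and `make_runner_like_home` and the temporary sandbox are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumption: sshd runs with
# OpenSSH's default StrictModes, which wants the key file and every directory
# up to the home directory owned by the user or root and not group/world-writable.

# strictmodes_check HOME_DIR FILE
# Prints each offending path. Returns 0 if clean, 1 on a finding, 2 on misuse.
strictmodes_check() {
    local home path rc uid
    home=${1%/}; path=$2; rc=0; uid=$(id -u)
    case "$path" in
        "$home"/*) [ -e "$path" ] || { echo "missing: $path" >&2; return 2; } ;;
        *) echo "not under $home: $path" >&2; return 2 ;;
    esac
    while :; do
        # -perm -020 / -perm -002: group-write or other-write bit is set
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group/others: $(ls -ld "$path")"
            rc=1
        fi
        if [ -n "$(find "$path" -prune ! -user "$uid" ! -user 0 -print)" ]; then
            echo "not owned by uid $uid or root: $path"
            rc=1
        fi
        [ "$path" = "$home" ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

# Constructed sandbox with the modes from the runner's `ls -la` output above:
# home 777, .ssh 700, authorized_keys 644. Prints the sandbox path.
make_runner_like_home() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh"; chmod 644 "$d/.ssh/authorized_keys"; chmod 777 "$d"
    printf '%s\n' "$d"
}

demo=$(make_runner_like_home)
echo "== before chmod og-rw"
strictmodes_check "$demo" "$demo/.ssh/authorized_keys" || true
chmod og-rw "$demo"
echo "== after chmod og-rw"
strictmodes_check "$demo" "$demo/.ssh/authorized_keys" && echo "clean"
rm -rf "$demo"
```

In a workflow step, calling `strictmodes_check "$HOME" "$HOME/.ssh/authorized_keys"` before the `ssh` command turns the opaque `Permission denied (publickey,password)` into a named path and mode.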


