Php exec git pull 脚本与 ssh 不起作用，但手动执行它是有效的

Question

I'm trying to make a script where I can Git pull on my ubuntu server after push to Bitbucket repository. I've setup ssh keys to Bitbucket and it works to do git pull command on the repository but it doesn't work when I try it from php exec.

I've tried chmod commands like /.ssh/bitbucket_rsa like 775 and 777 and chown -R www-data:www-data/.ssh without any luck.

Response:

array (
 0 => 'Host key verification failed.',
 1 => 'fatal: Could not read from remote repository.',
 2 => '',
 3 => 'Please make sure you have the correct access rights',
 4 => 'and the repository exists.',
 )  

Code:

    public function gitPull() {
    try {
        exec("cd " . env("REPO_PATH") . " && git pull 2>&1", $output);
        Log::info($output);
    } catch (\Exception $e) {
        Log::error($e);
    }
    http_response_code(200);
}

Answer 1

I guess you are stuck with the fact that the user www-data can not establish the SSH connection to the git server. I think the simplest was is to create a home directory for the www-data user and create a .ssh directory with the proper permissions, a config file and the key file in there. You could always test the setup as root with

# su - www-data
$ cd <to your repository>
$ git pull

Google for "SSH connections without password" to set it up correctly. And also be aware that SSH refuses to use a key file if the permissions are to loose.

Answer 2

Host key verification failed.

means that ssh could not verify the host key, most likely because there's no known_hosts file in www-data's home/.ssh directory that contains the expected host key for your repo's server.

There's at least two ways to fix that:

• Use ssh-keyscan as described over on Serverfault.se :

   ssh-keyscan -H [hostname] >> /path/to/www-data's_home_directory/.ssh/known_hosts

  You only need to do that once (unless the key changes), but you should check that the key is indeed correct after you run ssh-keyscan .

• Set the GIT_SSH_COMMAND environment variable before running git . You can use this to have ssh use a different known_hosts file:

   export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/path/to/known_hosts"

  Note that the above assumes shell syntax (eg Bash), you may need to adjust for PHP, particularly the export GIT_SSH_COMMAND= part.

Answer 3

I stack with the same problem working with github:

ssh-keyscan -t rsa github.com | tee github-key-temp | ssh-keygen -lf -
cat github-key-temp >> ~/.ssh/known_hosts
cat github-key-temp >> /etc/ssh/ssh_known_hosts

But that is not all, with next command you can check what is goes wrong (run it throught exec or shell_exec (save out put to some log):

ssh -vT git@github.com 2>&1

So, with help of privious command, i understand that in my case: cron run's command via php script, but duaring ssh connection it could not find my keysfile (i have custom name for that file):

cd /etc/ssh/ssh_config.d/
sudo touch <some_name>.conf
sudo echo 'IdentityFile ~/.shh/<custom_key_file_name>' > <some_name>.conf

Or try to add full path to location of your keyfile (~/ = current user home dir). You can check cron user by runing, this can helps to:

shell_exec('whoami');

PS I have no idea if this solution is enough secure. but i think fine.