Jenkins fails to checkout Git repository - Host key verification failed

Question

My previously working Jenkins jobs are now failing with an error when checking out the Jenkinsfile from Git, with the message

Checking out git git@github.com:org/repo into C:\Program Files (x86)\Jenkins\workspace\blah@script to read Jenkinsfile
No credentials specified
..... several lines detailing Git operations ....
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from git@github.com:org/repo
.... more trace log ....
stderr: Host key verification failed.
fatal: Could not read from remote repository.

Authentication is via SSH key. Jenkins is running as my local user (visible in the Manage Jenkins > System Information tab, via user.name and user.home, which is correctly set to the directory holding the .ssh directory.

The known_hosts file contains the key for GitHub.

A run of ssh -vT git@github.com produces the following output (with minor substitutions for posting):

local-user>ssh -vT git@github.com
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to github.com [192.30.255.112] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\local-user/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\local-user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version babeld-3e010779
debug1: no match: babeld-3e010779
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:<key, possibly public but removed>
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\local-user/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:<key, probably my public key> C:\\Users\\local-user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([192.30.255.112]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi <MyGitName>! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2560, received 2236 bytes, in 0.3 seconds
Bytes per second: sent 9884.1, received 8633.2
debug1: Exit status 1

The same Jenkinsfile, server configuration and key all worked fine last week. What should I be looking at having accidentally changed? I assume Jenkins is either not finding a key, or finding a wrong key, but I can't see why.

I already checked repository permissions on GitHub, this key's user has Write permission now, but previously it worked even with only Read.

Answer 1

Jenkins was notifying me that a new version was available, so I installed and restarted the instance, and now the problem has disappeared.

For others' reference, the versions were as follows (although this may not have been the problem/solution - perhaps the environment somehow became messed up and the restart was the solution):

Previous: 2.171

New: 2.172

Git plugin version: 2.7.6

Changelog :

What's new in 2.172 (2019-04-10) 
 Security fixes. (security advisory) 
What's new in 2.171 (2019-04-07) 
Community reported issues: 2×JENKINS-43995 2×JENKINS-39203 
 Expose the minimum supported version of remoting to allow future releases to reject incompatible agent connections. (issue 50095) 
 The setup wizard did not properly escape passwords, resulting in errors with certain special characters. (issue 56856) 
 Revert accidental change to hashCode computation of jenkins.util.TreeString in 2.168. (pull 3930) 
 Developer: Add Jelly UI component f:secretTextarea for multi-line secrets analogous to f:password for single-line. (pull 3967, Storing Secrets in Jenkins) 
 Developer: Deprecated Run.getLogFile(), as it is not compatible with JEP-210. (pull 3963)

Security advisory mentioned as the only change in 2.172 links here: security advisory .