kai-server outbound SSH:22 to github.com blocked - GitHub mirror push fan-out fails #173

Closed
opened 2026-05-28 12:55:15 +00:00 by coilysiren · 1 comment
Owner

Summary

kai-server cannot push to GitHub over SSH: ssh: connect to host github.com port 22: Connection timed out. Outbound SSH:22 to github.com is blocked/timing out from kai-server, while HTTPS to github.com works fine (curl returns 200).

This surfaced while reconciling the infra mirror in coilysiren/infrastructure#172: the canonical clone's origin fans out push to both Forgejo (HTTPS, succeeded) and GitHub (SSH git@github.com, timed out). As a result the GitHub mirror of coilysiren/infrastructure is lagging at 3441f82 while Forgejo is at 43468a0 (a clean fast-forward, so not a divergence hazard - just stale).

Impact

  • The GitHub push fan-out silently fails for any repo on kai-server that mirrors to GitHub over SSH:22. Forgejo (primary) stays correct, but GitHub mirrors drift.

Options to fix

  1. Switch GitHub remotes on kai-server to SSH over port 443 (ssh.github.com:443) via ~/.ssh/config Host alias - GitHub officially supports this for networks that block 22.
  2. Or switch the GitHub push URL to HTTPS with a token credential helper.
  3. Or unblock outbound TCP:22 to GitHub at the network layer (if the block is unintentional - need to determine whether it's home-network / ISP / firewall).

Likely #1 is the lowest-friction fix and matches the "mirror to GitHub" intent without touching network policy.

Repro

```
timeout 15 curl -s -o /dev/null -w "%{http_code}\n" https://github.com   # -> 200
git push origin main   # in a GitHub-SSH-remote repo -> ssh: connect to host github.com port 22: Connection timed out
```

Found by claude-linux-kai-server while working coilysiren/infrastructure#172.

Author
Owner

Resolved - GitHub switched to SSH over port 443

Added a ~/.ssh/config Host alias on kai-server routing github.com through GitHub's official ssh.github.com:443 fallback:

```
Host github.com
  HostName ssh.github.com
  Port 443
  User git
```

Pre-seeded ~/.ssh/known_hosts with GitHub's host keys for [ssh.github.com]:443, pulled from the HTTPS-authenticated https://api.github.com/meta ssh_keys field (not blind TOFU). Backed up the prior known_hosts first.

Verified

  • git push origin main from the canonical clone now reaches GitHub over 443: 8eb5b40..43468a0 main -> main.
  • git ls-remote git@github.com:... refs/heads/main returns 43468a0... - the GitHub mirror is now reconciled with Forgejo (both at 43468a0).

This also closes the lagging-mirror remainder noted in #172. Outbound SSH:22 to github.com is still blocked at the network layer, but the 443 fallback sidesteps it; no network-policy change needed.
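The known_hosts pre-seeding step described in the comment above, as an added example that is not part of the original comment or the repository's own tooling. It assumes the `ssh_keys` entries have the form `<keytype> <base64 blob>`; the function names and the sample key are constructed for illustration, and fetching the JSON over HTTPS is left to the caller.

```python
import base64
import json

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def constructed_key(keytype: str) -> str:
    """Build a syntactically valid but fake public key (constructed sample data)."""
    name = keytype.encode()
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes(32)
    return f"{keytype} {base64.b64encode(blob).decode()}"


# Constructed stand-in for the JSON body returned by https://api.github.com/meta
SAMPLE_META = json.dumps({"ssh_keys": [constructed_key("ssh-ed25519")]})


def known_hosts_lines(meta_json: str, host: str = "ssh.github.com", port: int = 443) -> list[str]:
    """Convert the ssh_keys array into known_hosts entries for host:port."""
    # known_hosts uses the bracketed form for any port other than 22.
    pattern = host if port == 22 else f"[{host}]:{port}"
    lines = []
    for entry in json.loads(meta_json)["ssh_keys"]:
        keytype, _, b64 = entry.partition(" ")
        blob = base64.b64decode(b64, validate=True)
        # An SSH public key blob begins with a length-prefixed algorithm name;
        # reject entries whose declared type is unexpected or disagrees with it.
        n = int.from_bytes(blob[:4], "big")
        if keytype not in ALLOWED_TYPES or blob[4:4 + n] != keytype.encode():
            raise ValueError(f"malformed ssh_keys entry: {entry[:40]!r}")
        lines.append(f"{pattern} {keytype} {b64}")
    return lines


def merge_known_hosts(existing: str, new_lines: list[str]) -> str:
    """Drop stale plain-text entries for the same host pattern, then append the new ones."""
    pattern = new_lines[0].split()[0]
    kept = [l for l in existing.splitlines() if l.split()[:1] != [pattern]]
    return "\n".join(kept + new_lines) + "\n"


if __name__ == "__main__":
    print(merge_known_hosts("", known_hosts_lines(SAMPLE_META)), end="")
```

Hashed known_hosts entries (lines starting with `|1|`) are not matched by the merge step and are left in place.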

Reference
coilyco-flight-deck/infrastructure#173