
Update README.md - Jenkinsfile Example - With keyscan to prevent "Host key verification failed" errors#57

Merged
jglick merged 4 commits into jenkinsci:master from mcsage:jenkinsfile-example
Jun 14, 2021

Conversation

@mcsage (Contributor) commented Jun 10, 2021

Added Jenkinsfile example to README - With keyscan to prevent "Host key verification failed" errors

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

mcsage added 2 commits June 10, 2021 16:40
Jenkinsfile Example - With keyscan to prevent "Host key verification failed" errors
README.md (outdated revision under review):

```groovy
steps {
  sshagent (credentials: ['ssh-credentials-id']) {
    sh '[ -d ~/.ssh ] || mkdir ~/.ssh && chmod 0700 ~/.ssh'
    sh 'echo "$(ssh-keyscan -t rsa,dsa example.com)" >> ~/.ssh/known_hosts'
```
Member commented:
Is this something that ought to be a direct feature of the plugin?

Member commented:
compare

```groovy
sh 'ssh -o StrictHostKeyChecking=no -l cloudbees 192.168.1.106 uname -a'
```

@mcsage (Contributor, Author) commented:

Hi @jglick, yes indeed - instead of setting StrictHostKeyChecking=no the plugin should get a feature to manage/automatically import host keys into the known_hosts file/store.

Member commented:
I see. Please file this in Jira, though I do not plan to spend time on such a feature.

@joel-schaal commented Mar 1, 2022:

```groovy
sh 'echo "$(ssh-keyscan -t rsa,dsa example.com)" >> ~/.ssh/known_hosts'
```

This is actually circumventing the actual host verification: if there is a man-in-the-middle, ssh-keyscan -t rsa,dsa example.com will actually return that machine's fingerprint instead of the one from example.com.
If we already have the appropriate entry in known_hosts, this is mitigated by the fact that ssh will complain about multiple entries, but still it is a bit of a bad workaround.
What is actually needed is to provide a static reference of the official fingerprints (config file or something similar, ideally).

Member commented:
You could hard-code such fingerprints, or use the config-file-provider plugin, etc.

Feel free to file an amending PR explaining what you think is a safer practice.
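One way to keep the keyscan convenience while closing the gap joel-schaal describes, as an added example that is not part of this PR or the plugin's README: the expected fingerprint is pinned in the pipeline (the hard-coded option mentioned above), the key returned by ssh-keyscan is accepted only if its ssh-keygen fingerprint matches, and ssh then runs with StrictHostKeyChecking=yes. The credentials id, hostname, user and fingerprint value are placeholders.

```groovy
// Added example, not code from the PR or the plugin. Placeholders:
// 'ssh-credentials-id', example.com, the deploy user and the SHA256 fingerprint.
pipeline {
    agent any
    stages {
        stage('Deploy') {
            steps {
                sshagent(credentials: ['ssh-credentials-id']) {
                    sh '''
                        set -eu
                        host=example.com
                        # Pinned value obtained out of band from the server operator (PLACEHOLDER).
                        expected_fp='SHA256:PLACEHOLDER_REPLACE_WITH_REAL_FINGERPRINT'

                        mkdir -p ~/.ssh && chmod 0700 ~/.ssh

                        # Scan a single key type so exactly one known_hosts line comes back.
                        scanned=$(ssh-keyscan -t rsa "$host" 2>/dev/null)
                        [ -n "$scanned" ] || { echo "no RSA host key returned for $host" >&2; exit 1; }

                        # Fingerprint of the key the network just returned.
                        actual_fp=$(echo "$scanned" | ssh-keygen -lf - | awk '{ print $2 }')

                        # Only a key matching the pinned fingerprint reaches known_hosts;
                        # a mismatch (interception, rotated key) fails the build instead of
                        # being trusted for the rest of the job.
                        if [ "$actual_fp" != "$expected_fp" ]; then
                            echo "host key mismatch for $host: got $actual_fp, expected $expected_fp" >&2
                            exit 1
                        fi
                        echo "$scanned" >> ~/.ssh/known_hosts
                        chmod 0600 ~/.ssh/known_hosts

                        # Strict checking now succeeds against the verified entry and still
                        # refuses a changed key on any later build.
                        ssh -o StrictHostKeyChecking=yes "deploy@$host" uname -a
                    '''
                }
            }
        }
    }
}
```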

mcsage and others added 2 commits June 14, 2021 21:59
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
@jglick jglick merged commit 918c01b into jenkinsci:master Jun 14, 2021