SSH connection issue with Host Key Verification Strategy
81 views
Skip to first unread message
Amedee Van Gasse
Jan 12, 2021, 9:13:58 PM1/12/21
to Jenkins Users
Current Host Key Verification Strategy is Non Verifying Verification Strategy.
This works, but is not secure.
The agent is created using Packer, and Ansible as provisioner, and then started with Terraform.
This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to the .ssh directory of user jenkins.
---
- name: Add the user 'jenkins'
user:
name: jenkins
create_home: yes
home: /home/jenkins
- name: Copy SSH keys
copy:
src: ./files/.ssh
dest: /home/jenkins/
owner: jenkins
mode: 0600
- name: Set permissions on private key
file:
path: /home/jenkins/.ssh/id_ed25519
mode: 0400
- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: jenkins
key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
state: present
exclusive: True
- name: Add the user 'jenkins'
user:
name: jenkins
create_home: yes
home: /home/jenkins
- name: Copy SSH keys
copy:
src: ./files/.ssh
dest: /home/jenkins/
owner: jenkins
mode: 0600
- name: Set permissions on private key
file:
path: /home/jenkins/.ssh/id_ed25519
mode: 0400
- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: jenkins
key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
state: present
exclusive: True
In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH Username with private key". In the field Private Key I have put the content of id_ed25519.
In Jenkins, Manage Jenkins, Manage Nodes I have added a node:
* Launch agents via SSH
* Launch agents via SSH
* Host: DNS name I get from Terraform or AWS console
* Credentials: the SSH username + private key from the previous step
* Host Key Verification Strategy:
--> Non verifying: works, but is not secure
--> Known hosts file: I have no access to files on the server, so I cannot use this
--> Manually provided key: I paste the contents of id_ed25519.pub. Results in WARNING: The SSH key for this host does not match the key required in the connection configuration. Connections will be denied until the host key matches the configuration key.
Key exchange was not finished, connection is closed.
--> Manually trusted key: works, but couldn't I theoretically have a man-in-the-middle attack on the very first connection of a new node?
My questions are:
* Is Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than Non verifying Verification Strategy?
* What are the downsides of Manually trusted key Verification Strategy?
* How come Manually provided key Verification Strategy didn't work?
Ivan Fernandez Calvo
Jan 13, 2021, 3:14:08 PM1/13/21
to Jenkins Users
>* Is Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than Non verifying Verification Strategy
Any verification strategy is more secure than none
>What are the downsides of Manually trusted key Verification Strategy?
You have to manually accept the key on the UI or check the auto accept in the first connection
>How come Manually provided key Verification Strategy didn't work?
I do not have enough data, but this configuration should work, I you think that can be and issue you could open and issue in Jira and I’ll take a look (see https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/doc/TROUBLESHOOTING.md#common-info-needed-to-troubleshooting-a-bug)
For more info check the documentation
I will recommend you to use JCasC to inject the config, in this repo you have an example https://github.com/kuisathaverat/jenkins-issues/tree/master/kex-algorithms
Reply all
Reply to author
Forward
0 new messages