Issues with SSH Host Key Verification


Harald Wellmann

Mar 23, 2017, 12:45:33 PM
to jenkins...@googlegroups.com
After upgrading to SSH Slave Plugin 1.15 on Jenkins 2.32.3, I'm getting warnings 
about missing SSH key verification which I'm trying to fix.

I've configured Known hosts file verification strategy, I've manually ssh'ed 
from my master to my slave, and I've checked there's an entry in my 
.ssh/known_hosts on master which looks like

slave2.example.com ecdsa-sha2-nistp256 AAAA...v+2Uc0=

Despite that, I'm getting the following error when launching the agent:

[03/23/17 13:10:38] [SSH] Opening SSH connection to slave2.example.com:22.
[03/23/17 13:10:38] [SSH] WARNING: No entry currently exists in the Known Hosts file for this host. Connections will be denied until this new host and its associated key is added to the Known Hosts file.
Key exchange was not finished, connection is closed.
java.io.IOException: There was a problem while connecting to slave2.example.com:22
	at com.trilead.ssh2.Connection.connect(Connection.java:818)
	at com.trilead.ssh2.Connection.connect(Connection.java:687)
	at com.trilead.ssh2.Connection.connect(Connection.java:601)
	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1265)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:790)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:785)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
	at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
	at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
	at com.trilead.ssh2.Connection.connect(Connection.java:770)
	... 9 more
Caused by: java.io.IOException: The server hostkey was not accepted by the verifier callback
	at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:535)
	at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
	at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
	... 1 more
[03/23/17 13:10:38] Launch failed - cleaning up connection
[03/23/17 13:10:38] [SSH] Connection closed.



Any ideas what's wrong here?

Thanks,
Harald

Harriet Severino

Mar 23, 2017, 4:24:41 PM
to Jenkins Users
Can you ssh from master to slave and back as the jenkins user? If not, look at your ssh setup. SSH is picky about the permissions of all the files under ~/.ssh.

Harald Wellmann

Mar 24, 2017, 4:31:34 AM
to jenkins...@googlegroups.com
Yes, I can ssh both ways. The problem seems to be that the SSH lib used by Jenkins does not support newer ciphers like ecdsa-sha2-nistp256.

After deleting the known_hosts entry and creating a new one via

ssh -o HostKeyAlgorithms=ssh-rsa slave2.example.com

Jenkins no longer complains. 

I'm not a security expert, but it seems that I'm now using a less robust cipher than before, so this is more of a workaround than a solution.

Regards,
Harald

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7006ab93-7ca4-4063-baf6-7c844be60165%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
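The two findings in this thread (Harald's: the entry for the agent is present but its key type, ecdsa-sha2-nistp256, is one the bundled SSH library will not accept; Brian's, further down: the file being consulted may not be the one belonging to the user that runs the Jenkins process) are both easy to check from the outside. The following audit script is an added example, not code from the thread or from the SSH Slaves plugin. It parses a known_hosts file in OpenSSH format (plain, comma-separated and `|1|` hashed hostnames, optional `@` markers), checks that each entry's declared key type agrees with the key blob, computes the OpenSSH-style `SHA256:` fingerprint so an entry can be compared against `ssh-keyscan` output, and reports which entries for a given host use a key type outside an assumed accepted set. The set `SUPPORTED_HOSTKEY_ALGS` is an assumption based on what this thread reports working; the sample known_hosts content and its key blobs are constructed filler, not real keys.

```python
"""Audit a known_hosts file for host-key types an older SSH client library
may reject (added example; not from the thread or the Jenkins plugin)."""
import base64
import hashlib
import hmac
import os
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption for illustration: key types this thread reports as accepted by the
# SSH library bundled with the SSH Slaves plugin at the time. Adjust to taste.
SUPPORTED_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}


@dataclass
class KnownHost:
    lineno: int
    marker: Optional[str]      # e.g. "@cert-authority" or "@revoked", else None
    hosts: List[str]           # plain, "[host]:port" or "|1|salt|hash" patterns
    key_type: str              # declared type, second field of the line
    key_b64: str               # base64 key blob, third field of the line


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def fake_key_blob(alg: str) -> str:
    """Constructed key blob: a real blob starts with the algorithm name as an
    SSH string; everything after it here is filler, not key material."""
    blob = _ssh_string(alg.encode()) + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x42" * 32)
    return base64.b64encode(blob).decode()


def blob_algorithm(key_b64: str) -> str:
    """Read the algorithm name embedded at the start of the key blob."""
    raw = base64.b64decode(key_b64)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + n:
        raise ValueError("key blob truncated")
    return raw[4:4 + n].decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host pattern (|1|base64(salt)|base64(HMAC-SHA1))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Match one host pattern against a hostname; hashed patterns are verified
    with HMAC-SHA1, plain ones by exact name or the [host]:22 form. Wildcards
    and negation are not handled here (assumption: not needed for this audit)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return pattern == hostname or pattern == "[%s]:22" % hostname


def parse_known_hosts(text: str) -> List[KnownHost]:
    """Parse known_hosts lines; blank lines and comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            raise ValueError("line %d: malformed known_hosts entry" % lineno)
        entries.append(KnownHost(lineno, marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def audit(text: str, hostname: str, supported=SUPPORTED_HOSTKEY_ALGS) -> Dict[str, bool]:
    """Return {key_type: accepted?} for every entry that applies to hostname.
    Raises if an entry's declared type disagrees with its blob (a corrupt line)."""
    result: Dict[str, bool] = {}
    for e in parse_known_hosts(text):
        if not any(host_matches(h, hostname) for h in e.hosts):
            continue
        if blob_algorithm(e.key_b64) != e.key_type:
            raise ValueError("line %d: declared %s but blob says %s"
                             % (e.lineno, e.key_type, blob_algorithm(e.key_b64)))
        result[e.key_type] = e.key_type in supported
    return result


# Constructed sample mirroring the thread: one ECDSA and one RSA entry for the
# agent, plus a hashed entry for a second host. Blobs are filler, not real keys.
SALT = b"\x10" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are filler, not real keys",
    "slave2.example.com ecdsa-sha2-nistp256 " + fake_key_blob("ecdsa-sha2-nistp256"),
    "slave2.example.com,10.0.0.5 ssh-rsa " + fake_key_blob("ssh-rsa"),
    hash_host("slave3.example.com", SALT) + " ssh-ed25519 " + fake_key_blob("ssh-ed25519"),
])


if __name__ == "__main__":
    # Usage: python audit_known_hosts.py <hostname> [path]; run it as the user
    # that owns the Jenkins process so "~" resolves to the file Jenkins reads.
    target = sys.argv[1] if len(sys.argv) > 1 else "slave2.example.com"
    path = sys.argv[2] if len(sys.argv) > 2 else os.path.expanduser("~/.ssh/known_hosts")
    text = open(path).read() if os.path.exists(path) else SAMPLE_KNOWN_HOSTS
    for key_type, ok in audit(text, target).items():
        print("%s %s %s" % (target, key_type, "accepted" if ok else "NOT accepted by old library"))
```

Run as the service account that starts the Jenkins war (for example via `sudo -u <jenkins-user>`), so that the path it resolves is the one the plugin would read; if the audit for an agent lists only key types outside the accepted set, the plugin will report "No entry currently exists" even though `ssh` on the command line is perfectly happy, which is exactly the symptom in the first post.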

Steven R. Loomis

Mar 29, 2017, 1:24:29 PM
to Jenkins Users
Thank you! I added this workaround to https://issues.jenkins-ci.org/browse/JENKINS-42959

Brian Wilson

Mar 31, 2017, 2:28:31 PM
to Jenkins Users
I logged in to the Master server in a command line shell and sudo'd (sudo -su <user>) to the user running the Jenkins war file. I ran the ssh command to connect to each of the Jenkins Agent machines and had no issue connecting. I did this with both the machine name and the fully qualified domain name (e.g. machine1, and machine1.company-name.com). From what I could see the ssh ~/.ssh/known_hosts file contained valid information on the Agent machines and had correct permissions of 644.

On the Jenkins Master web page, I went to the Nodes, Agent, Configure page (http://<master>:8080/computer/<agent>/) and switched from the "Known hosts file Verification Strategy" to the "Manually trusted key Verification Strategy" then brought the Agents online with no issues. I then switched the Agent configuration back to the "Known hosts file Verification Strategy", took the Agents offline and brought them back online again with no issues.

I looked at the time stamp on the ~/.ssh/known_hosts file and verified its contents hadn't changed. It's almost as if the known_hosts file being checked isn't the file for the user id executing the Jenkins war file. Either way, this is an issue that needs to be addressed sooner rather than later.

Derek Hazell

Jun 4, 2017, 11:54:32 PM
to Jenkins Users
Thanks Harald.

Your post was very helpful - I was coming across the same issue where our Windows Jenkins host could not connect to our Linux slaves.

"ssh -o HostKeyAlgorithms=ssh-rsa ..." fixed our issue

It seems that our Jenkins server (2.46.3) doesn't like me using ecdsa-sha2-nistp256 cipher whereas use of ssh-rsa cipher allows Jenkins to talk to the slaves 

Regards
