Skip to main content

ssh fingerprint authenticity prompt

The authenticity of host can't be established

I faced a weird problem today:

  • A Jenkins post-build job is configured to deploy via scp to a target server
  • Jenkins runs as "integration" user
  • As "integration"  user, I already made sure the server is in "known_hosts", by manually SSH connected to it (when SSH-ing to it, I'm not prompted about the target server's identity anymore)
  • The Jenkins job is still prompted about the target server's identity
What was really weird:
  • From the Jenkins job, the target server's fingerprint is RSA based and is d9:fa:90:e6:2b:d2:f7:92:8b:28:3f:94:1e:bf:1b:fa.
  • From an SSH session, the target server's fingerprint is ECDSA based and is 0d:2a:c3:3b:8f:f1:e9:bc:1f:5d:68:d3:84:6d:71:a8.

This is because

  • The Jenkins SSH plugin I use is not up to date and still use weak and old fashioned algorithms: the negiciation stops at a weak one, DSA.
  • The SSH client (in SSH session) negociation ends up a stronger algorithm, ECDSA.

This is proven by these commands.

To force RSA algorithm:
ssh -o HostKeyAlgorithms=ssh-rsa-cert-v01@openssh.com,\
                         ssh-dss-cert-v01@openssh.com,\
                         ssh-rsa-cert-v00@openssh.com,\
                         ssh-dss-cert-v00@openssh.com,\
                         ssh-rsa,ssh-dss  integration@target-host.rktmb.org

The prompt is:

The authenticity of host 'target-host.rktmb.org (192.168.15.12)' can't be established.
RSA key fingerprint is d9:fa:90:e6:2b:d2:f7:92:8b:28:3f:94:1e:bf:1b:fa.

To let the negociation go on and end up with ECDSA:

ssh integration@target-host.rktmb.org

The prompt is:

The authenticity of host 'target-host.rktmb.org (192.168.15.12)' can't be established.
ECDSA key fingerprint is 0d:2a:c3:3b:8f:f1:e9:bc:1f:5d:68:d3:84:6d:71:a8.



So, in order to add the target host to the "known_hosts", I had to use the command forcing RSA to be used:

ssh -o HostKeyAlgorithms=ssh-rsa-cert-v01@openssh.com,\
                         ssh-dss-cert-v01@openssh.com,\
                         ssh-rsa-cert-v00@openssh.com,\
                         ssh-dss-cert-v00@openssh.com,\
                         ssh-rsa,ssh-dss  integration@target-host.rktmb.org

And then issue the "yes" confirmation.

This way the Jenkins job can smoothly SSH-connect to the target host in order to deploy.

Thanks to http://askubuntu.com/a/217066 and https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/

Popular posts from this blog

npm run build base-href

Using NPM to specify base-href When building an Angular application, people usually use "ng" and pass arguments to that invocation. Typically, when wanting to hard code "base-href" in "index.html", one will issue: ng build --base-href='https://ngx.rktmb.org/foo' I used to build my angular apps through Bamboo or Jenkins and they have a "npm" plugin. I got the habit to build the application with "npm run build" before deploying it. But the development team once asked me to set the "--base-href='https://ngx.rktmb.org/foo'" parameter. npm run build --base-href='https://ngx.rktmb.org/foo did not set the base href in indext.html After looking for a while, I found https://github.com/angular/angular-cli/issues/13560 where it says: You need to use −− to pass arguments to npm scripts. This did the job! The command to issue is then: npm run build -- --base-href='https://ngx.rktmb.org/foo&
Read more

Jenkins invalid privatekey

Publish over SSH, Message "invalid privatekey:" With quite recent (June-July 2020) installations of Jenkins and OpenSSH, I have the following error message when using the "Deploy overs SSH" Jenkins plug-in and publishing artifacts to the target overs SSH: jenkins.plugins.publish_over.BapPublisherException: Failed to add SSH key. Message [invalid privatekey: [B@d8d395a] This problem seems to be referenced here: https://issues.jenkins-ci.org/browse/JENKINS-57495 Just regenerate a key with the right parameters To solve it: ssh-keygen -t rsa -b 4096 Or ssh-keygen -t rsa -b 4096 -m PEM
Read more

AzureCLI Custom Python

Installing Azure CLI on Archlinux When trying to install Azure CLI on Archlinux, I follow the documentation, in the "script" tab , and it leads to the following errors: [mihamina@arch-00 ~]$ curl -L https://aka.ms/InstallAzureCli | bash [...] Running install script. -- Verifying Python version. -- Python version 3.11.3 okay. [...] -- Executing: ['/usr/bin/python3', 'virtualenv.py', '--python', '/usr/bin/python3', '/home/mihamina/lib/azure-cli'] /tmp/tmpn0w4l6w9/virtualenv-16.7.11/virtualenv.py:24: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives import distutils.spawn /tmp/tmpn0w4l6w9/virtualenv-16.7.11/virtualenv.py:25: DeprecationWarning: The distutils.sysconfig module is deprecated, use sysconfig instead import distutils.sysconfig Already using interpreter /u
Read more