Discussion:
Issues with SSH Host Key Verification
Harald Wellmann
2017-03-23 16:45:20 UTC
After upgrading to SSH Slave Plugin 1.15 on Jenkins 2.32.3, I'm getting
warnings about missing SSH key verification which I'm trying to fix.

I've configured Known hosts file verification strategy, I've manually ssh'ed
from my master to my slave, and I've checked there's an entry in my
.ssh/known_hosts on master which looks like

slave2.example.com ecdsa-sha2-nistp256 AAAA...v+2Uc0=

Despite that, I'm getting the following error when launching the agent:

[03/23/17 13:10:38] [SSH] Opening SSH connection to slave2.example.com:22.
[03/23/17 13:10:38] [SSH] WARNING: No entry currently exists in the Known Hosts file for this host. Connections will be denied until this new host and its associated key is added to the Known Hosts file.
Key exchange was not finished, connection is closed.
java.io.IOException: There was a problem while connecting to slave2.example.com:22
at com.trilead.ssh2.Connection.connect(Connection.java:818)
at com.trilead.ssh2.Connection.connect(Connection.java:687)
at com.trilead.ssh2.Connection.connect(Connection.java:601)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1265)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:790)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:785)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
at com.trilead.ssh2.Connection.connect(Connection.java:770)
... 9 more
Caused by: java.io.IOException: The server hostkey was not accepted by the verifier callback
at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:535)
at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
... 1 more
[03/23/17 13:10:38] Launch failed - cleaning up connection
[03/23/17 13:10:38] [SSH] Connection closed.

Any ideas what's wrong here?

Thanks,
Harald
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAC-wabt7GXyv_3bh7txhzsofVVzYYVm07Hyn4n7sbHURWni2OA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Harriet Severino
2017-03-23 20:24:41 UTC
Can you ssh from master to slave and back as the jenkins user? If not, look
at your ssh setup. SSH is picky about the permissions of all the files under
~/.ssh.
Harald Wellmann
2017-03-24 08:31:18 UTC
Yes, I can ssh both ways. The problem seems to be that the SSH lib used by
Jenkins does not support newer ciphers like ecdsa-sha2-nistp256.

After deleting the known_hosts entry and creating a new one via

ssh -o HostKeyAlgorithms=ssh-rsa slave2.example.com

Jenkins no longer complains.

I'm not a security expert, but it seems that I'm now using a less robust
cipher than before, so this is more of a workaround than a solution.

Regards,
Harald
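
The situation described in this thread, an entry that exists in known_hosts but only under a key type the client cannot verify, can be told apart from a genuinely missing entry. The following is an added example, not part of the original thread and not the plugin's code: it parses a known_hosts file (plain, comma-separated, `[host]:port` and hashed entries) and classifies a host. The supported set `ssh-rsa`/`ssh-dss` is an assumption for illustration, and the sample file and key blobs are constructed.

```python
import base64
import hashlib
import hmac

# Assumption for illustration: the client library verifies only these key types.
CLIENT_SUPPORTED = {"ssh-rsa", "ssh-dss"}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
slave2.example.com ecdsa-sha2-nistp256 AAAAplaceholder1=
slave3.example.com,192.0.2.13 ssh-rsa AAAAplaceholder2=
[slave4.example.com]:2222 ssh-ed25519 AAAAplaceholder3=
@revoked slave3.example.com ssh-rsa AAAAplaceholder4=
"""


def hashed_match(pattern, name):
    """Match a hashed entry: |1|<b64 salt>|<b64 HMAC-SHA1(salt, name)>."""
    parts = pattern.split("|")
    if len(parts) != 4:
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def host_matches(patterns, host, port=22):
    """Exact and hashed matching only; wildcard/negated patterns are not handled."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for pattern in patterns.split(","):
        if pattern.startswith("|1|"):
            if hashed_match(pattern, name):
                return True
        elif pattern == name:
            return True
    return False


def key_types_for(text, host, port=22):
    """Return the key types of plain (unmarked) entries recorded for host."""
    types = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @revoked / @cert-authority lines
            continue
        if host_matches(fields[0], host, port):
            types.add(fields[1])
    return types


def diagnose(text, host, port=22, supported=CLIENT_SUPPORTED):
    found = key_types_for(text, host, port)
    if not found:
        return "no-entry"
    if found & supported:
        return "ok"
    return "unsupported-key-type-only"


if __name__ == "__main__":
    for h in ("slave2.example.com", "slave3.example.com", "missing.example.com"):
        print(h, diagnose(SAMPLE_KNOWN_HOSTS, h))
```

Run it against the known_hosts file of the account that actually runs Jenkins; a result of `unsupported-key-type-only` means the host key is recorded but not in a form the client will accept.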
Steven R. Loomis
2017-03-29 17:24:29 UTC
Thank you! I added this workaround to https://issues.jenkins-ci.org/browse/JENKINS-42959
'Derek Hazell' via Jenkins Users
2017-06-05 03:53:17 UTC
Thanks Harald.

Your post was very helpful - I was coming across the same issue where our
Windows Jenkins host could not connect to our Linux slaves.

"ssh -o HostKeyAlgorithms=ssh-rsa ..." fixed our issue.

It seems that our Jenkins server (2.46.3) doesn't like me using
ecdsa-sha2-nistp256 cipher whereas use of ssh-rsa cipher allows Jenkins to
talk to the slaves.

regards
Brian Wilson
2017-03-31 18:02:00 UTC
I logged in to the Master server and sudo (sudo -su <user>) to the user
running the Jenkins war file. I ran the ssh command to connect to each of
the Jenkins Agent machines and had no issue connecting. I did this with
both the machine name and the fully qualified domain name (e.g. machine1,
and machine1.company-name.com). From what I could see the ssh
~/.ssh/known_hosts file contained valid information on the Agent machines
and had correct permissions of 644.

On the Jenkins Master, I went to the Nodes, Agent, Configure page and
switched from the "Known hosts file Verification Strategy" to the "Manually
trusted key Verification Strategy" then brought the Agents online with no
issues. I then switched the Agent configuration back to the "Known hosts
file Verification Strategy", took the Agents offline and brought them back
online again with no issues.

I looked at the time stamp on the ~/.ssh/known_hosts file and verified its
contents hadn't changed. It's almost as if the known_hosts file being
checked isn't the file for the user id executing the Jenkins war file.
Either way, this is an issue that needs to be addressed sooner rather than
later.
Brian Wilson
2017-03-31 18:28:31 UTC
I logged in to the Master server in a command line shell and sudo'd (sudo
-su <user>) to the user running the Jenkins war file. I ran the ssh command
to connect to each of the Jenkins Agent machines and had no issue
connecting. I did this with both the machine name and the fully qualified
domain name (e.g. machine1, and machine1.company-name.com). From what I
could see the ssh ~/.ssh/known_hosts file contained valid information on
the Agent machines and had correct permissions of 644.

On the Jenkins Master web page, I went to the Nodes, Agent, Configure page
(http://<master>:8080/computer/<agent>/) and switched from the "Known hosts
file Verification Strategy" to the "Manually trusted key Verification
Strategy" then brought the Agents online with no issues. I then switched
the Agent configuration back to the "Known hosts file Verification
Strategy", took the Agents offline and brought them back online again with
no issues.

I looked at the time stamp on the ~/.ssh/known_hosts file and verified its
contents hadn't changed. It's almost as if the known_hosts file being
checked isn't the file for the user id executing the Jenkins war file.
Either way, this is an issue that needs to be addressed sooner rather than
later.