SSH connection issue with Host Key Verification Strategy

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

SSH connection issue with Host Key Verification Strategy

Amedee Van Gasse
Current Host Key Verification Strategy is Non Verifying Verification Strategy.
This works, but is not secure.

The agent is created using Packer, and Ansible as provisioner, and then started with Terraform.

This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to the .ssh directory of user jenkins.

---

- name: Add the user 'jenkins'
user:
name: jenkins
create_home: yes
home: /home/jenkins

- name: Copy SSH keys
copy:
src: ./files/.ssh
dest: /home/jenkins/
owner: jenkins
mode: 0600

- name: Set permissions on private key
file:
path: /home/jenkins/.ssh/id_ed25519
mode: 0400

- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: jenkins
key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
state: present
exclusive: True


In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH Username with private key". In the field Private Key I have put the content of id_ed25519.

In Jenkins, Manage Jenkins, Manage Nodes I have added a node:
* Launch agents via SSH
* Host: DNS name I get from Terraform or AWS console
* Credentials: the SSH username + private key from the previous step
* Host Key Verification Strategy:
--> Non verifying: works, but is not secure
--> Known hosts file: I have no access to files on the server, so I cannot use this
--> Manually provided key: I paste the contents of id_ed25519.pub. Results in WARNING: The SSH key for this host does not match the key required in the connection configuration. Connections will be denied until the host key matches the configuration key. Key exchange was not finished, connection is closed.
--> Manually trusted key: works, but couldn't I theoretically have a man-in-the-middle attack on the very first connection of a new node?

My questions are:
* Is Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than Non verifying Verification Strategy?
* What are the downsides of Manually trusted key Verification Strategy?
* How come Manually provided key Verification Strategy didn't work?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/654c1ca0-0e62-4ad2-af11-d5d725958fadn%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: SSH connection issue with Host Key Verification Strategy

kuisathaverat
>* Is Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than Non verifying Verification Strategy

Any verification strategy is more secure than none

>What are the downsides of Manually trusted key Verification Strategy?

You have to manually accept the key on the UI or check the auto accept in the first connection

>How come Manually provided key Verification Strategy didn't work?

I do not have enough data, but this configuration should work, I you think that can be and issue you could open and issue in Jira and I’ll take a look (see https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/doc/TROUBLESHOOTING.md#common-info-needed-to-troubleshooting-a-bug)

For more info check the documentation

I will recommend you to use JCasC to inject the config, in this repo you have an example https://github.com/kuisathaverat/jenkins-issues/tree/master/kex-algorithms

El miércoles, 13 de enero de 2021 a las 3:13:58 UTC+1, [hidden email] escribió:
Current Host Key Verification Strategy is Non Verifying Verification Strategy.
This works, but is not secure.

The agent is created using Packer, and Ansible as provisioner, and then started with Terraform.

This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to the .ssh directory of user jenkins.

---

- name: Add the user 'jenkins'
user:
name: jenkins
create_home: yes
home: /home/jenkins

- name: Copy SSH keys
copy:
src: ./files/.ssh
dest: /home/jenkins/
owner: jenkins
mode: 0600

- name: Set permissions on private key
file:
path: /home/jenkins/.ssh/id_ed25519
mode: 0400

- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: jenkins
key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
state: present
exclusive: True


In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH Username with private key". In the field Private Key I have put the content of id_ed25519.

In Jenkins, Manage Jenkins, Manage Nodes I have added a node:
* Launch agents via SSH
* Host: DNS name I get from Terraform or AWS console
* Credentials: the SSH username + private key from the previous step
* Host Key Verification Strategy:
--> Non verifying: works, but is not secure
--> Known hosts file: I have no access to files on the server, so I cannot use this
--> Manually provided key: I paste the contents of id_ed25519.pub. Results in WARNING: The SSH key for this host does not match the key required in the connection configuration. Connections will be denied until the host key matches the configuration key. Key exchange was not finished, connection is closed.
--> Manually trusted key: works, but couldn't I theoretically have a man-in-the-middle attack on the very first connection of a new node?

My questions are:
* Is Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than Non verifying Verification Strategy?
* What are the downsides of Manually trusted key Verification Strategy?
* How come Manually provided key Verification Strategy didn't work?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c5ccbda7-2ea3-41aa-aac3-f2391b98d287n%40googlegroups.com.