Jenkins / JENKINS-45650

CLI known_hosts support fails on non-standard SSH ports

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: cli
    • Labels:
      None
    • Environment:
      Jenkins 2.60.1 cli on RedHat Enterprise Linux 7

      Description

      When using the CLI to connect to the Jenkins master with the SSH protocol, the CLI tries to load the known_hosts file. When it encounters entries with custom ports, the parsing fails and the file is not loaded.

      $ java -jar jenkins-cli.jar -s https://server:8443/jenkins -ssh -user userid who-am-i
      Jul 19, 2017 3:17:48 PM org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier acceptIncompleteHostKeys
      WARNING: Failed (StreamCorruptedException) to reload server keys from /home/userid/.ssh/known_hosts: Failed (IllegalArgumentException) to parse line #94 '[server]:55999,[10.171.40.57]:55999 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXA0S0x3vxR/lXan6EKBwc5rN4Omij2UpkvtiWqDOm5B4m8d+Exn59EJMKgiez+zCITm0bRa22pEvjPu2AD7EXz4rMoW5S042Fqv7iQYMiGsmSz4y7J4+kSnNemUe1wH04VTKZ/BNes4FcTGzCN0ah2q6nIb0gEbVeXHnWhEdFccRyLdCAXV//v4p+xkzegJM6nJDE1qwTl2SLicDfc++8B5kYfDG90nSeYtxsBWTxpILOO4Nsln4aeMkL4KwtHfgBhYc1vE6jyuf08KIgmJ3jdRf/foeZjB5aVR1GycF9e0cvTb81Xo6eBa9YCjCYWZXP1jMuPn4LhD1CyFma+FsX': Invalid host pattern char in [server]:55999
      Jul 19, 2017 3:17:48 PM hudson.cli.SSHCLI$1 verifyServerKey
      WARNING: Unknown host key for server/10.171.40.57:55999
      Authenticated as: userid
      Authorities:
        authenticated
      

      When the offending line is removed, things are even worse, since the parsing succeeds but it gets the regular server SSH key (from port 22) instead of the Jenkins one (from 55999), and the connection fails:

      $ java -jar jenkins-cli.jar -s https://server:8443/jenkins -ssh -user userid who-am-i
      Jul 19, 2017 3:09:55 PM org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier acceptModifiedServerKey
      WARNING: acceptModifiedServerKey(ClientSessionImpl[userid@server/10.171.40.57:55999]) mismatched keys presented by server/10.171.40.57:55999 for entry=server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6Z9rzxO2B847/BfIeCHTniW+sKlOwp/y7gAAZsIqo4iBi3IjjQkCAk22S9AAMLN1pJ23LnlWPYkbHMg9WoO/pbTYalsoGmeXnNYHw9zq+1ky3fF82Q7qQib3s0gVMdYIyjPq8axOEEMKTvE165MkH9M+38WzLzIo/KgZ760Q18TjTE6Or3agYijUfocIL4cYZ8T8T5U314RIhZ7CleYvfeCJJhFTcbfU1u1JQjBCVI43oCrTCg0U+B/IziAG+UQxtr4QmHn1B4gb4RlWh1/bslnioYzS4RMSOcKbilIZeecUR3wEyIA36MHcdQ8yg9E1eMgqyGsOux4o9vU9+tobKw==: expected=ssh-rsa-SHA256:ISYrqAqAcAsbKg9qKWEBRnro3cNrzrVjvwp0QUkooUA, actual=ssh-rsa-SHA256:Ii0dTlky9upQj6lgvXfDQL1CqUPB6RnvDntzkc+DaF0
      Jul 19, 2017 3:09:55 PM org.apache.sshd.common.session.helpers.AbstractSession exceptionCaught
      WARNING: exceptionCaught(ClientSessionImpl[userid@server/10.171.40.57:55999])[state=Opened] SshException: Server key did not validate
      Jul 19, 2017 3:09:55 PM org.apache.sshd.common.session.helpers.AbstractSession disconnect
      INFO: Disconnecting(ClientSessionImpl[userid@server/10.171.40.57:55999]): SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - Server key did not validate
      org.apache.sshd.common.SshException: Server key did not validate
              at org.apache.sshd.client.session.AbstractClientSession.checkKeys(AbstractClientSession.java:543)
              at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:580)
              at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:528)
              at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:463)
              at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1325)
              at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:424)
              at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:67)
              at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:285)
              at org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:265)
              at org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:262)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:37)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:34)
              at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
              at sun.nio.ch.Invoker$2.run(Invoker.java:218)
              at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      

      Also, in this case the CLI adds the Jenkins SSH key to known_hosts without a port, so the entry conflicts with the regular SSH key.

      Please add support for custom ports in known_hosts. This is perfectly valid according to sshd(8):

      SSH_KNOWN_HOSTS FILE FORMAT
      ...
      A hostname or address may optionally be enclosed within `[' and `]' brackets then followed by `:' and a non-standard port number.
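
The bracketed `[host]:port` form quoted above from sshd(8), as an added example that is not part of the original report and is not Jenkins or Apache SSHD code: a simplified port-aware known_hosts matcher in Python. The sample file and key placeholders are constructed; the matcher assumes plain-text entries only (no hashed hosts, wildcards or markers) and treats a bare host name as port 22.

```python
import re

DEFAULT_PORT = 22
# "[host]:port" form from the SSH_KNOWN_HOSTS FILE FORMAT section of sshd(8)
BRACKETED = re.compile(r"^\[([^\]]+)\]:(\d{1,5})$")

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed known_hosts sample
server ssh-rsa PLACEHOLDER_PORT22_KEY
[server]:55999,[10.171.40.57]:55999 ssh-rsa PLACEHOLDER_JENKINS_KEY
"""

def split_pattern(pattern):
    """Return (host, port) for one host pattern; a bare name means port 22."""
    m = BRACKETED.match(pattern)
    if m:
        return m.group(1).lower(), int(m.group(2))
    if "[" in pattern or "]" in pattern:
        raise ValueError("malformed host pattern: %r" % pattern)
    return pattern.lower(), DEFAULT_PORT

def parse_known_hosts(text):
    """Yield (host, port, key_type, key_blob) for each plain-text entry."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, @markers and hashed (|1|...) entries.
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for pattern in fields[0].split(","):
            host, port = split_pattern(pattern)
            yield host, port, fields[1], fields[2]

def lookup(text, host, port=DEFAULT_PORT):
    """Port-aware lookup: only entries recorded for this host AND port."""
    return [(t, k) for h, p, t, k in parse_known_hosts(text)
            if h == host.lower() and p == port]

def lookup_ignoring_port(text, host):
    """Port-blind match, for contrast: also returns the port-22 key
    when the connection is actually going to port 55999."""
    return [(t, k) for h, p, t, k in parse_known_hosts(text)
            if h == host.lower()]
```

With the port-aware lookup, a connection to `server:55999` is checked only against the key recorded for `[server]:55999`, so the port-22 host key can neither shadow it nor be overwritten by it.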

          Activity

          danielbeck Daniel Beck added a comment -

          Michael Clarke Is this related to your recent work? CC Oleg Nenashev

          mc1arke Michael Clarke added a comment -

          Daniel Beck I don't think my changes would have done this: it seems to be failing whilst matching the key identifier rather than key value. I suspect it's the SSHD bump that's caused this, but won't be able to take a closer look until this weekend.

          mc1arke Michael Clarke added a comment -

          If Krzysztof Malinowski's report is correct, this is impacting Jenkins 2.60.1, which uses SSHD-Module 1.11 and therefore SSHD 0.14.0. This would mean that a change for SSHD-747 isn't included in SSHD, SSHD-module or consequently in this version of Jenkins.

          I believe a fix for this is included in the version of SSHD (1.6.0) included in the latest SSHD-module (2.0) and included in Jenkins 2.69 and above.

          zeton3 Zeton added a comment -

          Hi

          I'm using Jenkins ver 2.107.1 and this issue is still present.

          /Seba

          saml Samuel Lopez added a comment -

          Hello Folks,

          We are seeing this issue as well on:

          Jenkins 2.121.1

          Running on Ubuntu 16.04

          SSH Plugin 2.6.1

          /Sam

          giorgiosironi Giorgio Sironi added a comment -

          I think I have fixed this by removing the offending key from my .ssh/known_hosts. It may be related to an old key recorded there that has changed after the Jenkins server was updated.

          amdokamal S. Panchenko added a comment - - edited

          Giorgio Sironi removing the offending key from my .ssh/known_hosts works for me. Thank you!

           


            People

            • Assignee: Unassigned
            • Reporter: raspy Krzysztof Malinowski
            • Votes: 3
            • Watchers: 10
