Jenkins / JENKINS-45650

CLI known_hosts support fails on non-standard SSH ports


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • cli
    • None
    • Jenkins 2.60.1 cli on RedHat Enterprise Linux 7

      When using the CLI to connect to the Jenkins master over the SSH protocol, the CLI tries to load the known_hosts file. When it encounters entries with custom ports, the parsing fails and the file is not loaded.

      $ java -jar jenkins-cli.jar -s https://server:8443/jenkins -ssh -user userid who-am-i
      Jul 19, 2017 3:17:48 PM org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier acceptIncompleteHostKeys
      WARNING: Failed (StreamCorruptedException) to reload server keys from /home/userid/.ssh/known_hosts: Failed (IllegalArgumentException) to parse line #94 '[server]:55999,[10.171.40.57]:55999 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXA0S0x3vxR/lXan6EKBwc5rN4Omij2UpkvtiWqDOm5B4m8d+Exn59EJMKgiez+zCITm0bRa22pEvjPu2AD7EXz4rMoW5S042Fqv7iQYMiGsmSz4y7J4+kSnNemUe1wH04VTKZ/BNes4FcTGzCN0ah2q6nIb0gEbVeXHnWhEdFccRyLdCAXV//v4p+xkzegJM6nJDE1qwTl2SLicDfc++8B5kYfDG90nSeYtxsBWTxpILOO4Nsln4aeMkL4KwtHfgBhYc1vE6jyuf08KIgmJ3jdRf/foeZjB5aVR1GycF9e0cvTb81Xo6eBa9YCjCYWZXP1jMuPn4LhD1CyFma+FsX': Invalid host pattern char in [server]:55999
      Jul 19, 2017 3:17:48 PM hudson.cli.SSHCLI$1 verifyServerKey
      WARNING: Unknown host key for server/10.171.40.57:55999
      Authenticated as: userid
      Authorities:
        authenticated
      

      When the offending line is removed, things are even worse, since the parsing succeeds but gets the regular server SSH key (from port 22) instead of the Jenkins one (from 55999), and the connection fails:

      $ java -jar jenkins-cli.jar -s https://server:8443/jenkins -ssh -user userid who-am-i
      Jul 19, 2017 3:09:55 PM org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier acceptModifiedServerKey
      WARNING: acceptModifiedServerKey(ClientSessionImpl[userid@server/10.171.40.57:55999]) mismatched keys presented by server/10.171.40.57:55999 for entry=server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6Z9rzxO2B847/BfIeCHTniW+sKlOwp/y7gAAZsIqo4iBi3IjjQkCAk22S9AAMLN1pJ23LnlWPYkbHMg9WoO/pbTYalsoGmeXnNYHw9zq+1ky3fF82Q7qQib3s0gVMdYIyjPq8axOEEMKTvE165MkH9M+38WzLzIo/KgZ760Q18TjTE6Or3agYijUfocIL4cYZ8T8T5U314RIhZ7CleYvfeCJJhFTcbfU1u1JQjBCVI43oCrTCg0U+B/IziAG+UQxtr4QmHn1B4gb4RlWh1/bslnioYzS4RMSOcKbilIZeecUR3wEyIA36MHcdQ8yg9E1eMgqyGsOux4o9vU9+tobKw==: expected=ssh-rsa-SHA256:ISYrqAqAcAsbKg9qKWEBRnro3cNrzrVjvwp0QUkooUA, actual=ssh-rsa-SHA256:Ii0dTlky9upQj6lgvXfDQL1CqUPB6RnvDntzkc+DaF0
      Jul 19, 2017 3:09:55 PM org.apache.sshd.common.session.helpers.AbstractSession exceptionCaught
      WARNING: exceptionCaught(ClientSessionImpl[userid@server/10.171.40.57:55999])[state=Opened] SshException: Server key did not validate
      Jul 19, 2017 3:09:55 PM org.apache.sshd.common.session.helpers.AbstractSession disconnect
      INFO: Disconnecting(ClientSessionImpl[userid@server/10.171.40.57:55999]): SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - Server key did not validate
      org.apache.sshd.common.SshException: Server key did not validate
              at org.apache.sshd.client.session.AbstractClientSession.checkKeys(AbstractClientSession.java:543)
              at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:580)
              at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:528)
              at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:463)
              at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1325)
              at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:424)
              at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:67)
              at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:285)
              at org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:265)
              at org.apache.sshd.common.io.nio2.Nio2Session$2.onCompleted(Nio2Session.java:262)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:37)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:34)
              at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
              at sun.nio.ch.Invoker$2.run(Invoker.java:218)
              at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      

      Also, in this case the CLI adds the Jenkins SSH key to known_hosts without a port, so the entry conflicts with the regular SSH key.

      Please add support for custom ports in known_hosts. This is perfectly valid according to sshd(8):

      SSH_KNOWN_HOSTS FILE FORMAT
      ...
      A hostname or address may optionally be enclosed within `[' and `]' brackets then followed by `:' and a non-standard port number.
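
An added example, not code from Jenkins or Apache MINA SSHD: a small Python parser for plain known_hosts host fields that follows the sshd(8) rule quoted above, looks keys up by (host, port) so the port-22 key is never offered for port 55999, and writes new entries with their port. All function names and the sample file are constructed for illustration; hashed and @-marked entries are skipped, and wildcard patterns are not interpreted.

```python
import re

DEFAULT_PORT = 22
# sshd(8): a host may be written "[host]:port" for a non-standard port.
_BRACKETED = re.compile(r"^\[([^\[\]]+)\]:(\d{1,5})$")


def parse_host_pattern(pattern):
    """Split one host pattern into (host, port); a bare name means port 22."""
    m = _BRACKETED.match(pattern)
    if m and 1 <= int(m.group(2)) <= 65535:
        return m.group(1), int(m.group(2))
    if m or "[" in pattern or "]" in pattern:
        raise ValueError(f"malformed host pattern {pattern!r}")
    return pattern, DEFAULT_PORT


def parse_known_hosts(text):
    """Return (entries, bad_lines); each entry is (set of (host, port), type, key)."""
    entries, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Blank lines, comments, @markers and hashed (|1|...) hosts are skipped.
        if not fields or fields[0][0] in "#@|":
            continue
        try:
            hosts = {parse_host_pattern(p) for p in fields[0].split(",")}
            entries.append((hosts, fields[1], fields[2]))
        except (IndexError, ValueError):
            # Record the bad line and keep going: one entry must not void the file.
            bad_lines.append(lineno)
    return entries, bad_lines


def lookup(entries, host, port=DEFAULT_PORT):
    """Keys recorded for exactly this host and this port."""
    return [(t, k) for hosts, t, k in entries if (host, port) in hosts]


def format_host(host, port=DEFAULT_PORT):
    """Host field to write when recording a newly accepted key."""
    return host if port == DEFAULT_PORT else f"[{host}]:{port}"


# Constructed sample: host names and port from the report, placeholder key text.
SAMPLE = """\
server,10.171.40.57 ssh-rsa AAAA_PLACEHOLDER_PORT22_KEY
[server]:55999,[10.171.40.57]:55999 ssh-rsa AAAA_PLACEHOLDER_JENKINS_KEY
"""
```
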

            Assignee: Unassigned
            Reporter: Krzysztof Malinowski (raspy)
            Votes: 3
            Watchers: 11