maven 3 site-deploy gets stuck in authentication prompt in Jenkins build - maven

How do you get rid of this prompt when using site-deploy?
"Are you sure you want to continue connecting?"
I know this question has been asked multiple times (link, link), but the recommended solutions do not work for me and I will explain why.
Oh, and I posted pretty much the exact same question here
where the solution is to:
# Run this manually:
ssh -o UserKnownHostsFile=foo javadoc.foo.com
# Take that file and put it in your private DAV share, and then
ssh -o UserKnownHostsFile=/private/<account>/known_hosts javadoc.foo.com
Which has been working fine 99% of the time, but using this solution, every once in a while we get the following text over and over again in the logs:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Please contact your system administrator.
Add correct host key in known_hosts to get rid of this message.
Do you want to delete the old key and insert the new key? (yes/no)
So, back to my problem: in a nutshell, the problem is this:
When I run mvn site-deploy, it gets stuck in an infinite loop in Jenkins:
The authenticity of host 'javadoc.foo.com' can't be established.
RSA key fingerprint is 3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Are you sure you want to continue connecting? (yes/no)
The authenticity of host 'javadoc.foo.com' can't be established.
RSA key fingerprint is 3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Are you sure you want to continue connecting? (yes/no)
The machine that this occurs on is a CloudBees machine, so it's not a machine that we own. In other words, every time we do a build, a brand new machine is provisioned to us.
Our settings.xml has something like:
<server>
  <id>javadoc.foo.com</id>
  <username>username</username>
  <password>password</password>
</server>
If it was a machine that we owned and controlled, we could manually ssh on there and run the ssh command just once so that this is fixed, but like I said, those machines are dynamically provisioned to us.
Since we are using maven 3 and not maven 2, we cannot add the following to our server section of the settings.xml:
<configuration>
  <knownHostsProvider implementation="org.apache.maven.wagon.providers.ssh.knownhost.NullKnownHostProvider">
    <hostKeyChecking>no</hostKeyChecking>
  </knownHostsProvider>
</configuration>
Is there a way to either:
programmatically answer yes (this is not a free-style Jenkins job; this is Maven project.)
an alternative to site-deploy (ant code within the pom.xml?)
have site-deploy fail if this question does not get answered, so that the Jenkins build doesn't fill gigs of disk space with this question repeated over and over again.
tell the site-deploy plugin to set stricthostkeychecking to "no"
I would like to avoid any pre-build steps that could tweak ssh settings; I would prefer to either tweak the settings.xml, pom.xml, or maven options.
Nonetheless, I'm open to any suggestions.

You can get it to work using this settings.xml configuration:
<server>
  <id>site</id>
  <username>_your_login_user_</username>
  <privateKey>_path_to_key_identify_file</privateKey>
  <configuration>
    <strictHostKeyChecking>no</strictHostKeyChecking>
    <preferredAuthentications>publickey,password</preferredAuthentications>
    <interactive>false</interactive>
  </configuration>
</server>
along with the following pom.xml:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-site-plugin</artifactId>
  <version>3.6</version>
  <dependencies>
    <dependency><!-- add support for ssh/scp -->
      <groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-ssh</artifactId>
      <version>2.12</version>
    </dependency>
  </dependencies>
</plugin>
An issue, https://issues.apache.org/jira/browse/WAGON-467, addressed the strictHostKeyChecking parameter in the wagon-ssh plugin and has been solved in recent versions.

Add a shell pre-build step to create ~/.ssh/config with content:
StrictHostKeyChecking no

echo yes | mvn site:deploy
Totally fixed this for me despite having tried many other routes.

I couldn't find a way round this. Using this didn't work: org.apache.maven.wagon.providers.ssh.knownhost.NullKnownHostProvider, which seems to be a known issue.
But assuming you're on a unix box of some sort you can do this as a workaround to send yes when prompted if you don't want to change ssh config:
echo yes | mvn site:deploy

For the case that someone would not use StrictHostKeyChecking no and also if someone has this problem on Windows I have another solution:
Normally your known_hosts can be found under
C:\Users\<YourUsername>\.ssh\known_hosts
For the Windows Service Installation of Jenkins you should copy your known_hosts to:
C:\Windows\System32\config\systemprofile\.ssh\
Or for the case of a Jenkins 64-bit version to:
C:\Windows\SysWOW64\config\systemprofile\.ssh\
For Unix/Linux systems use analogous paths - copy the known_hosts (or only parts of it) from your account to the Jenkins user.
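
A pre-build step that keeps host key verification on for a freshly provisioned build agent, as an added example that is not part of the original question or answers: it installs a known_hosts entry recorded once over a trusted channel and makes ssh exit with an error instead of prompting. It assumes the deploy goes through the OpenSSH client; the function name, the scan file and the key blob are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. The key blob is a constructed
# placeholder; record the real known_hosts line once over a trusted channel.
PINNED_LINE='javadoc.foo.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDPLACEHOLDER'

# install_pinned_host HOST PINNED_LINE SCAN_FILE SSH_DIR
#   SCAN_FILE: output of `ssh-keyscan -t rsa HOST`, captured on the build agent
#   SSH_DIR:   the build user's ~/.ssh (empty on a freshly provisioned agent;
#              an existing config file there is overwritten)
install_pinned_host() {
    host="$1"; pinned="$2"; scan="$3"; dir="$4"
    # Key type and base64 blob identify the key.
    pin_key=$(printf '%s\n' "$pinned" | awk '{print $2 " " $3}')
    # Pre-flight: the key the host presents now must be the pinned one.
    if ! awk -v h="$host" -v k="$pin_key" \
            '$1 == h && ($2 " " $3) == k {ok = 1} END {exit !ok}' "$scan"; then
        echo "host key for $host differs from the pinned key; not deploying" >&2
        return 1
    fi
    (
        umask 077    # keep the files private to the build user
        mkdir -p "$dir" || exit 1
        printf '%s\n' "$pinned" > "$dir/known_hosts" || exit 1
        # StrictHostKeyChecking yes: never add or replace a host key silently.
        # BatchMode yes: exit with an error instead of asking (yes/no).
        cat > "$dir/config" <<EOF
Host $host
    StrictHostKeyChecking yes
    BatchMode yes
    UserKnownHostsFile $dir/known_hosts
EOF
    )
}

# Usage on the agent, before the deploy step:
#   ssh-keyscan -t rsa javadoc.foo.com > scan.txt 2>/dev/null
#   install_pinned_host javadoc.foo.com "$PINNED_LINE" scan.txt "$HOME/.ssh" || exit 1
```

With this in place a changed host key stops the build at the pre-flight check, and an unexpected prompt becomes a non-zero exit rather than a loop in the log.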

Related

ssh-add not saving identity after reboot - continues to fail after editing config file and trying numerous flag options

I have tried numerous options to add my ssh key for bitbucket to no avail.
When I reboot and run ssh-add -L, it says The agent has no identities.
I have tried using the following guides to add my ssh-key:
https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/
I have tried several configurations of my config file including the following:
From BitBucket docs
Host *
UseKeychain yes
From Github docs
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/bitbucket
I tried using ssh-add -K ~/.ssh/bitbucket and ssh-add --apple-use-keychain ~/.ssh/bitbucket
I tried starting the agent 2 different ways
From BitBucket docs
eval `ssh-agent`
From GitHub Docs
eval "$(ssh-agent -s)"
When I run it, it works until I reboot. Sometimes it doesn't work when I switch terminals or use git operations in VSCode.
On reboot nothing works.
Looking for any solutions
I'm guessing from:
--apple-use-keychain
that you're on macOS (I added that to the tags). This matches up with another part of your question:
Sometimes it doesn't work when I switch terminals ...
There are two tricky bits that intertwine here:
It's possible to have more than one ssh-agent running (but generally you don't want this).
On macOS, when you boot up the system and log in—even before any Terminal windows open up—the system has started one ssh agent for you.
This second bullet point is specific to macOS. On other systems, it's usually the case that the system has not started an agent for you, and therefore you must start one. But on macOS the system has started one for you. You don't want to start a second one! So do not run eval `ssh-agent`.
If you do run it, you get a second agent, as requested, and then only that one Terminal window can talk to that agent. This results in other Terminal windows not working, as you observed, and could lead to other similar issues like the VSCode one, perhaps. (I don't use VSCode so this part is just a guess.)
You do have to run:
ssh-add ~/.ssh/bitbucket
or similar at least once; I do it after each reboot, to load the key into the agent. According to this question on apple.stackexchange.com, using -K will save the passphrase for the key, and on Sierra or later you must take an extra step as well; see that question and its answer for more.
(I switch OSes a lot so I tend to avoid depending too much on any one particular OS's features. The trick with Terminal and ssh-agent is actually kind of annoying, in that respect. 😀 But it is useful.)
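
A check that follows the answer above, as an added example that is not part of the original answer: it asks the agent the current shell can already reach whether the key is loaded, and loads the key into that agent rather than starting another one. The SSH_ADD override and the function names are hypothetical; the logic relies on ssh-add's documented exit status (1 when the command fails, such as an empty agent; 2 when no agent can be contacted).

```sh
#!/bin/sh
# Added example, not from the original answer.
# SSH_ADD is a hypothetical override so the logic can be run against a stub.
SSH_ADD="${SSH_ADD:-ssh-add}"

# agent_key_state PUBFILE -> prints: unreachable | missing | loaded
agent_key_state() {
    # Key type and base64 blob identify a key; the trailing comment does not.
    want=$(awk 'NR == 1 {print $1 " " $2}' "$1") || return 2
    [ -n "$want" ] || return 2
    # `ssh-add -L` prints the public keys held by the agent behind SSH_AUTH_SOCK.
    listing=$("$SSH_ADD" -L 2>/dev/null) && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo unreachable
    elif [ "$rc" -eq 0 ] && printf '%s\n' "$listing" | grep -qF -- "$want"; then
        echo loaded
    else
        echo missing
    fi
}

# ensure_key KEYFILE: load KEYFILE into the existing agent if it is not there.
ensure_key() {
    case "$(agent_key_state "$1.pub")" in
        loaded)  return 0 ;;
        missing) "$SSH_ADD" "$1" ;;
        unreachable)
            echo "no agent reachable via SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}';" \
                 "not starting a second one" >&2
            return 1 ;;
        *)  echo "cannot read public key $1.pub" >&2
            return 2 ;;
    esac
}

# Usage: ensure_key ~/.ssh/bitbucket
```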

How to Access Jenkins Remotely from Maven Run

Since manually executing steps of my plugin with demo projects takes some time, I'd like to execute it on a separate server using mvn hpi:run. To access Jenkins on my desktop, I'd like to tunnel e.g. using ssh server -L 8080:server. Unfortunately, I cannot access the server with tunnelling and even on the server itself, curl localhost:8080 works and curl server:8080 does not work (and ssh server works, so it is not a connection problem).
Since ufw is disabled, I assume that the Jenkins which is run by maven usually only listens to 127.0.0.1. To change this, according to https://wiki.jenkins.io/display/JENKINS//Starting+and+Accessing+Jenkins, either setting --httpListenAddress=0.0.0.0 or setting $HTTP_HOST should be possible (https://serverfault.com/questions/408657/how-to-access-jenkins-remotely-on-ubuntu-12-04-server).
Unfortunately, both versions
mvn clean hpi:run -DhttpListenAddress=0.0.0.0
export HTTP_HOST=0.0.0.0 && mvn clean hpi:run
did not succeed. Additionally, I guessed -Djetty.host=0.0.0.0 could work (how to make jetty server accessible from LAN?) since the port of Jenkins can be set using -Djetty.port, but it also did not work:
mvn clean hpi:run -Djetty.host=0.0.0.0
Is there any option to make a Jenkins plugin directly remote accessible when using hpi:run, or is it necessary to deploy it to a local Jenkins server every time?
Following worked for me:
mvn -Dhost=0.0.0.0 hpi:run

Creating an executable for mac terminal commands

I'm using a series of commands for deploying my files to production. This is done manually currently. Is it possible to make these commands into an executable file, so that I don't have to copy and paste these commands each and every time?
When the first line is executed, i.e. connecting to the root server, it will ask for the password and I have to paste the password: xxxxxxxxxxxxxx
I'm using a Mac system.
If you have any idea, please let me know.
ssh root@server
pwd: xxxxxxxxxxxxxx
ssh-agent bash
ssh-add bi-master
cd /home/trans/bimaster
git status
git pull git@bitbucket.org:xxxxxxxxx/bimaster.git master
Yes it is possible, normally people use services like Jenkins (free) or bamboo (not free) to run deployment tasks, then you can save credentials on the bamboo/Jenkins server and write a deployment script or pipeline to do the deployment steps.
You should also consider setting up ssh keys on your local machine (public private keypair with ssh-keygen) and the remote (just the public key - ssh-copy-id can do this IIRC) so you don't have to rely on password logins on the remote login. Generally, ssh keys are considered more secure and practical than using passwords.
Also, don't do things as the root user unless you have no other choice or you're just testing. Running things as root in production is asking for trouble.

Problems running svn+ssh from Jenkins in OS X using ssh keys

Trying to run a simple
svn list svn+ssh://...
from within jenkins on OS X, as an execute shell step. The job is not linked to an SVN repository - I am trying to do an svn list manually on the tags folder without having jenkins download a copy of each tag.
But other jobs are connected to svn and jenkins checks out code fine.
I have downloaded jenkins from here which runs jenkins as a daemon.
The problem is ssh keys. After a few iterations, here is where I am at.
In /Library/LaunchDaemons/org.jenkins-ci.plist I have set JENKINS_HOME as /Users/Shared/Jenkins/Home (that's where jenkins gets installed), and in there I have created ssh keys, without passphrase (for now)
The actual command I am running is
svn --config-dir=/Users/Shared/Jenkins/Home/.subversion list svn+ssh://...
to get around jenkins running shell steps as root without actually having root permissions (not sure why - jenkins is launched by loading /Library/LaunchDaemons/org.jenkins-ci.plist) and causing a permission error when it tries to read /var/root/.servers
in --config-dir=/Users/Shared/Jenkins/Home/.subversion/config I have added
ssh = $SVN_SSH ssh -v -i /Users/Shared/Jenkins/Home/.ssh/id_rsa
so ssh can connect to the server. The last missing step now is that the shell expects the passphrase and cannot get it from Keychain (obviously)
debug1: read_passphrase: can't open /dev/tty: Device not configured
I thought leaving an empty passphrase would do the job, but it doesn't. Any clues? Thanks in advance.
I don't think there is a workaround to "read_passphrase: can't open /dev/tty: Device not configured" - the command expects terminal input and can't get it, nor can it get Keychain to provide it. It's all tied in with running as a daemon.
In the end I downloaded the latest version of the jenkins installer and re-installed to run manually and not as a daemon, so it runs as me instead of some weird flavour of root, and the problem disappeared.

Ant: How to avoid SSH passwords?

Problem
We have a server over which we have FULL control
We have a long, complicated shell script that interacts with this server via SCP and SSH
We have an Ant Target that runs the script
simplified example:
<target name="run-script">
  <exec executable="/path/to/script_that_runs_ssh_cmds.sh" />
</target>
This target fails with the following exception:
ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
Question
After researching a bit, I think this can be fixed by generating public/private key pairs. That way, the ssh command doesn't have to prompt for passwords. Assuming this solution will work, how do you go about making it so that SSH calls on the system use keys in lieu of prompting for passwords? Is it possible to set this up in a way that anyone on our team can run the Ant target successfully from their laptop?
Note: We're all running OS X 10.6 (Leopard) and physically connected to the same LAN as the server.
You can just install the private key under ~/.ssh and ssh will automatically look into that directory and use the key you installed.
On the server side, add the public key to ~/.ssh/authorized_keys
