Current Host Key Verification Strategy is Non Verifying Verification Strategy. This works, but is not secure.
The agent is created using Packer, with Ansible as provisioner, and then started with Terraform. This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to the .ssh directory of user jenkins:

    ---
    - name: Add the user 'jenkins'
      user:
        name: jenkins
        create_home: yes
        home: /home/jenkins

    - name: Copy SSH keys
      copy:
        src: ./files/.ssh
        dest: /home/jenkins/
        owner: jenkins
        mode: 0600

    - name: Set permissions on private key
      file:
        path: /home/jenkins/.ssh/id_ed25519
        mode: 0400

    - name: Set authorized key taken from file
      ansible.posix.authorized_key:
        user: jenkins
        key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
        state: present
        exclusive: True

In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH Username with private key". In the field Private Key I have put the content of id_ed25519.

In Jenkins, Manage Jenkins, Manage Nodes I have added a node:

* Launch agents via SSH
* Host: DNS name I get from Terraform or the AWS console
* Credentials: the SSH username + private key from the previous step
* Host Key Verification Strategy:
  --> Non verifying: works, but is not secure
  --> Known hosts file: I have no access to files on the server, so I cannot use this
  --> Manually provided key: I paste the contents of id_ed25519.pub. Results in:

      WARNING: The SSH key for this host does not match the key required in the connection configuration. Connections will be denied until the host key matches the configuration key.
      Key exchange was not finished, connection is closed.

  --> Manually trusted key: works, but couldn't I theoretically have a man-in-the-middle attack on the very first connection of a new node?

My questions are:

* Is the Manually trusted key Verification Strategy, without "Require manual verification of initial connection", more secure than the Non verifying Verification Strategy?
* What are the downsides of the Manually trusted key Verification Strategy?
* How come the Manually provided key Verification Strategy didn't work?
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/654c1ca0-0e62-4ad2-af11-d5d725958fadn%40googlegroups.com.
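Editor's added example, not part of the original post or of the Jenkins SSH agent plugin. The "Manually provided key" and "Known hosts file" strategies both pin the agent's server host key, that is, the public half of a key in /etc/ssh/ (for example ssh_host_ed25519_key.pub) as printed by ssh-keyscan or the EC2 console output; a user key such as id_ed25519.pub is a different object, so pinning it cannot match what the sshd on the agent presents. The code below shows the defender-side handling of such a host key line: parsing it, checking that the declared type matches the type embedded in the blob, computing the SHA256 fingerprint in the form ssh-keygen -lf prints, turning it into a known_hosts entry, and comparing a presented key against a pinned fingerprint collected out of band. The 32-byte key, the comment and the hostname are constructed placeholders so the block runs offline.

```python
import base64
import hashlib
import struct

# Constructed sample: a fake ssh-ed25519 host key built in-code so the example
# runs offline. A real value comes from the agent's /etc/ssh/ssh_host_ed25519_key.pub
# (or `ssh-keyscan -t ed25519 <host>`), collected out of band, e.g. from the
# instance console output, never from the connection being verified.
_FAKE_KEY_BYTES = bytes(range(32))  # hypothetical 32-byte ed25519 public key


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def make_host_key_line(key_type: str, key_bytes: bytes, comment: str) -> str:
    """Build an OpenSSH public key line: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_HOST_KEY_LINE = make_host_key_line("ssh-ed25519", _FAKE_KEY_BYTES, "root@agent-1")


def parse_public_key_line(line: str) -> tuple[str, bytes, str]:
    """Parse a public key line into (type, blob, comment).

    Rejects lines whose base64 blob does not embed the declared key type,
    which catches a mislabelled or truncated paste before it is pinned.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + n]
    if embedded_type != key_type.encode():
        raise ValueError(
            f"declared type {key_type!r} does not match blob type {embedded_type!r}"
        )
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of a key blob, formatted as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, line: str) -> str:
    """Turn a host public key line into a known_hosts entry for `host`."""
    key_type, blob, _ = parse_public_key_line(line)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def host_key_matches(pinned_fingerprint: str, presented_line: str) -> bool:
    """True only if the presented host key has exactly the pinned fingerprint."""
    _, blob, _ = parse_public_key_line(presented_line)
    return fingerprint(blob) == pinned_fingerprint


if __name__ == "__main__":
    kt, blob, comment = parse_public_key_line(SAMPLE_HOST_KEY_LINE)
    print("pin this fingerprint before the first connection:", fingerprint(blob))
    print(known_hosts_line("agent-1.example.invalid", SAMPLE_HOST_KEY_LINE))
```

The fingerprint printed for a real host key line is what you compare against the value shown in the instance console output (or obtained via any other out-of-band channel) before the Jenkins controller makes its first connection; only a key that passes that comparison is worth pasting into the "Manually provided key" field.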