Re: SSH connection issue with Host Key Verification Strategy

2021-01-13 Thread Ivan Fernandez Calvo
>* Is Manually trusted key Verification Strategy, without "Require manual 
> verification of initial connection", more secure than Non verifying 
> Verification Strategy?

Any verification strategy is more secure than none

>What are the downsides of Manually trusted key Verification Strategy?

You have to manually accept the key on the UI or check the auto accept in 
the first connection

>How come Manually provided key Verification Strategy didn't work?

I do not have enough data, but this configuration should work. If you think 
that it can be an issue, you could open an issue in Jira and I'll take a look 
(see 
https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/doc/TROUBLESHOOTING.md#common-info-needed-to-troubleshooting-a-bug
)

For more info check the documentation
https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/doc/CONFIGURE.md#host-key-verification-strategy

I would recommend you use JCasC to inject the config; in this repo you 
have an example: 
https://github.com/kuisathaverat/jenkins-issues/tree/master/kex-algorithms

On Wednesday, 13 January 2021 at 3:13:58 UTC+1, amedee@gmail.com 
wrote:

> Current Host Key Verification Strategy is Non Verifying Verification 
> Strategy.
> This works, but is not secure.
>
> The agent is created using Packer, and Ansible as provisioner, and then 
> started with Terraform.
>
> This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to 
> the .ssh directory of user jenkins.
>
> ---
>
> - name: Add the user 'jenkins'
>   user:
>     name: jenkins
>     create_home: yes
>     home: /home/jenkins
>
> - name: Copy SSH keys
>   copy:
>     src: ./files/.ssh
>     dest: /home/jenkins/
>     owner: jenkins
>     mode: '0600'
>
> - name: Set permissions on private key
>   file:
>     path: /home/jenkins/.ssh/id_ed25519
>     mode: '0400'
>
> - name: Set authorized key taken from file
>   ansible.posix.authorized_key:
>     user: jenkins
>     key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
>     state: present
>     exclusive: true
>
>
> In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH 
> Username with private key". In the field Private Key I have put the content 
> of id_ed25519.
>
> In Jenkins, Manage Jenkins, Manage Nodes I have added a node:
> * Launch agents via SSH
> * Host: DNS name I get from Terraform or AWS console
> * Credentials: the SSH username + private key from the previous step
> * Host Key Verification Strategy:
> --> Non verifying: works, but is not secure
> --> Known hosts file: I have no access to files on the server, so I cannot 
> use this
> --> Manually provided key: I paste the contents of id_ed25519.pub. Results 
> in WARNING: The SSH key for this host does not match the key required in 
> the connection configuration. Connections will be denied until the host key 
> matches the configuration key. Key exchange was not finished, connection is 
> closed.
> --> Manually trusted key: works, but couldn't I theoretically have a 
> man-in-the-middle attack on the very first connection of a new node?
>
> My questions are:
> * Is Manually trusted key Verification Strategy, without "Require manual 
> verification of initial connection", more secure than Non verifying 
> Verification Strategy?
> * What are the downsides of Manually trusted key Verification Strategy?
> * How come Manually provided key Verification Strategy didn't work?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/c5ccbda7-2ea3-41aa-aac3-f2391b98d287n%40googlegroups.com.
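As an added example that is not part of this thread or of the ssh-slaves plugin: the warning quoted in the post says the key presented by the host did not match the configured one, which is the comparison any pinned-host-key strategy has to make. The standard-library Python below performs that comparison on the decoded key blob, prints the SHA256 fingerprint (same form as ssh-keygen -lf) that can be compared out of band against the host key recorded on the image, and shows that a user key such as id_ed25519.pub and the host's own key are different objects; the hostname and key bytes are constructed for the demo, not real keys.

```python
import base64
import hashlib
import struct


def parse_openssh_pubkey(line: str) -> tuple[str, bytes]:
    """Return (type, decoded blob) from "ssh-ed25519 AAAA... comment" or a
    known_hosts / ssh-keyscan line "host ssh-ed25519 AAAA..."."""
    fields = line.split()
    if len(fields) >= 3 and not fields[0].startswith(("ssh-", "ecdsa-")):
        fields = fields[1:]  # drop the host field of a known_hosts line
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with its own type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """Fingerprint in the form printed by ssh-keygen -lf (unpadded base64)."""
    _, blob = parse_openssh_pubkey(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_matches(configured: str, observed: str) -> bool:
    """Pin check: the key the host presents must equal the configured key byte
    for byte; comments and host prefixes are ignored so a pasted .pub compares."""
    return parse_openssh_pubkey(configured) == parse_openssh_pubkey(observed)


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 constructed bytes.
    Demo only: these are not real keys."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: the image's host key and the jenkins user's key are
# two different keys, so a pasted id_ed25519.pub never equals the host key.
HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)), "root@agent-image")
USER_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "jenkins@agent")
# What ssh-keyscan would print for the agent (known_hosts format, no comment).
SCANNED = "agent.example.internal " + HOST_KEY.rsplit(" ", 1)[0]

if __name__ == "__main__":
    print("compare this out of band:", fingerprint_sha256(HOST_KEY))
    print("host key configured :", host_key_matches(HOST_KEY, SCANNED))  # True
    print("user key configured :", host_key_matches(USER_KEY, SCANNED))  # False
```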


SSH connection issue with Host Key Verification Strategy

2021-01-12 Thread Amedee Van Gasse
Current Host Key Verification Strategy is Non Verifying Verification 
Strategy.
This works, but is not secure.

The agent is created using Packer, and Ansible as provisioner, and then 
started with Terraform.

This Ansible playbook uploads the files id_ed25519 and id_ed25519.pub to 
the .ssh directory of user jenkins.

---

- name: Add the user 'jenkins'
  user:
    name: jenkins
    create_home: yes
    home: /home/jenkins

- name: Copy SSH keys
  copy:
    src: ./files/.ssh
    dest: /home/jenkins/
    owner: jenkins
    mode: '0600'

- name: Set permissions on private key
  file:
    path: /home/jenkins/.ssh/id_ed25519
    mode: '0400'

- name: Set authorized key taken from file
  ansible.posix.authorized_key:
    user: jenkins
    key: "{{ lookup('file', './files/.ssh/id_ed25519.pub') }}"
    state: present
    exclusive: true


In Jenkins, Manage Jenkins, Manage Credentials I have added a "SSH Username 
with private key". In the field Private Key I have put the content of 
id_ed25519.

In Jenkins, Manage Jenkins, Manage Nodes I have added a node:
* Launch agents via SSH
* Host: DNS name I get from Terraform or AWS console
* Credentials: the SSH username + private key from the previous step
* Host Key Verification Strategy:
--> Non verifying: works, but is not secure
--> Known hosts file: I have no access to files on the server, so I cannot 
use this
--> Manually provided key: I paste the contents of id_ed25519.pub. Results 
in WARNING: The SSH key for this host does not match the key required in 
the connection configuration. Connections will be denied until the host key 
matches the configuration key. Key exchange was not finished, connection is 
closed.
--> Manually trusted key: works, but couldn't I theoretically have a 
man-in-the-middle attack on the very first connection of a new node?

My questions are:
* Is Manually trusted key Verification Strategy, without "Require manual 
verification of initial connection", more secure than Non verifying 
Verification Strategy?
* What are the downsides of Manually trusted key Verification Strategy?
* How come Manually provided key Verification Strategy didn't work?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/654c1ca0-0e62-4ad2-af11-d5d725958fadn%40googlegroups.com.