Ssh plugin 1.16 requires needs a host verification strategy set. #589

Open
chazzly opened this issue Mar 29, 2017 · 6 comments

chazzly commented Mar 29, 2017

Cookbook version

5.0.0

Chef-client version

12.18

Platform Details

Jenkins 2.32
ssh-slaves plugin 1.16

Scenario:

Adding ssh Slaves

Steps to Reproduce:

Create an ssh with version 1.15 or higher of the ssh-slaves plug-in

Expected Result:

Slave created with no errors or warnings

Actual Result:

Slave is created successfully, but Jenkins posts a Security warning saying:

SSH Host Key Verifiers are not configured for all SSH slaves on this Jenkins instance. This could leave these slaves open to man-in-the-middle attacks. Update your slave configuration to resolve this.

@cheeseplus

Is there a link to the change in the upstream code we could reference?

@jamesbjackson

I found the following links in case they would be useful.

Jenkins Bug Report

SSH Slave Plugin Update

@josh-barker
Contributor

There is a new method definition for new hudson.plugins.sshslaves.SSHLauncher
https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L518-L520

I've been able to patch https://github.com/chef-cookbooks/jenkins/blob/master/libraries/slave_ssh.rb#L103-L120 to the below, which changes the default configuration for the agent.

```ruby
def launcher_groovy
  <<-EOH.gsub(/ ^{8}/, '')
    import hudson.plugins.sshslaves.verifiers.*

    #{credential_lookup_groovy('credentials')}
    launcher =
      new hudson.plugins.sshslaves.SSHLauncher(
        #{convert_to_groovy(new_resource.host)},
        #{convert_to_groovy(new_resource.port)},
        credentials,
        #{convert_to_groovy(new_resource.jvm_options)},
        #{convert_to_groovy(new_resource.java_path)},
        null, // jdkInstaller parameter
        #{convert_to_groovy(new_resource.command_prefix)},
        #{convert_to_groovy(new_resource.command_suffix)},
        #{convert_to_groovy(new_resource.launch_timeout)},
        #{convert_to_groovy(new_resource.ssh_retries)},
        #{convert_to_groovy(new_resource.ssh_wait_retries)},
        new KnownHostsFileKeyVerificationStrategy()
      )
  EOH
end
```

We could create a property for the Verification Strategy (and possibly jdkInstaller) and translate that into the class name, instead of the new KnownHostsFileKeyVerificationStrategy() line.
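
The property-to-class translation suggested in the comment above, sketched as an added example (not code from the cookbook or from any commenter). The property values such as `:known_hosts`, the option names and the helper names are hypothetical; the four class names are the verifiers in the plugin's `hudson.plugins.sshslaves.verifiers` package.

```ruby
# Added example: maps a hypothetical cookbook property to a Groovy constructor
# expression for the ssh-slaves plugin's host key verifiers.
VERIFIERS_PKG = 'hudson.plugins.sshslaves.verifiers'.freeze

# Quote a Ruby value as a single-quoted Groovy string literal (hypothetical helper).
def groovy_string(value)
  s = value.to_s
  raise ArgumentError, 'line breaks are not allowed in the literal' if s =~ /[\r\n]/
  "'" + s.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
end

# Allow-list of strategies; anything else is rejected rather than interpolated.
HOST_KEY_STRATEGIES = {
  known_hosts: ->(_o) { 'KnownHostsFileKeyVerificationStrategy()' },
  manually_provided: lambda do |o|
    "ManuallyProvidedKeyVerificationStrategy(#{groovy_string(o.fetch(:key))})"
  end,
  manually_trusted: lambda do |o|
    # Assumed default: require an administrator to approve the first key seen.
    first = o.fetch(:require_initial_manual_trust, true) ? 'true' : 'false'
    "ManuallyTrustedKeyVerificationStrategy(#{first})"
  end,
  non_verifying: ->(_o) { 'NonVerifyingKeyVerificationStrategy()' }
}.freeze

def host_key_strategy_groovy(strategy, opts = {})
  builder = HOST_KEY_STRATEGIES.fetch(strategy) do
    raise ArgumentError, "unknown host key verification strategy: #{strategy.inspect}"
  end
  # No host key checking means no man-in-the-middle protection, so the
  # non-verifying strategy has to be requested with an explicit opt-in.
  if strategy == :non_verifying && !opts[:allow_insecure]
    raise ArgumentError, 'non_verifying needs allow_insecure: true'
  end
  "new #{VERIFIERS_PKG}.#{builder.call(opts)}"
end

if __FILE__ == $PROGRAM_NAME
  puts host_key_strategy_groovy(:known_hosts)
  # Constructed sample key, not a real host key.
  puts host_key_strategy_groovy(:manually_provided, key: 'ssh-ed25519 AAAA...constructed')
end
```

The returned string would take the place of the `new KnownHostsFileKeyVerificationStrategy()` line inside the heredoc.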

@damnski

damnski commented Dec 10, 2018

Howdy,

Is there any update on this? It would be helpful in my environment; I'd rather not keep around a local monkey-patched jenkins cookbook.

Thanks much,
Best,
-dkw

@github-daniel-stoian

github-daniel-stoian commented Sep 13, 2019

Hello,

This issue is still active, preventing creation of a new Jenkins agent.
We used the patching solution provided above by josh-barker, but the SSHLauncher constructor is not called correctly, and we suspect that the credentialsId sent from https://github.com/chef-cookbooks/jenkins/blob/master/libraries/slave_ssh.rb#L110 is not a string as defined here https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L251

Can you please look into this problem?
Thank you.

```
ERROR: Unexpected exception occurred while performing groovy command.
groovy.lang.GroovyRuntimeException: Could not find matching constructor for: hudson.plugins.sshslaves.SSHLauncher(java.lang.String, java.lang.Integer, com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl, null, null, null, null, null, null, null, hudson.plugins.sshslaves.verifiers.NonVerifyingKeyVerificationStrategy)
at groovy.lang.MetaClassImpl.invokeConstructor(MetaClassImpl.java:1732)
at groovy.lang.MetaClassImpl.invokeConstructor(MetaClassImpl.java:1532)
at org.codehaus.groovy.runtime.callsite.MetaClassConstructorSite.callConstructor(MetaClassConstructorSite.java:49)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:60)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:235)
at RemoteClass.run(RemoteClass:75)
at groovy.lang.GroovyShell.runScriptOrMainOrTestOrRunnable(GroovyShell.java:263)
at groovy.lang.GroovyShell.run(GroovyShell.java:518)
at groovy.lang.GroovyShell.run(GroovyShell.java:497)
at hudson.cli.GroovyCommand.run(GroovyCommand.java:71)
at hudson.cli.CLICommand.main(CLICommand.java:251)
at org.jenkinsci.main.modules.sshd.CLICommandAdapter$1.run(CLICommandAdapter.java:37)
at org.jenkinsci.main.modules.sshd.AsynchronousCommand$1.run(AsynchronousCommand.java:112)
at java.lang.Thread.run(Thread.java:745)
```

@sekberg37

As an FYI I tried many things to get the example that Josh provided to work for me. Also, thank you Josh!

Posting this below in case that helps anyone. See . In my case it was failing because of the "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl" I just directly set the credId and that seemed to at least get me unblocked.

```ruby
def launcher_groovy
  <<-EOH.gsub(/ ^{8}/, '')
    import hudson.plugins.sshslaves.verifiers.*

    #{credential_lookup_groovy('credentials')}
    launcher =
      new hudson.plugins.sshslaves.SSHLauncher(
        #{convert_to_groovy(new_resource.host)},
        #{convert_to_groovy(new_resource.port)},
        '<YOUR CRED ID HERE>',
        #{convert_to_groovy(new_resource.jvm_options)},
        #{convert_to_groovy(new_resource.java_path)},
        #{convert_to_groovy(new_resource.command_prefix)},
        #{convert_to_groovy(new_resource.command_suffix)},
        #{convert_to_groovy(new_resource.launch_timeout)},
        #{convert_to_groovy(new_resource.ssh_retries)},
        #{convert_to_groovy(new_resource.ssh_wait_retries)},
        new KnownHostsFileKeyVerificationStrategy()
      )
  EOH
end
```
