Host key verification failed on SFTP Pipeline

Ricardo November 28, 2021

Hello,

I'm trying to deploy to a testing server. As my server can't be accessed from the internet, I'm using a self-hosted runner to copy my files and deploy inside my network.

As my server is on a local network, I use the cat command to add my known_hosts information, but I always get a Host Key Verification Fail. It's like the sftp pipeline doesn't read from the same known_hosts file.

Any help will be appreciated.

YML File: (attached screenshot yaml.png)

Cat Log: (attached screenshot cat.png)

Error: (attached screenshot error.png)

2 answers

0 votes
Caleb L_ Power January 29, 2024

I'm going to bring this ancient post back up because the current Atlassian devs haven't seen fit to actually make a super usable workflow for this yet and I'm tired of burning fifty pipelines each time I forget about this thing and try to debug it. I swear that's the business model.

Anyhow, Igor's solution worked for me when using the `ssh-run` but it did not work for me when using the `sftp-deploy` pipe. In addition to the custom privkey step, I had to explicitly turn off strict key host checking. Here's an example. Note the different version, I don't know if it's relevant here but know that the issues don't get any better with the version bumps.

- pipe: atlassian/sftp-deploy:0.9.0
  variables:
    USER: '$USER'
    SERVER: '$ADDRESS'
    REMOTE_PATH: '$WEBDIR'
    LOCAL_PATH: '${BITBUCKET_CLONE_DIR}/*'
    EXTRA_ARGS: '-o StrictHostKeyChecking=no'
    SSH_KEY: $SSH_PRIVKEY
    DEBUG: 'true'

Some of the folks on here may boo me for turning off that extra check, but using something like `ssh-keyscan` doesn't work for whatever reason (the pipe never reads any of the known_hosts or known_hosts2 files properly in my case), and even if that worked out, you're still pulling in the fingerprint at runtime which is basically security theater at that point. If you're using a local runner, it doesn't really matter anyhow--if you've got a spoofed host at this point, you've got bigger problems than a runner deploying to the wrong box.

Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 30, 2024

@Caleb L_ Power. It worked in ssh-run because StrictHostKeyChecking is set to no by default there.
So you think it is a good idea to add this behaviour to the sftp-deploy pipe too?

Also, you should put your known_hosts file here: /opt/atlassian/pipelines/agent/ssh, according to the logic.

Regards, Igor

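Added example (shell, not code from this thread or from Atlassian's pipes) for the point raised in Caleb's post and in Igor's reply above, and for the later add-host proposal: instead of `EXTRA_ARGS: '-o StrictHostKeyChecking=no'`, pin the deployment host's public key in a secured deployment variable, compare a live `ssh-keyscan` result against that pin, and write the pinned key into the known_hosts file under the /opt/atlassian/pipelines/agent/ssh directory named in the thread. The variable names `PINNED_HOST_KEY`, `HOST_IP` and `HOST_PORT`, the function names, and the sample key blob are assumptions made here; the blob is constructed and is not any real server's key.

```sh
#!/bin/sh
# Added example (not from the thread or from Atlassian's pipes): pin the remote
# host key in a secured deployment variable and build known_hosts from it so
# that strict host key checking can stay enabled.
# Assumed names: PINNED_HOST_KEY, HOST_IP, HOST_PORT and the three functions.
# /opt/atlassian/pipelines/agent/ssh is the directory named in the thread.

# Constructed sample key (type + base64 blob), NOT a real server's key.
# Capture the real one once, out of band (e.g. the server's own
# /etc/ssh/ssh_host_ed25519_key.pub), and store it as a secured variable.
PINNED_HOST_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDEXAMPLEBLOB0000000000000000000000000'

# known_hosts_line HOST PORT "TYPE BLOB"
# Prints the known_hosts entry. Non-default ports need the [host]:port form,
# otherwise ssh/sftp never matches the entry and verification fails anyway.
known_hosts_line() {
  host=$1; port=$2; key=$3
  if [ "$port" = "22" ]; then
    printf '%s %s\n' "$host" "$key"
  else
    printf '[%s]:%s %s\n' "$host" "$port" "$key"
  fi
}

# check_scanned_key "TYPE BLOB" "KEYSCAN_LINE"
# Returns 0 only if the key reported by `ssh-keyscan -t ed25519 -p PORT HOST`
# (format "host TYPE BLOB" or "[host]:port TYPE BLOB") equals the pinned key.
# The comparison against a value fixed before the run is what makes the scan
# meaningful; a scan with nothing to compare to trusts whatever answers.
check_scanned_key() {
  pinned=$1; scanned=$2
  scanned_key=$(printf '%s\n' "$scanned" | awk '{print $2 " " $3}')
  [ "$scanned_key" = "$pinned" ]
}

# install_known_hosts DIR HOST PORT "TYPE BLOB"
# Writes DIR/known_hosts with restrictive permissions and prints its path.
install_known_hosts() {
  dir=$1; host=$2; port=$3; key=$4
  mkdir -p "$dir" && chmod 700 "$dir"
  known_hosts_line "$host" "$port" "$key" >> "$dir/known_hosts"
  chmod 600 "$dir/known_hosts"
  printf '%s\n' "$dir/known_hosts"
}

# Typical use in a self-hosted runner step (only runs when HOST_IP is set):
# verify a live scan against the pin, then install the pinned key for the pipe.
if [ -n "${HOST_IP:-}" ]; then
  scanned=$(ssh-keyscan -t ed25519 -p "${HOST_PORT:-22}" "$HOST_IP" 2>/dev/null)
  if check_scanned_key "$PINNED_HOST_KEY" "$scanned"; then
    install_known_hosts /opt/atlassian/pipelines/agent/ssh \
      "$HOST_IP" "${HOST_PORT:-22}" "$PINNED_HOST_KEY"
  else
    echo "host key for $HOST_IP does not match the pinned key; refusing to deploy" >&2
    exit 1
  fi
fi
```

Run this as a script step before the sftp-deploy pipe, with the pipe's SSH_KEY set as in the thread and without the StrictHostKeyChecking override; if the live key ever differs from the pin, the step fails before any file is copied, which is the behaviour the check exists to provide.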
Caleb L_ Power January 31, 2024

I think the standards should be consistent, at the very least, so that the fixes for one pipe aren't different from another. My recommendations in the short term would be to set it to "yes" actually on both repositories (it's probably safer to have users opt out of security), and then to improve the documentation on the actual ssh-run and sftp-deploy repos. The documentation should include two options:

  • Option one, to explicitly set the fingerprint in a secret deployment variable and to add it to the correct known_hosts file, and
  • Option two, to explicitly set the EXTRA_ARGS flag to skip strict host key checking

I would think that the documentation should explicitly include examples in both instances. However, in general the hack-and-slash method of redirecting secret deployment variables into those files isn't super user-friendly (esp. if the users have to go hunt around in the code for that), so long-term I'd recommend having a pipe or something similar to do that automatically. Something like this would be nice:

- pipe: atlassian/add-host:0.0.1
  variables:
    USER: $USER # remote username
    KEY: $SSH_PRIVKEY # base64 private key representation
    HOST: $HOST_IP # remote IP address
    PORT: $HOST_PORT # remote port
    FINGERPRINT: $FINGERPRINT # optional, to verify fingerprint

That long-term idea would be to add a host on the fly to known_hosts (and match against the queried fingerprint), add the new private key wherever it needs to go, etc.

Igor Stoyanov
Atlassian Team
February 2, 2024

@Caleb L_ Power. Our team will investigate this and notify you when this feature becomes available.

Regards, Igor

0 votes
Igor Stoyanov
Atlassian Team
December 3, 2021

@Ricardo hi. Thanks for your question.

Currently our team is working on supporting the default ssh_key for self-hosted runners.

Please, for now, use your custom-created ssh key. See how to generate an encoded ssh_key under the section:

Use multiple SSH keys in your pipeline

Pass the output in base64 format into a Bitbucket repository variable with a name such as SSH_KEY and use it in your pipe:

script:
  - pipe: atlassian/sftp-deploy:0.5.8
    variables:
      USER: <your user>
      SERVER: <your host>
      REMOTE_PATH: '/var/www/build/'
      LOCAL_PATH: 'build'
      SSH_KEY: $SSH_KEY
      DEBUG: 'true'

Regards, Igor.
