What and how to add a Known host?

I am setting up automatic deployments with Bitbucket Pipelines and a custom Docker image.

- I have a deployment step in bitbucket-pipelines.yml that runs an SSH command like this (for testing if ssh connection works):

ssh $SSH_USERNAME@$SSH_HOST -p 17177 ls -l /home

- The command results in: Host key verification failed.

- If I run the same command from my pc, with the variables replaced by the exact variables that I have put in as environment variables on bitbucket, the ssh connection and command work

- I have a public key in the bitbucket repo SSH settings

- I have added this public key on the host I am trying to ssh to

- If I manually check the ~/.ssh/authorized_keys file on the host, the public key is indeed there


- What does not work is adding a Known host in the bitbucket SSH Key settings, and I am probably doing something wrong or forgetting something, but I could not find it after long hours of testing stuff. Since I can locally connect to my host via SSH with myusername@am1.fcomet.com I thought the value that I should enter in the 'Host address' field would be 'am1.fcomet.com' but if I click on 'Fetch' I get the error:
'Unable to fetch fingerprints, check host SSH connection and try again'


So am I wrong? Should I enter something different in the Host address field?

Or does the problem lie in the fact that I need to ssh to my host over a specific port, and is that the reason I cannot add the host address?

Or should it work even without a Known host normally?

Did I forget a step somewhere? Like, should I somehow add the public key from bitbucket into my docker image, and if so, how? The docker image right now just installs openssh via 'RUN apk add --update openssh' so it knows the 'ssh' command, but it is possible I should also take extra steps in my docker image that I am not aware of.

3 answers

Boom 💥 adding the correct port helps (127.0.0.1:21098) – why is this not documented on the page?

Thanks @cwaldau you hero..

Simon says:

"SSH can authenticate hosts as well as users. The verification step that is failing on your setup is the host authentication one. You have two options at this point:

- instruct the SSH client to skip host authentication by using the option StrictHostKeyChecking=no either in the ~/.ssh/config or as an argument to the ssh command. Using this option you are telling the SSH client that you do not care to which host you are connecting as long as the hostname resolves and there is an SSH server listening on the default port.

- do a keyscan before running the ssh command so that you obtain the host key and add it to the ssh client ~/.ssh/known_hosts. For keeping things tidy you can use the sequence of commands (the first one cleans up existing keys for the SSH server host, the second scans and adds the host keys):

ssh-keygen -R <SSH server hostname>

ssh-keyscan -H <SSH server hostname> >> ~/.ssh/known_hosts


If in doubt reading the man page of ssh will give you more details."

Simon out.

Hi,

I think you really pointed me in the correct direction. I found another thread now which suggests adding:

RUN ssh-keyscan github.com >> ~/.ssh/known_hosts

to the docker image.

So I think I need to at least do a keyscan in my docker image. I'm not sure if I should replace 'github.com' with 'bitbucket.org' or the host I'm trying to ssh into.

I do not believe I should be making a new key in docker, as that's what the bitbucket ssh key is supposed to be used for somehow. I am still hoping for an actual usable answer from Atlassian on this.

Your first option sounds less secure, so I'm hoping that I don't need to resort to this, but at this point I am willing to take less secure over not being able to deploy at all.

I tried the ssh-keygen and ssh-keyscan commands both in my Dockerfile and in my bitbucket-pipelines.yml but it did not work.

So for now I disabled the StrictHostKeyChecking in my ssh commands and that works great:

- ssh -o StrictHostKeyChecking=no $SSH_USERNAME@$SSH_HOST -p $SSH_PORT ls -l /home/
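Simon's second option (keyscan, then add to known_hosts) and the port problem raised later in the thread can be combined into one pipeline step that does not fall back to StrictHostKeyChecking=no: scan the host on its real port, compare the scanned key's fingerprint with one recorded out of band, and only then append it to known_hosts. This is an added example, not code from the thread or from Atlassian; the variable names SSH_HOST, SSH_PORT and SSH_HOST_FINGERPRINT are assumed pipeline variables.

```shell
#!/bin/sh
# Added example (not from the thread): pin the deploy host's SSH key in a
# pipeline step. Assumed pipeline variables: SSH_HOST, SSH_PORT and
# SSH_HOST_FINGERPRINT, the "SHA256:..." fingerprint you recorded out of band
# (e.g. on the server with: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub).

# known_hosts names a non-default port as [host]:port; port 22 is the bare host.
known_hosts_name() {
  host=$1; port=${2:-22}
  if [ "$port" = "22" ]; then
    printf '%s\n' "$host"
  else
    printf '[%s]:%s\n' "$host" "$port"
  fi
}

# Succeeds when $2 (output of `ssh-keygen -lf`, one line per key) lists the
# fingerprint $1. The fingerprint is surrounded by spaces on that line.
fingerprint_listed() {
  printf '%s\n' "$2" | grep -Fq -- " $1 "
}

# Scan host:port, verify the fingerprint, then install the key for ssh.
pin_host_key() {
  host=$1; port=$2; expected=$3
  tmp=$(mktemp) || return 1
  # -p: scan the real port; -t ed25519: only accept the key type we pinned
  ssh-keyscan -p "$port" -t ed25519 "$host" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
  seen=$(ssh-keygen -lf "$tmp")
  if fingerprint_listed "$expected" "$seen"; then
    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    # drop any stale entry for this host before appending the verified one
    ssh-keygen -R "$(known_hosts_name "$host" "$port")" >/dev/null 2>&1
    cat "$tmp" >> ~/.ssh/known_hosts
    rm -f "$tmp"
    return 0
  fi
  echo "host key for $host:$port does not match pinned fingerprint, aborting" >&2
  rm -f "$tmp"
  return 1
}

# Usage in the deployment step (only runs when the variables are set):
if [ -n "${SSH_HOST:-}" ]; then
  pin_host_key "$SSH_HOST" "$SSH_PORT" "$SSH_HOST_FINGERPRINT" \
    && ssh -p "$SSH_PORT" "$SSH_USERNAME@$SSH_HOST" ls -l /home
fi
```

If the scanned key ever changes, the step fails instead of silently trusting the new host, which is the check StrictHostKeyChecking=no throws away.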
Gary Atlassian Team Jul 17, 2018

Hi Joery,

Simon's directions will work, but we also have a built-in feature for this.

Pipelines provides a way for you to store, and inspect, the fingerprint of a remote host, along with the host address. This allows you to visually verify that the public key presented by a remote host actually matches the identity of that host, to help you detect spoofing and man-in-the-middle attacks. It also means that future communications with that host can be automatically verified.

In the repository Settings, go to SSH keys, and add the address for the known host. Click Fetch to see the host's fingerprint.

See https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html.

Cheers,

Gary

Hi Gary from Atlassian.

I really appreciate you replying to my issue. I would have appreciated it even more if you would have actually read my main issue:

What does not work is adding a Known host in the bitbucket SSH Key settings, and I am probably doing something wrong or forgetting something, but I could not find it after long hours of testing stuff. Since I can locally connect to my host via SSH with myusername@am1.fcomet.com I thought the value that I should enter in the 'Host address' field would be 'am1.fcomet.com' but if I click on 'Fetch' I get the error:
'Unable to fetch fingerprints, check host SSH connection and try again'

The step you are describing in your reply which I should do, "Click Fetch to see the host's fingerprint", is not working at all, and is the reason why I created this issue. If I click Fetch, I get 'Unable to fetch fingerprints, check host SSH connection and try again'


Please read my entire post carefully, so that you know exactly what I am asking you and what the problem is, and then please reply. I am looking forward to an answer from you or your team which will finally help me.


On the off chance this is your (or anyone else's) issue with the fingerprint too, try adding a port number (22 is default) to your host address when using the fingerprint fetch tool.


To extend on this for those like me that were confused at first, if your SSH port is not 22 (default) add it to your IP address such as `127.0.0.1:21098` where 21098 is the SSH port open to connections.

Thanks for pointing me in the right direction when I was confused as to why I was getting an error using the built in known_hosts feature.
