Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

What and how to add a Known hosts ?

Joery Lemmens July 12, 2018

I am setting up automatic deployments with Bitbucket Pipelines and a custom Docker image.

- I have a deployment step in bitbucket-pipelines.yml that runs an SSH command like this (for testing if ssh connection works):

ssh $SSH_USERNAME@$SSH_HOST -p 17177 ls -l /home

 - The command results in: Host key verification failed.

- If I run the same command from my pc, with the variables replaced by the exact variables that I have put in as environment variables on bitbucket, the ssh connection and command work

- I have a public key in the bitbucket repo SSH settings

- I have added this public key on the host I am trying to ssh to

- If I manually check the ~/.ssh/authorized_keys file on the host, the public key is indeed there

 

- What does not work is adding a Known host in the bitbucket SSH Key settings, and I am probably doing something wrong or forgetting something, but I could not find it after long hours of testing stuff. Since I can locally connect to my host via SSH with myusername@am1.fcomet.com I thought the value that I should enter in the 'Host address' field would be 'am1.fcomet.com' but if I click on 'Fetch' I get the error:
'Unable to fetch fingerprints, check host SSH connection and try again'

 

So I am wrong ? Should I enter something different in the Host address field ?

Or does the problem lies in the fact that I need to ssh to my host over a specific port and is that the reason I cannot add the host address ?

Or should it work even without a Known host normally ?

Did I forget a step somewhere ? Like should I somehow add the public key from bitbucket into my docker image, if so how ? The docker image right now just installs openssh via 'RUN apk add --update openssh' so it knows the 'ssh' command, but it is possible I should also take extra steps in my docker image that I am not aware of.

3 answers

3 votes
twobyte March 19, 2021

Boom 💥 adding the correct port helps (127.0.0.1:21098) – why is this not documented on the page?

Thanks @cwaldau you hero..

1 vote
Anonymous Coward July 17, 2018

Simon says:

" SSH can authenticate hosts as well as users. The verification step that is failing on your setup is the host authentication one. You have two options at this point:

- instruct the SSH client to skip host authentication by using the option StrictHostKeyChecking=no either in the ~/.ssh/config or as an argument to the ssh command. Using this option you are telling the SSH client that you do not care to which host you are connecting to as long as the hostname resolves and there is an SSH server listening on the default port.

- do a keyscan before running the ssh command so that you obtain the host key and add it to the ssh client ~/.ssh/known_hosts. For keeping things tidy you can use the sequence of commands (the first one cleans up existing keys for the SSH server host, the second scans and adds the host keys):

ssh-keygen -R <SSH server hostname>

ssh-keyscan -H <SSH server hostname> >> ~/.ssh/known_hosts

 

If in doubt reading the man page of ssh will give you more details."

Simon out.

flyke July 18, 2018

Hi,

I think you really pointed me to the correct direction. I found another thread now which suggest to add:

RUN ssh-keyscan github.com >> ~/.ssh/known_hosts

to the docker image.

So I think I need to at least do a keyscan in my docker image. I'm not sure if I should replace 'github.com' with 'bitbucket.org' or the host i'm trying to ssh into.

I do not believe I should be making a new key into docker, as thats what the bitbucket ssh key is supposed to be used for somehow. I am still hoping on an actual usable answer from Atlassian with this.

Your first option sounds less secure, so I'm hoping that I dont need to resolve to this, but at this point I am willing to take less secure over not being able to deploy at all.

flyke July 18, 2018

I tried the ssh-keygen and ssh-keyscan commands both in my docker file as in my bitbucket-pipelines.yml but it did not work.

So for now I disabled the StrictHostKeyChecking in my ssh commands and that works great:

- ssh -o StrictHostKeyChecking=no $SSH_USERNAME@$SSH_HOST -p $SSH_PORT ls -l /home/
Like Christopher Hahn likes this
0 votes
Gary
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 17, 2018

Hi Joery,

Simon's directions will work, but we also have a built in feature for this.  

Pipelines provides a way for you to store, and inspect, the fingerprint of a remote host, along with the host address. This allows you to visually verify that the public key presented by a remote host actually matches the identity of that host, to help you detect spoofing and man-in-the-middle attacks. It also means that future communications with that host can be automatically verified.

In the repository Settings, go to SSH keys, and add the address for the known host. Click Fetch to see the host's fingerprint.

See https://confluence.atlassian.com/bitbucket/use-ssh-keys-in-bitbucket-pipelines-847452940.html.

Cheers,

Gary

flyke July 18, 2018

Hi Gary from Atlassian.

I really appreciate you replying to my issue. I would have appreciated it even more if you would have actually read my main issue:

What does not work is adding a Known host in the bitbucket SSH Key settings, and I am probably doing something wrong or forgetting something, but I could not find it after long hours of testing stuff. Since I can locally connect to my host via SSH with myusername@am1.fcomet.com I thought the value that I should enter in the 'Host address' field would be 'am1.fcomet.com' but if I click on 'Fetch' I get the error:
'Unable to fetch fingerprints, check host SSH connection and try again'

The step you are describing in your reply which I should do: Click Fetch to see the host's fingerprint.

Is not working at all, and is the reason why I created this issue. If I click Fetch, I get 'Unable to fetch fingerprints, check host SSH connection and try again'

 

Please read my entire post carefully, so that you know exactly what I am asking you and what the problem is, and then please reply. I am looking forward to an answer from you or your team which will finally help me.

Like # people like this
Lucas Morgan December 4, 2018

On the off chance this is your (or anyone else's) issue with the fingerprint too, try adding a port number (22 is default) to your host address when using the fingerprint fetch tool.

Like # people like this
cwaldau March 27, 2020

To extend on this for those like me that were confused at first, if your SSH port is not 22 (default) add it to your IP address such as `127.0.0.1:21098` where 21098 is the SSH port open to connections.

Thanks for pointing me in the right direction when I was confused as to why I was getting an error using the built in known_hosts feature.

Like # people like this
Justin Jones March 3, 2023

This and these features need better documentation. Thank you for sorting this out a few years before I ran into it. I admit it still took me an hour and a half to sort out jus the fingerprint after finding these posts.

Like cwaldau likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events