Jenkins Host key verification failed

Question

I have a problem with jenkins, setting "git", shows the following error:

Failed to connect to repository : Command "git ls-remote -h https://person@bitbucket.org/person/projectmarket.git HEAD" returned status code 128:
stdout:
stderr: fatal: Authentication failed

I have tested with ssh:

git@bitbucket.org:person/projectmarket.git

This is error:

Failed to connect to repository : Command "git ls-remote -h git@bitbucket.org:person/projectmarket.git HEAD" returned status code 128:
stdout:
stderr: Host key verification failed.
fatal: The remote end hung up unexpectedly

I've also done these steps with "SSH key".

Login under Jenkins

sudo su jenkins

Copy your github key to Jenkins .ssh folder

cp ~/.ssh/id_rsa_github* /var/lib/jenkins/.ssh/

Rename the keys

mv id_rsa_github id_rsa
mv id_rsa_github.pub id_rsa.pub

but still not working git repository in jenkins.

thanks by help!.

Answer 1

Change to the jenkins user and run the command manually:

git ls-remote -h git@bitbucket.org:person/projectmarket.git HEAD

You will get the standard SSH warning when first connecting to a new host via SSH:

The authenticity of host 'bitbucket.org (207.223.240.181)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)?

Type yes and press Enter. The host key for bitbucket.org will now be added to the ~/.ssh/known_hosts file and you won't get this error in Jenkins anymore.

Answer 2

Jenkins is a service account, it doesn't have a shell by design. It is generally accepted that service accounts. shouldn't be able to log in interactively.

To resolve "Jenkins Host key verification failed", do the following steps. I have used mercurial with jenkins.

1)Execute following commands on terminal

             $ sudo su -s /bin/bash jenkins

provide password

2)Generate public private key using the following command:

              ssh-keygen

you can see output as ::

Generating public/private rsa key pair. 
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

3)Press Enter --> Do not give any passphrase--> press enter

             Key has been generated

4) go to --> cat /var/lib/jenkins/.ssh/id_rsa.pub

5) Copy key from id_rsa.pub

6)Exit from bash

7) ssh@yourrepository

8) vi .ssh/authorized_keys

9) Paste the key

10) exit

11)Manually login to mercurial server

Note: Pls do manually login otherwise jenkins will again give error "host verification failed"

12)once manually done, Now go to Jenkins and give build

Enjoy!!!

Good Luck

Answer 3

Or you can use:

ssh -oStrictHostKeyChecking=no host

This will be insecure (man in the middle attacks) but easiest solution.

The better way to do that is to generate correct mappings between host and ip address, so ssh will not complain:

#!/bin/bash

for domain in "github.com" "bitbucket.org"; do
    sed -i "/$domain/d" ~/.ssh/known_hosts
    line=$(ssh-keyscan $domain,`nslookup $domain | awk '/^Address: / { print $2 ; exit }'`)
    echo $line >> ~/.ssh/known_hosts
done

Excerpt from gist.

Answer 4

I think, that many people didnt recognize, at least available since jenkins 2.361:

btw. No Verification is for sure not the best option.

Answer 5

Had same problem, i fix it like that :

reset permission on id_rsa* only for current user no group no other

chmod o-rwx ~/.ssh/id*
chmod G-rwx ~/.ssh/id*

ls -lart ~/.ssh/


-rw-------  1 jenkins nogroup  398 avril  3 09:34 id_rsa.pub
-rw-------  1 jenkins nogroup 1675 avril  3 09:34 id_rsa

And clear ~/.ssh/know_hosts

Now Connect as jenkins

sudo su jenkins

Try the jenkins commands

git ls-remote -h git@bitbucket.org:user/project.git HEAD

If no problem appears, now jenkins will be able to connect the repo (for me ^^ at least)

Answer 6

As for the workaround (e.g. Windows slave), define the following environment variable in global properties:

GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

Note: If you don't see the option, you probably need EnvInject plugin for it.

Answer 7

1. Login as jenkins using: sudo su -s /bin/bash jenkins
2. git clone the desired repo which causes the key error
3. It will ask you to add the key by showing Yes/No (enter yes or y)

That's it!

You can now re-run the Jenkins job.

Answer 8

using https://bitbucket.org/YYYY/XX.git

you shoud delete username@

Answer 9

• Make sure we are not editing any of the default sshd_config properties to skip the error

• Host Verification Failed - Definitely a missing entry of hostname in known_hosts file

• Login to the server where the process is failing and do the following:

  1. Sudo to the user running the process

  2. ssh-copy-id destinationuser@destinationhostname

  3. It will prompt like this for the first time, say yes and it will also ask password for the first time:

     The authenticity of host 'sample.org (205.214.640.91)' can't be established.
     RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
     Are you sure you want to continue connecting (yes/no)? *yes*
     

     Password prompt ? give password

  4. Now from the server where process is running, do ssh destinationuser@destinationhostname. It should login without a password.

     Note: Do not change the default permissions of files in the user's .ssh directory, you will end up with different issues

Answer 10

Best way you can just use your "git url" in 'https" URL format in the Jenkinsfile or wherever you want.

git url: 'https://github.com/jglick/simple-maven-project-with-tests.git'

Answer 11

Copy host keys from both bitbucket and github:

ssh root@deployserver 'echo "$(ssh-keyscan -t rsa,dsa bitbucket.org)" >> /root/.ssh/known_hosts'
ssh root@deployserver 'echo "$(ssh-keyscan -t rsa,dsa github.com)" >> /root/.ssh/known_hosts'

Answer 12

I ran into this issue and it turned out the problem was that the jenkins service wasn't being run as the jenkins user. So running the commands as the jenkins user worked just fine.

Answer 13

SSH

If you are trying it with SSH, then the Host key Verification error can come due to several reasons.Follow these steps to overcome all the reasons.

1. Set the Environment variable as HOME and provide the address as the root directory of .ssh folder. e.g:- If your .ssh is kept inside Name folder. C:/Users/Name.
2. Now make sure that the public SSH key is being provided in the repository link also. Either it is github or bitbucket or any other.
3. Open git bash. And try cloning the project from the repository. This will help in adding your repository URL in the known_host file, which is being auto created in the .ssh folder.
4. Now open jenkins and create a new job. Then click on configure.
5. provide the cloning URL in Source code management under Git. The URL should be start with git@github.com/......... or ssh://proje........
6. Under the Credential you need to add the username and password of your repository form which you are cloning the project. Select that credential.
7. And now apply and save the configuration.
8. Bingo! Start building the project. I hope now you will not get any Host Key verification error!

Answer 14

Try

ssh-keygen -R hostname

-R hostname Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts

Answer 15

Use ssh-keyscan should be much more easier:

ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts

This command will put all required hosts to ~/.ssh/known_hosts. You will need to run this command inside your Jenkins machine. You can also create a job and put that command into the "Execute shell" section of the Configure of that job and then execute the job.

Answer 16

There is a safe and (relative easy) way to accomplish this, which should also work if you have separate worker nodes/clouds (like docker/kubernetes).

Adding host keys to Jenkins configuration

• First go to a console and execute ssh-keyscan your_git_server.url
• Copy the output of that command
• Then navigate to https://YOUR_JENKINS_URL/manage/configureSecurity/
• Scroll down to Git Host Key Verification Configuration
• Paste the output of the command into the window. it should look like this:

Both bitbucket and github have pages about their keys and servers. Read them and ensure that you are adding the proper keys and not some random keys

Getting the ssh-keyscan via your Jenkins installation

If you for some reason do not have ssh-keyscan, you can go to the script console ( https://YOUR_JENKINS_URL/manage/script ) and paste in the following script:

def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'ssh-keyscan bitbucket.org'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "copy this to jenkins>\n$sout"
//println "err> $serr"

Answer 17

In Jenkins, you can manage strict host checking behavior in "Global security" parameters

Answer 18

issue is with the /var/lib/jenkins/.ssh/known_hosts. It exists in the first case, but not in the second one. This means you are running either on different system or the second case is somehow jailed in chroot or by other means separated from the rest of the filesystem (this is a good idea for running random code from jenkins).

Next steps are finding out how are the chroots for this user created and modify the known hosts inside this chroot. Or just go other ways of ignoring known hosts, such as ssh-keyscan, StrictHostKeyChecking=no or so.

Answer 19

After ssh-keygen probably one only needs to copy the public key to remote host with:

ssh-copy-id -i ~/.ssh/mykey user@host

Answer 20

I had the same problem. I had the ssh key setup in both the server and github. I can run ssh -T git@github.com without problem. When I manually run the following command, I had no problem.

git ls-remote -h git@github.com:jessy-3/vanilla.git HEAD

But when I configure it with Jenkins, I got the problem. It worked when "Host Key Verification Strategy" in "Configure Global Security" set to "No verification" but not on "Known hosts file".

The final solution is to go to cd ~/.ssh then chmod 644 privatekeyfile.