{"id":658,"date":"2023-06-26T22:00:00","date_gmt":"2023-06-26T20:00:00","guid":{"rendered":"https:\/\/www.dont-panic.cc\/capi\/?p=658"},"modified":"2023-10-04T00:21:21","modified_gmt":"2023-10-03T22:21:21","slug":"add-ssh-host-key-fingerprint-to-jenkins-for-git-checkouts","status":"publish","type":"post","link":"https:\/\/www.dont-panic.cc\/capi\/2023\/06\/26\/add-ssh-host-key-fingerprint-to-jenkins-for-git-checkouts\/","title":{"rendered":"Add SSH host key fingerprint to Jenkins for Git checkouts"},"content":{"rendered":"\n<p>I have a self-hosted <a href=\"https:\/\/gitea.io\" data-type=\"URL\" data-id=\"https:\/\/gitea.io\" target=\"_blank\" rel=\"noreferrer noopener\">Gitea<\/a> instance, and also operate my own <a href=\"https:\/\/www.jenkins.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Jenkins<\/a> instance. On the Jenkins instance, strict host-key checking is enabled. When adding the first reference to a Git repository hosted on my server, the following error appears:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Failed to connect to repository : Command \"git ls-remote -h -- ssh:\/\/git@&lt;myserver&gt;:22222\/martin\/jenkins-test-docker-pipeline.git HEAD\" returned status code 128:\nstdout:\nstderr: No ECDSA host key is known for &#91;myserver]:22222 and you have requested strict checking.\nHost key verification failed.\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.<\/code><\/pre>\n\n\n\n<p>The reason is that this is the first time I&#8217;m accessing a repository on this server, so the SSH host fingerprint is not in the <code>known_hosts<\/code> file for this SSH connection. Since I run this installation of Jenkins inside a Docker container and don&#8217;t want to manually edit files in the file system, I rely on the settings under <code>Manage Jenkins &gt; Security &gt; Git Host Key Verification Configuration<\/code>.
This is set to <code>Manually Provided Keys<\/code>.<\/p>\n\n\n\n<p>The easy solution is to set it to <code>Accept First Connection<\/code>. But I want to stay in manual mode. The easiest way to get the SSH host fingerprint is via <code>ssh-keyscan<\/code> (<code>-p 22222<\/code> specifies the SSH server port, which is a non-standard port in my case):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keyscan -p 22222 myserver<\/code><\/pre>\n\n\n\n<p>The output looks like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># myserver:22222 SSH-2.0-OpenSSH_9.1\n&#91;myserver]:22222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC085ixMnTlpr0pxXmkeJ6X479mbW\/9PGDeUvD8hnG7EVUn3WsnnSG8yZkmU+jzg2W+xmFd7WIdaYLt6UcGvCS3RZIye68+qu64UToKX6CdTQOWyj6z9kd8tLoPBobsBd7tRyGaXU4c4UkCR5M44KhYtbQz0bgL7u+sL0z+R3lbOVyXaYPiSmUf\/Wsd8fA2VcdWHkXJx0MMNMSVj\/hgkZR7RfHzP4SZSqRLhn\/AzIdx4DDuyGyPbVxu1ppnFtumRwlBkgat9UpMWkelREhcUdJtrZO1KPpA6DOkxIH8X\/WtXyWToS9EjPb8FVTvzdjG2C4Zi0DkogH3no9vQcXLiihz\n# myserver:22222 SSH-2.0-OpenSSH_9.1\n&#91;myserver]:22222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDfTT9eEpDmd7ToGAorTW1X9uuJVhZl+KX9phmTpTy2e8U7l31jWn2TnKlXOp5oKgivpQ2cVjcTyazyrFB7MhgI=\n# myserver:22222 SSH-2.0-OpenSSH_9.1\n&#91;myserver]:22222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoEzPpEWApszceLM\/jWHvAbrTppjsTzftw79yTSS5Po\n# myserver:22222 SSH-2.0-OpenSSH_9.1\n# myserver:22222 SSH-2.0-OpenSSH_9.1<\/code><\/pre>\n\n\n\n<p>It only makes sense to copy the non-comment lines (the ones <em>not<\/em> starting with a <code>#<\/code>) to the configuration.<\/p>\n\n\n\n<p>Now Git checkouts of this repository should work, once you have configured the appropriate credentials.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have a self-hosted Gitea instance, and also operate my own Jenkins instance. On the Jenkins instance, strict host-key checking is enabled. 
When adding the first reference to a Git repository hosted on my server, the following error appears: The reason is that since it&#8217;s the first time I&#8217;m accessing a repository on this server, &hellip; <a href=\"https:\/\/www.dont-panic.cc\/capi\/2023\/06\/26\/add-ssh-host-key-fingerprint-to-jenkins-for-git-checkouts\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Add SSH host key fingerprint to Jenkins for Git checkouts&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,4,10],"tags":[245,227,244],"class_list":["post-658","post","type-post","status-publish","format-standard","hentry","category-computer","category-development","category-sysadmin","tag-jenkins","tag-security","tag-ssh"],"_links":{"self":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/comments?post=658"}],"version-history":[{"count":4,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/658\/revisions"}],"predecessor-version":[{"id":662,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/658\/revisions\/662"}],"wp:attachment":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/media?parent=658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/categories?post=658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/tags?post=658"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}