knownhosts for Ant scp and sshexec tasks

5
votes

My question is similar to the one asked here: Ant scp task failure

BUILD FAILED com.jcraft.jsch.JSchException: reject HostKey: ....

My question is why are the keys not found in my knownhosts file?

No matter what kind of known_hosts file I have, the host key is rejected. Connecting via ssh works perfectly fine, and adds the relevant entries, but maybe jsch is unable to read known_hosts files generated by OpenSSH?

The Ant docs mention that the knownhosts file needs to be in SSH2 format, not SSH1. Ironically, the SSH2 format known_hosts file from OpenSSH is supposed to be ~/.ssh/known_hosts2, but the default value for knownhosts is ~/.ssh/known_hosts.

The known hosts files created by SSH2 are in ~/.ssh2/knownhosts/, so it's probably safe to count that out for the expected format. So far I've been unable to get OpenSSH to create a known_hosts2 file, and the man pages aren't much help there either. So what do the docs actually mean that the file needs to be in SSH2 format?

I've tried dsa and rsa keys, and neither work (both work with OpenSSH).

I've searched for two days and the only answers I've found are 'set trust="true'. Yes, that gets the task working, but not without turning a blind eye to security.

3
antsshbuild-automationjsch
I'm struggling with the exact same problem. I have a known_hosts file that works with earlier versions of Ant (or a later version with an earlier version of the Jsch library dropped in the lib folder), but I've not yet been able to figure out what exactly the later versions are looking for in the known_hosts file or knownhosts directory or whatever. - MB.
Finally I figured this out :) See my answer below. - MB.

3 Answers

2
votes

Here's a format I found that works with more recent versions of jch:

[xx.xx.xx.xx]:22 ssh-rsa .......

In older versions it was like:

xx.xx.xx.xx ssh-rsa ......

i.e. no square brackets and no port number. (Not sure if the port number is necessary if you're using port 22, but I tested it with a server with a non-default port assigned for SSH. And, in case it's not obvious, xx.xx.xx.xx should be the IP address of the server, or hostname or whatever.)

I found this format by getting the JCraft/jsch library to generate the known_hosts file for me. If you visit www.jcraft.com you can download a zip of the jsch source code, and some examples. Either build the source to make a jar, or download the ready-made jar as well. I unzipped the zip download and then plopped the jar file in that same directory.

There's an examples folder containing KnownHosts.java. You need to compile that file and then run it - it will ask you for your known_hosts file (just create an empty file in the default location first (~/.ssh/known_hosts) and select that. It will then ask you for details to connect to a server... Enter those, for example [email protected], and the program will try to connect and then fill the known_hosts file for you.

For convenience for blundering Windows users like me who can never remember how to do stuff from the command line, here's what you need to compile and run that KnownHosts.java file:

First, navigate to the directory (having unzipped it and put the jar file inside, as I described above).

Then run:

javac -cp jsch-0.1.49.jar examples/KnownHosts.java

to compile KnownHosts.java. And then:

java -cp "examples;jsch-0.1.49.jar" KnownHosts

to run it. Follow through the instructions above and you should have a working known_hosts file.

One final note: the KnownHosts program assumes a port of 22. I edited it to allow me to enter something like [email protected]:8888 so I could specify a server with a custom port and have it work as described above. In the source of KnownHosts.java I looked for a line like:

Session session=jsch.getSession(user, host, 22);

and replaced it with:

int port = 22;
final int colonIndex = host.indexOf(':');
if (colonIndex > -1) {
    final String[] split = host.split(":");
    host = split[0];
    port = Integer.parseInt(split[1]);
}
Session session=jsch.getSession(user, host, port);

and then compiled and ran as above.

1
votes

The sshexec ant task is looking for the file 'known_hosts' by default to ${user.home}/.ssh/known_hosts

Verify the value of 'user.home' system property. Probably it points to unsuspected place. Or provide the 'knownhosts' value explicitly in the ant task's property.

0
votes

There are two parameters you might be interested in:

  • trust: If set to true will trust unknown hosts. The default is set to false.
  • knownhosts: Set to the location of your known hosts file.

The first will allow you to set the tasks to not check whether or not it's a known host. The second will allow you to specify the file that contains the known hosts. This way, you could specify it as ${user.home}/.ssh/known_hosts2and override the default.

By the way, a good way to do this is to use properties for these values, and then use a property file to override those properties:

[...]
<property name="build.properties" value="build.properties"/>
<property file="${build.properties}"/>

<!-- Can be overridden via 'build.properies' file -->
<property name="knownhosts.file" value="${user.home}/.ssh/knownhosts"/>

<property name="remote.host" value="foo-system"/>
[...]

    <scp file="${copy.this.file}"
       todir="${user}@{host}:${remote.dir}"
       knownhosts="${knownhosts.file}"/>
[...]