Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-56804

RSA Keys larger than 4096 bits do not work with ansible playbooks


      I recently created an SSH rsa key that was 8192 bits in size and stored it in the credentials repository. I found that Ansible playbooks did not work with a key of this size.



      09:50:52  [Install - Nagios Core] $ ansible-playbook "/var/lib/jenkins/workspace/Install - Nagios Core/ansible/prepare_os.yml" --private-key "/var/lib/jenkins/workspace/Install - Nagios Core/ssh581441855617245626.key" -u root -i core-057, -e "target=core-057, product=nagios os_name=fedora os_version=29 os_version_minor= ansible_become_pass="
      09:50:52  PLAY [Prepare Operating System] ************************************************
      09:50:52  TASK [Gathering Facts] *********************************************************
      09:50:52  fatal: [core-057]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'core-057,2001:44b8:3132:25:10:25:5:190' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}
      09:50:52  	to retry, use: --limit @/var/lib/jenkins/workspace/Install - Nagios Core/ansible/prepare_os.retry



      I could confirm from the command line that if I created the keyfile I was able to execute the ansible-playbook command and it worked. So it's not an ansible issue with keyfiles of that size, it's something to do with Jenkins creating that keyfile (I think).


      After some trial and error I found that an 4096 bit key worked but anything larger failed (like 4097).



      ssh-keygen -b 4097



      I know this is an edge case, bit I've spent about 3 hours getting to the root cause of the issue so hopefully it'll help someone else.

            sirot Jean-Christophe Sirot
            box293 Troy Lea
            0 Vote for this issue
            1 Start watching this issue