• Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: ec2-plugin
    • Environment:
      Jenkins: 2.387.2
      ec2: 2.0.7
      OS: Linux - 4.14.311-233.529.amzn2.x86_64
      Java: 11.0.16 - Amazon.com Inc. (OpenJDK 64-Bit Server VM)

      Steps to reproduce

      1. Create an ed25519 key pair in EC2
      2. Add the generated key to Jenkins credentials
      3. In the EC2 cloud configuration, set the "EC2 Key Pair's Private Key" field to use the ed25519 key
      4. Try to run a job using an EC2 agent

      Expected result
      Agent starts without problems

      Actual result
      Agent fails to start. The following error can be seen in the Jenkins logs:

      SlaveTemplate{description='node', labels='ec2'}. Exception during provisioning
      java.io.IOException: unrecognised object: OPENSSH PRIVATE KEY
      	at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source)
      	at jenkins.bouncycastle.api.PEMEncodable.decode(PEMEncodable.java:170)
      	at jenkins.bouncycastle.api.PEMEncodable.decode(PEMEncodable.java:150)
      	at hudson.plugins.ec2.EC2PrivateKey.getFingerprint(EC2PrivateKey.java:82)
      	at hudson.plugins.ec2.EC2PrivateKey.find(EC2PrivateKey.java:113)
      	at hudson.plugins.ec2.SlaveTemplate.getKeyPair(SlaveTemplate.java:1620)
      	at hudson.plugins.ec2.SlaveTemplate.provisionSpot(SlaveTemplate.java:1379)
      	at hudson.plugins.ec2.SlaveTemplate.provision(SlaveTemplate.java:904)
      	at hudson.plugins.ec2.EC2Cloud.getNewOrExistingAvailableSlave(EC2Cloud.java:718)
      	at hudson.plugins.ec2.EC2Cloud.provision(EC2Cloud.java:744)
      	at hudson.slaves.Cloud.provision(Cloud.java:210)
      	at hudson.slaves.NodeProvisioner$StandardStrategyImpl.apply(NodeProvisioner.java:726)
      	at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:325)
      	at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:823)
      	at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:92)
      	at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
      	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      	at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
      	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      Can't raise nodes for SlaveTemplate{description='node', labels='ec2'}
      

          [JENKINS-71284] Can't use an ed25519 key to connect to agent

          Mark Waite added a comment -

          The EC2 plugin documentation notes that an RSA private key is needed. The plugin does not yet support ED25519 private keys.


          Pawel added a comment -

          Amazon Linux 2023 comes with support for RSA keys disabled by default, as RSA keys are treated as not secure enough. So one can't use Amazon Linux 2023 based AMIs as agents with this plugin without changing the ssh daemon configuration right now.

          Mark Waite added a comment -

          That is an interesting choice by Amazon Linux 2023. See https://docs.aws.amazon.com/linux/al2023/ug/ssh-host-keys-disabled.html for instructions on how to enable RSA host keys on Amazon Linux 2023.


          Pawel added a comment -

          Not really a choice by Amazon Linux 2023. Recent versions of OpenSSH do the same.

          I've seen those Amazon docs, but what they omit to mention is that LEGACY crypto policies also enable TLS 1.0 and 1.1, which is against many corporate security standards.

          I'm testing other ways to just enable RSA keys, but ultimately the lack of ed25519 support in the ec2 plugin will be a pain for anyone trying to use the latest official Amazon images as agents.

          Mark Waite added a comment -

          I thought that RSA-SHA-256 and RSA-SHA-512 were still valid RSA with most recent OpenSSH releases. However, I'm not an expert on the different forms of RSA and how they are used with the EC2 plugin. Would certainly love to have a pull request that provides ED25519 support in the EC2 plugin.


          Andrii Petrenko added a comment - edited

          Even generating an RSA key by

          ssh-keygen -t rsa -b 4096 -f aws-sandbox-us-jenkins-rsa

          generates the key with

          -----BEGIN OPENSSH PRIVATE KEY-----

          in the header.

          $ ssh -V
          OpenSSH_9.4p1, LibreSSL 3.3.6

          macOS Sonoma.
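          The stack trace at the top of this issue and the last comment both come down to the key container, not the key algorithm alone: the plugin's EC2PrivateKey.getFingerprint() hands the pasted text to BouncyCastle's PEMParser, which understands PKCS#1 "RSA PRIVATE KEY" armor but not the "OPENSSH PRIVATE KEY" container that current ssh-keygen writes by default (for every key type) and that EC2 produces for ed25519 key pairs. The following Python is an added example, not code from the EC2 plugin or from anyone in this thread: it classifies a private key file the way the plugin would see it and, for the OpenSSH container, decodes the openssh-key-v1 layout just far enough (magic, cipher name, KDF, key count, first public key) to read the key algorithm without touching the private section. The sample keys are constructed in code and are not usable keys; the function names and the verdict strings are this example's own.

```python
"""Classify an SSH private key as the EC2 plugin's PEMParser path would see it.

Added example (not the EC2 plugin's code).  The openssh-key-v1 container layout
follows OpenSSH's PROTOCOL.key; the sample keys below are constructed, not real.
"""
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
ARMOR_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key(text: str) -> dict:
    """Return the armor label and, for OpenSSH containers, the key type inside.

    PEM armor other than OPENSSH PRIVATE KEY is reported by label only (a PKCS#1
    'RSA PRIVATE KEY' block is what PEMParser expects).  An OpenSSH container is
    decoded only up to the first public key, so the private section is never read.
    """
    m = ARMOR_RE.search(text)
    if m is None:
        raise ValueError("no PEM armor found")
    label, body = m.group(1), m.group(2)
    info = {"container": "pem", "label": label, "key_type": None, "encrypted": None}
    if label != "OPENSSH PRIVATE KEY":
        return info
    raw = base64.b64decode("".join(body.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("OPENSSH armor without openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(raw, off)      # b"none" when there is no passphrase
    _kdf, off = _read_string(raw, off)
    _kdf_opts, off = _read_string(raw, off)
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    off += 4
    if nkeys < 1:
        raise ValueError("container holds no keys")
    pub, off = _read_string(raw, off)
    key_type, _ = _read_string(pub, 0)        # e.g. b"ssh-ed25519" or b"ssh-rsa"
    info.update(container="openssh", key_type=key_type.decode(), encrypted=cipher != b"none")
    return info


def ec2_plugin_verdict(info: dict) -> tuple:
    """Map an inspection result to what to do before pasting the key into Jenkins."""
    if info["container"] == "pem" and info["label"] == "RSA PRIVATE KEY":
        return ("ok", "PKCS#1 RSA key; the plugin's PEMParser can read it")
    if info["container"] == "openssh" and info["key_type"] == "ssh-rsa":
        return ("convert", "RSA key in the OpenSSH container; rewrite it as PEM with: "
                           "ssh-keygen -p -m PEM -f <keyfile>")
    if info["container"] == "openssh":
        return ("unsupported", f"{info['key_type']} key; the plugin documents RSA only")
    return ("check", f"PEM label '{info['label']}' is not the documented RSA format")


def _build_openssh_container(public_blob: bytes) -> str:
    """Constructed, unencrypted openssh-key-v1 container with a placeholder private
    section: enough for inspect_private_key(), but NOT a usable key."""
    raw = (OPENSSH_MAGIC + _string(b"none") + _string(b"none") + _string(b"")
           + struct.pack(">I", 1) + _string(public_blob) + _string(bytes(16)))
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples shaped like the default output of ssh-keygen -t ed25519 / -t rsa.
SAMPLE_ED25519 = _build_openssh_container(_string(b"ssh-ed25519") + _string(bytes(32)))
SAMPLE_RSA_OPENSSH = _build_openssh_container(
    _string(b"ssh-rsa") + _string(b"\x01\x00\x01") + _string(b"\x00" + bytes([0xC3]) * 256))
# Constructed PKCS#1 armor (the form ssh-keygen -m PEM writes); the body is filler
# because only the label is inspected for this container.
SAMPLE_RSA_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("ed25519", SAMPLE_ED25519), ("rsa-openssh", SAMPLE_RSA_OPENSSH),
                         ("rsa-pem", SAMPLE_RSA_PEM)]:
        info = inspect_private_key(sample)
        print(name, info["container"], info["key_type"], *ec2_plugin_verdict(info))
```

          Run it against a real key file with `inspect_private_key(open(path).read())`. For an RSA key that ssh-keygen wrote in the OpenSSH container, `ssh-keygen -p -m PEM -f <keyfile>` rewrites the file in place as PKCS#1 (add `-N ""` to keep it unencrypted); this does not help with an ed25519 key, which has no RSA PEM form and which the plugin does not support as of this issue.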

            Assignee: FABRIZIO MANFREDI (thoulen)
            Reporter: Pawel (pawelus)
            Votes: 1
            Watchers: 3