
Launching EC2 slaves can fail if multiple host keys are present

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • ec2-plugin
    • None
    • Operating System: AWS EC2, Ubuntu 22.04.5 LTS
      JRE/JDK: openjdk version "21.0.5" 2024-10-15
      Jenkins version: 2.479.3
      Amazon EC2 plugin version: 1823.v828850f7f155
      Amazon Web Services SDK version: 1.12.772-477.v650d756dcf6d

      SSH launching fails with host key mismatch

      Jan 30, 2025 5:27:23 PM hudson.plugins.ec2.EC2Cloud WARNING: The SSH key (redacted-fingerprint-1) presented by the instance has changed since first saved (redacted-fingerprint-2). The connection to EC2 (redacted-hostname) - IntegrationTest (i-redacted) is closed to prevent a possible man-in-the-middle attack
      Jan 30, 2025 5:27:23 PM hudson.plugins.ec2.EC2Cloud WARNING: Authentication failed. Trying again...

      Interrogating the known hosts on the built-in node with `ssh-keygen -l -E md5 -F ip-address` reveals that both the presented key (ECDSA), and the previously saved key (ED25519) are present in known hosts, along with a third key (RSA). The keys are on consecutive lines, with the ED25519 key first, the RSA second, and the ECDSA key third.

      Manual ssh to the node ec2 instance is successful, tested via `ssh -v ubuntu@ip-address hostname`

      It should be noted that this particular node ec2 instance is long-lived (unlike most nodes which are ephemeral) for reasons. As such it previously had extended uptimes prior to upgrading to the latest version / ec2 plugin et al.

       

       

       

          [JENKINS-75214] Launching EC2 slaves can fail if multiple host keys are present

          Graham added a comment - edited

          Rebooting the node instance has not changed matters. According to the log, the ECDSA key is presented, but not accepted, as the ec2 plugin appears to insist on the ED25519 key.

          Downgrading the ec2 plugin from 1823.v828850f7f155 to 1801.v526399543dca_ has restored functionality.


          Mark Waite added a comment -

          jmdesprez I think this may also be related to the changes in handling of the SSH key.


          Jean-Marc Desprez added a comment -

          markewaite Yes, I think it's related

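Added example (not code from the ec2-plugin or from anyone in this thread): a small known_hosts check that reproduces the situation in the report, three key types stored for one host with ED25519 first and ECDSA presented. `first_entry_only` is a hypothetical model of the symptom in the log, not confirmed plugin behaviour; the host address and key blobs are constructed.

```python
import base64, hashlib, hmac, struct

def blob(key_type, material):
    """Constructed (not real) key blob: two length-prefixed SSH strings."""
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), material))
    return base64.b64encode(raw).decode()

def md5_fp(b64):
    """Fingerprint in the form printed by `ssh-keygen -l -E md5`."""
    d = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return "MD5:" + ":".join(d[i:i + 2] for i in range(0, 32, 2))

def host_matches(pattern, host):
    """Plain or hashed (|1|salt|hash) host field; no wildcards or ports."""
    if pattern.startswith("|1|"):
        salt, digest = pattern[3:].split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in pattern.split(",")

def entries_for(known_hosts, host):
    """[(key_type, blob)] for host in file order; @marker lines are out of scope."""
    out = []
    for line in known_hosts.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0][0] not in "#@" and host_matches(f[0], host):
            out.append((f[1], f[2]))
    return out

def first_entry_only(entries, key_type, b64):
    """Hypothetical model of the symptom: only the first saved key counts."""
    return bool(entries) and entries[0] == (key_type, b64)

def any_entry(entries, key_type, b64):
    """Accept when the presented key equals any key stored for the host."""
    return (key_type, b64) in entries

HOST = "10.0.0.5"  # constructed address
ED = blob("ssh-ed25519", b"\x01" * 32)  # constructed key material
RSA = blob("ssh-rsa", b"\x02" * 64)
EC = blob("ecdsa-sha2-nistp256", b"\x03" * 65)
KNOWN_HOSTS = "\n".join(f"{HOST} {t} {b}" for t, b in [
    ("ssh-ed25519", ED), ("ssh-rsa", RSA), ("ecdsa-sha2-nistp256", EC)])  # order as in the report

if __name__ == "__main__":
    saved = entries_for(KNOWN_HOSTS, HOST)
    for t, b in saved:
        print(t, md5_fp(b))
    print(first_entry_only(saved, "ecdsa-sha2-nistp256", EC), any_entry(saved, "ecdsa-sha2-nistp256", EC))
```

A key that matches no stored entry is still rejected by `any_entry`, so accepting any saved key type does not weaken the man-in-the-middle check the log message refers to.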

            jmdesprez Jean-Marc Desprez
            maharg101 Graham