maven 3 site-deploy gets stuck in authentication prompt in Jenkins build

Question

How do you get rid of this prompt when using site-deploy? "Are you sure you want to continue connecting?"

I know this question has been asked multiple times (link, link), but the recommended solutions do not work for me and I will explain why.

Oh, and I posted pretty much the exact same question here

where the solution is to:

# Run this manually:
ssh -o UserKnownHostsFile=foo javadoc.foo.com

# Take that file and put it in your private DAV share, and then
ssh -o UserKnownHostsFile=/private/<account>/known_hosts javadoc.foo.com

Which has been working fine 99% of the time, but using this solution, every once in a while we get the following text over and over again in the logs:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Please contact your system administrator.
Add correct host key in known_hosts to get rid of this message.
Do you want to delete the old key and insert the new key? (yes/no)

So, back to my problem: in a nutshell, the problem is this: When I run mvn site-deploy, it gets stuck in an infinite loop in Jenkins:

The authenticity of host 'javadoc.foo.com' can't be established.
RSA key fingerprint is 3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Are you sure you want to continue connecting? (yes/no)
The authenticity of host 'javadoc.foo.com' can't be established.
RSA key fingerprint is 3d:69:41:8a:ec:d1:4c:d9:75:ef:7d:71:b7:7d:61:d0.
Are you sure you want to continue connecting? (yes/no)

The machine that this occurs on is a CloudBees machine, so it's not a machine that we own. In other words, every time we do a build, a brand new machine is provisioned to us.

Our settings.xml has something like:

<server>
    <id>javadoc.foo.com</id>
    <username>username</username>
    <password>password</password>
</server>

If it was a machine that we owned and controlled, we could manually ssh on there and run the ssh command just once so that this is fixed, but like I said, those machines are dynamically provisioned to us.

Since we are using maven 3 and not maven 2, we cannot add the following to our server section of the settings.xml:

<configuration>
    <knownHostsProvider implementation="org.apache.maven.wagon.providers.ssh.knownhost.NullKnownHostProvider">
        <hostKeyChecking>no</hostKeyChecking>
    </knownHostsProvider>
</configuration>

Is there a way to either:

1. programmatically answer yes (this is not a free-style Jenkins job; this is Maven project.)
2. an alternative to site-deploy (ant code within the pom.xml?)
3. have site-deploy fail if this question does not get answered, so that the Jenkins build doesn't fill gigs of disk space with this question repeated over and over again.
4. tell the site-deploy plugin to set stricthostkeychecking to "no"

I would like to avoid any pre-build steps that could tweak ssh settings; I would prefer to either tweak the settings.xml, pom.xml, or maven options.

Nonetheless, I'm open to any suggestions.

Answer 1

echo yes | mvn site:deploy 

Totally fixed this for me despite having tried many other routes.

Answer 2

For the case that someone would not use StrictHostKeyChecking no and also if someone has this problem on Windows I have another solution:

Normaly your known_hosts could be found under

C:\Users\<YourUsername>\.ssh\known_hosts

For the Windows Service Installation of Jenkins you should copy your known_hosts to:

C:\Windows\System32\config\systemprofile\.ssh\

Or for the case of a Jenkins 64Bit version to:

C:\Windows\SysWOW64\config\systemprofile\.ssh\

For Unix/Linux systems use analog paths - copy the known_hosts (or only parts of it) from your account to Jenkins user.

Answer 3

You can manage to get it work using this settings.xml configuration :

<server>
  <id>site</id>
  <username>_your_login_user_</username>
  <privateKey>_path_to_key_identify_file</privateKey>
  <configuration>
    <strictHostKeyChecking>no</strictHostKeyChecking>
    <preferredAuthentications>publickey,password</preferredAuthentications>
    <interactive>false</interactive>
  </configuration>
</server>

along with the following pom.xml :

<plugin>
   <groupId>org.apache.maven.plugins</groupId>
   <artifactId>maven-site-plugin</artifactId>
   <version>3.6</version>
     <dependencies>
       <dependency><!-- add support for ssh/scp -->
           <groupId>org.apache.maven.wagon</groupId>
           <artifactId>wagon-ssh</artifactId>
           <version>2.12</version>
       </dependency>
     </dependencies>
 </plugin>

An issue https://issues.apache.org/jira/browse/WAGON-467 has been addressing the wagon-ssh plugin for the strictHostKeyChecking parameter and has been solved in recent versions.

Answer 4

I couldn't find a way round this. Using this didnt work: org.apache.maven.wagon.providers.ssh.knownhost.NullKnownHostProvider, which seems to be a known issue.

But assuming you're on a unix box of some sort you can do this as a workaround to send yes when prompted if you don't want to change ssh config:

echo yes | mvn site:deploy 

Answer 5

add a shell pre-build step to create ~/.ssh/config with content :

StrictHostKeyChecking no