SFTP Host Keys setup.

The SFTP endpoint of this plugin uses the SSH protocol for communication, which needs a trusted base of keys for identifying each host. In the Linux world this key base is commonly known as the $HOME/.ssh/known_hosts file.

This plugin uses the same file format to look up host keys, reading them from the $RUNDECK_BASEDIR/.ssh/known_hosts file. If a server is not listed in this file, SFTP communication with it will not work. In that case you will see an error like this in the log:

Error [JSchException] creating SFTP endpoint: UnknownHostKey: RSA key fingerprint is 23:7a:96:8f:02:b5:0d:ad:ee:ec:69:ad:b8:c3:1b:30

Installing a host key.

To install a host key you need to retrieve the key first. On a Linux server this is easily done with the following command:

ssh-keyscan -t rsa <SERVER ADDRESS>

This command will output a text line like this one:

<SERVER ADDRESS> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDR8LIJso4j+8l5p5Kx4Vm3gZEFzeChihD2nRqJvXZqjpo64bs6AjT8ismwTjAlzJVeFTiRW5/Kj/HAk2ipVTaNbqdwSrKBKewu0BwSWuY84VWZGC4V1R2QUS6+nMeXdi+A0BJFW3rM6uyhb+EgtyOd4ZnwKAoF01FW76zvdY3O0erwcxLZHP8y92C/Qgy+2ii8xfVGrmUNkX+neoNisMllyr+UOXzpPWFmPgyCE7r7Cptishj66XFfQI+xh5HiVL4sbnGP3jX8fC3C802znZ9XgGVENxdwIZqWfc8JzsjfHF6HD7lY/zgS5r/JcxX5Zt4gGjmzy0inJRogWCwXI1+r

Copy this line entirely (be very careful to copy all characters) and paste it into the $RUNDECK_BASEDIR/.ssh/known_hosts file. Ensure each host key entry occupies a single line in the file. If the address at the start of the line does not match the address your Rundeck server will connect to, you can change that address manually. Be careful not to modify any character besides the server address.
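As an added example (not part of this plugin's code), the following Python script parses a known_hosts file in the format ssh-keyscan prints, checks that a pasted key blob is intact, and computes the MD5 fingerprint in the same colon-separated form the UnknownHostKey error above shows, so the fingerprint in the error can be compared against the key before it is trusted. The hostnames and the key itself are constructed samples, not a real server's key.

```python
import base64
import binascii
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: an ssh-rsa public key blob (name, exponent, modulus).
# The modulus is a made-up byte pattern, not a real key.
_SAMPLE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + bytes(range(1, 65)))
).decode()

# Constructed known_hosts content; the second entry shows the
# comma-separated alias form (host and IP sharing one key).
SAMPLE_KNOWN_HOSTS = (
    f"sftp.example.com ssh-rsa {_SAMPLE_BLOB}\n"
    "# comment lines and blank lines are ignored\n"
    f"10.0.0.5,backup.example.com ssh-rsa {_SAMPLE_BLOB}\n"
)


def parse_known_hosts(text):
    """Return a list of (hosts, key_type, blob) tuples, one per entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts entry: {line!r}")
        entries.append((parts[0].split(","), parts[1], parts[2]))
    return entries


def find_host_key(text, host, key_type="ssh-rsa"):
    """Return the key blob recorded for host, or None if the host is absent."""
    for hosts, ktype, blob in parse_known_hosts(text):
        if host in hosts and ktype == key_type:
            return blob
    return None


def check_blob(key_type, blob_b64):
    """True if the blob decodes and its embedded algorithm name matches key_type.
    A truncated or mangled paste fails here before it reaches the plugin."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except binascii.Error:
        return False
    (name_len,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + name_len] == key_type.encode()


def md5_fingerprint(blob_b64):
    """MD5 fingerprint in the aa:bb:cc form used by the UnknownHostKey error."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))
```

Run `md5_fingerprint` on the blob you copied and compare it with the fingerprint printed in the log before adding the line.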

What if my Rundeck server is a Windows server?

If Rundeck is running on a Windows server, you have a few options:

  • You can run the above command on any Linux server (the destination SFTP server itself will do) and copy the output into your Rundeck known_hosts file. Be sure to set the correct address at the start of the line.
  • You can use a Windows SSH client to retrieve the host key. Be sure to retrieve the key in the correct known_hosts format.
  • You can install OpenSSH on Windows to get the ssh-keyscan command.

Known Issues

When using the SFTP protocol, JSch looks up the host key in the $RDECK_BASE/.ssh/known_hosts file. However, the Java JVM and JSch do not provide the default host key algorithms used by OpenSSH (ecdsa-sha2-nistp256 as of 07-2016), so the lookup fails to find the server key even when the server is present in the known_hosts file.

As a workaround, be sure to extract the host key with the -t rsa parameter of ssh-keyscan:

ssh-keyscan -t rsa <SERVER ADDRESS>

If you DO need the strongest algorithms (such as ecdsa), you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on your JVM.

