SSH Fingerprints


The purpose of an SSH fingerprint is to verify the identity of a remote server. It prevents an attacker from passing off an illegitimate server as a legitimate one and redirecting connections to their own machine. JAMS takes this into account by failing the first job for a new server by default.

Fingerprints are expressed as colon-separated hexadecimal strings so that they are easy to read, for example: 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

It is important to recognize that the fingerprint JAMS checks for a remote node is that of the server's host key, which is unrelated to the SSH public authentication keys that users may create within JAMS User Definitions.

Fingerprint Options in JAMS

It is possible to configure JAMS in several different ways to deal with SSH fingerprints. To do this, click the Configuration button in the Management Group. Click the +Add button and name the new Configuration setting HostKeyChecking.

Set the Data Type as Text, and have the value be FailFirstJob.

Finish creating the Configuration setting.

Configuration Options

If users want to change the value of the setting, double-click on its name and click the Value tab. The options are:

AcceptHostKey — Accepts the host key and adds the fingerprint to the cache of acceptable fingerprints. (NOT secure; this defeats the purpose of fingerprint checking. Only use it if you are sure of the identity of the server.)

CheckParameter — Checks for a boolean parameter named AcceptHostKey and accepts the key if the parameter value is true.

FailFirstJob — Fails the first job but adds the fingerprint to the cache of acceptable fingerprints. (Default setting, sort of secure.)

Now, when connecting to a remote node for the first time, JAMS will read this configuration setting and act accordingly when it encounters an SSH fingerprint that is not in the cache.
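The following is an added example, not JAMS code, that shows what the colon-separated fingerprint above actually is (an MD5 digest of the server's host-key blob, with the newer SHA256 form alongside) and models the three HostKeyChecking values against a fingerprint cache. The host name, the 32-byte ed25519 key bytes and the parameter dictionary are constructed for the example; the per-host binding of the cache, and treating a false or missing AcceptHostKey parameter under CheckParameter as a failure, are assumptions the page does not spell out.

```python
"""Host-key fingerprints in the colon-hex MD5 form and a model of the
JAMS HostKeyChecking policies. Added example; not JAMS code."""
import base64
import hashlib
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_host_key_line(host: str, raw_key: bytes) -> str:
    """Build a known_hosts style line 'host ssh-ed25519 <base64 blob>'.
    Used only to construct sample input; a real line comes from the server."""
    if len(raw_key) != 32:
        raise ValueError("ssh-ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


def parse_host_key_line(line: str):
    """Return (host, key_type, key_blob) from a known_hosts style line.
    Rejects a line whose blob declares a different key type than the text."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in line does not match type inside key blob")
    return host, key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint (the format shown on this page)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH-style fingerprint: SHA256:<base64 without '=' padding>."""
    raw = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + raw.rstrip("=")


def check_host_key(host: str, fingerprint: str, cache: dict, policy: str,
                   parameters: Optional[dict] = None) -> bool:
    """Decide whether a job connecting to `host` may proceed.

    `cache` maps host -> set of accepted fingerprints (binding to the host
    is an assumption of this example). Returns True if the job may run and
    False if it should fail; the cache is updated as the page describes.
    """
    known = cache.setdefault(host, set())
    if fingerprint in known:
        return True
    if known:
        # A known host presenting a different key is exactly the case
        # fingerprint checking exists for; worth alerting on under any policy.
        print(f"WARNING: host key for {host} changed: {fingerprint}")
    if policy == "AcceptHostKey":
        known.add(fingerprint)      # trust on first use: accept and cache
        return True
    if policy == "CheckParameter":
        if parameters and parameters.get("AcceptHostKey") is True:
            known.add(fingerprint)
            return True
        return False                # assumption: not cached when parameter is absent/false
    if policy == "FailFirstJob":
        known.add(fingerprint)      # this job fails; the next run finds the key cached
        return False
    raise ValueError(f"unknown HostKeyChecking value: {policy!r}")


if __name__ == "__main__":
    # Constructed sample: host name and key bytes are not from any real server.
    line = build_ed25519_host_key_line("node1.example.test", bytes(range(32)))
    host, key_type, blob = parse_host_key_line(line)
    print(host, key_type, md5_fingerprint(blob), sha256_fingerprint(blob))
    cache = {}
    print("FailFirstJob first run:", check_host_key(host, md5_fingerprint(blob), cache, "FailFirstJob"))
    print("FailFirstJob second run:", check_host_key(host, md5_fingerprint(blob), cache, "FailFirstJob"))
```

Run it directly to see a fingerprint in both forms and the first-run/second-run behaviour of FailFirstJob; the cache dictionary plays the role of the HostKey.dat file discussed later on this page.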

When making changes to Configuration, a restart of the JAMS Scheduler service is needed. This will NOT impact any jobs currently in the schedule.

Managing the SSH HostKey Fingerprints

It is possible to manage the SSH HostKey Fingerprint file, which is typically located in a folder similar to "C:\ProgramData\IsolatedStorage\kdcnxtdayw.5td\ec0d232.fg5\StrongName.3c0asnsneg1t4jzcimp2tgtwajvdqmsza\AssemFiles\" on the JAMS Scheduler server. It is created after the first HostKey Fingerprint is defined.

It is possible to copy this HostKey.dat file to a similar directory on another JAMS Server or an HA node so that jobs will not fail initially during a failover event.

If the folder doesn't exist on the other server, you will need to create it by running a test job against a remote server first, which defines the folder and the initial HostKey.dat file.


Note: The JAMS SSH cipher suite is periodically updated when a new JAMS version is released.

The expected behavior is that the server will recognize the support for stronger encryption algorithms and send a new SSH fingerprint to JAMS.

Depending on how the SSH fingerprint behavior is configured, a failure may occur indicating that a new fingerprint has been stored.

