Harden Jenkins jobs 38/73738/1
authorCédric Ollivier <cedric.ollivier@orange.com>
Fri, 16 Dec 2022 14:07:09 +0000 (15:07 +0100)
committerCédric Ollivier <cedric.ollivier@orange.com>
Fri, 16 Dec 2022 14:07:09 +0000 (15:07 +0100)
It allows any ssh connection from Ubuntu 22.04 and
specifies the ssh user.

Change-Id: I660b88d5b1640f8057d4081226517abad94889db
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
jjb/global/releng-macros.yaml
jjb/releng/releng-release-create-branch.sh

index 031e240..ddf2a73 100644 (file)
               echo
               cat gerrit_comment.txt
               echo
-              ssh -p 29418 gerrit.opnfv.org \
+              ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' \
+                  -p 29418 jenkins-ci@gerrit.opnfv.org \
                   "gerrit review -p $GERRIT_PROJECT \
                    -m '$(cat gerrit_comment.txt)' \
                    $GERRIT_PATCHSET_REVISION \
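Review bot: The added `-o 'PubkeyAcceptedKeyTypes +ssh-rsa'` re-enables the SHA-1-based `ssh-rsa` signature algorithm that recent OpenSSH clients disable by default, so it is a compatibility exception that loosens the client rather than a hardening step. The same option is added to the second ssh call in this file and to `run_merge` in releng-release-create-branch.sh. I would put a comment above each call, for example `# TODO: drop +ssh-rsa once gerrit.opnfv.org accepts rsa-sha2-* or the jenkins-ci key is rotated to ed25519`, so the exception is removed when the server side allows it (that the server lacks rsa-sha2-* is inferred from the commit message). `PubkeyAcceptedKeyTypes` is also the legacy spelling: OpenSSH 8.5 and later name it `PubkeyAcceptedAlgorithms` and keep the old name as an alias. Setting it once for this host in the build user's ssh config would keep the exception in one place instead of three command lines.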
               msg="Found syntax error and/or coding style violation(s) in the files modified by your patchset."
               sed -i -e "1s#^#${msg}\n\n#" violation.log
               cmd="gerrit review -p $GERRIT_PROJECT -m \"$(cat violation.log)\" $GERRIT_PATCHSET_REVISION --notify NONE"
-              ssh -p 29418 gerrit.opnfv.org "$cmd"
+              ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -p 29418 jenkins-ci@gerrit.opnfv.org "$cmd"
 
               # Make sure the caller job failed
               exit 1
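Review bot: The rewritten ssh call still sends `$cmd`, in which the whole of violation.log is spliced between double quotes, and that text appears to be derived from the files in the submitted patchset (inferred from the `msg` wording). A quote character in the log ends the `-m` argument early, and Gerrit then parses the remainder as further `gerrit review` arguments, now under the jenkins-ci account named explicitly on this line. Consider passing the message out of band with `gerrit review --json`, which reads the review input from stdin, or at least strip quote characters and backslashes from violation.log before building `cmd`. The first hunk has the same pattern with `-m '$(cat gerrit_comment.txt)'`; the enclosing shell step starts and ends outside both hunks.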
index bbb9257..917a4c7 100644 (file)
@@ -44,7 +44,7 @@ fi
 run_merge(){
 unset NEW_FILES
 if [[ $REF_EXISTS = true && "$JOB_NAME" =~ "merge" ]]; then
-  ssh -n -f -p 29418 gerrit.opnfv.org gerrit create-branch "$repo" "$branch" "$ref"
+  ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -n -f -p 29418 jenkins-ci@gerrit.opnfv.org gerrit create-branch "$repo" "$branch" "$ref"
   python3 releases/scripts/create_jobs.py -f $release_file
   NEW_FILES=$(git status --porcelain --untracked=no | cut -c4-)
 fi
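Review bot: The changed line keeps `-n -f`, which puts ssh in the background before the remote command runs, so `run_merge` goes on to create_jobs.py without knowing whether `gerrit create-branch` succeeded. A rejected request, for example missing create-branch permission for the jenkins-ci account now named here, would pass unnoticed. Dropping `-f` and checking the status, e.g. `ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -n -p 29418 jenkins-ci@gerrit.opnfv.org gerrit create-branch "$repo" "$branch" "$ref" || exit 1`, would surface it; whether the script already runs under `set -e` is not visible here. run_merge's body continues past the end of the hunk.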