
I have a Bitbucket deployment pipeline which uses the wagon-maven-plugin to copy a file on a server. This fails with:

Are you sure you want to continue connecting? (yes/no): The authenticity of host 'www.rpgframework.de' can't be established. RSA key fingerprint is c9:aa:d7:4e:bd:de:2b:59:be:5e:b9:48:4d:80:b8:a2.

I've found instructions on how to add a known host in Bitbucket, but the problem is that Bitbucket detects a different key than the one above.

bash-5.0$ ssh-keygen -E md5 -lf <(ssh-keyscan  myhost.de  2>/dev/null)
2048 MD5:c9:aa:d7:4e:bd:de:2b:59:be:5e:b9:48:4d:80:b8:a2 myhost.de (RSA)
256 MD5:dd:63:d4:e9:6b:25:64:2b:24:df:36:f3:d9:36:60:64 myhost.de (ECDSA)
256 MD5:e8:5a:1d:35:5c:86:ad:a2:55:9f:fb:93:e2:6a:26:ce myhost.de (ED25519)

So it seems to me that Bitbucket detects only the ECDSA key, while the Maven Wagon plugin uses RSA.

Any ideas how to work around this?

taranion

1 Answer


Apparently the sequence in which ssh-keyscan will return the host's keys is random and varies whenever ssh-keyscan is run. Bitbucket, however, when it fetches the host's key when you add it under Repository Settings > Pipelines > SSH Keys, will use the first key it gets.

Try clicking on "fetch" multiple times with the same hostname - the fingerprint you'll get will switch through the available keys.

Repeat it until the fingerprint corresponding to the RSA key appears.

At least that's how it worked for me.

ronin667
  • Thank you for your response. I switched to the maven-antrun-plugin + scp in the meantime. But I just tested your proposal and I do indeed get 3 different host keys. Which I admit I don't understand - the target system is a single host - how can there be variations in the result? – taranion Jul 08 '20 at 19:45
  • @taranion A host may have multiple keys for multiple encryption standards; which and how many keys are generated is probably defined in openssh's post-install script. It may create e.g. one RSA key, one ECDSA key, and one ED25519 key, as in your example above, upon installation. The sequence in which ssh-keyscan retrieves these keys is apparently random. – ronin667 Jul 24 '20 at 19:47
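
Added example, not part of the question or answer above: instead of depending on the order in which keys come back, select the key by algorithm and accept it only when its MD5 fingerprint equals the expected one. The function names and the sample blobs are constructed for illustration; with a live host the input would be ssh-keyscan output.

```bash
# md5_fingerprint BASE64_BLOB
# Prints the colon-separated MD5 of the decoded key blob, the value
# `ssh-keygen -E md5 -l` shows after "MD5:".
md5_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# select_host_key KEYTYPE EXPECTED_FP   (scan output on stdin)
# Prints the "host keytype blob" line of the requested algorithm if its
# fingerprint matches; returns 1 if that algorithm is absent or differs.
select_host_key() {
    local want_type="$1" want_fp="$2" host ktype blob rest
    while read -r host ktype blob rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac     # blank or comment line
        [ "$ktype" = "$want_type" ] || continue     # some other algorithm
        if [ "$(md5_fingerprint "$blob")" = "$want_fp" ]; then
            printf '%s %s %s\n' "$host" "$ktype" "$blob"
            return 0
        fi
        return 1    # right algorithm, wrong fingerprint: do not pin it
    done
    return 1
}

# Constructed sample in ssh-keyscan line format. The blobs are placeholders,
# not real keys, and ECDSA is listed first on purpose.
sample_scan() {
    printf 'myhost.de ecdsa-sha2-nistp256 %s\n' "$(printf 'constructed-ecdsa-blob' | base64)"
    printf 'myhost.de ssh-rsa %s\n' "$(printf 'constructed-rsa-blob' | base64)"
    printf 'myhost.de ssh-ed25519 %s\n' "$(printf 'constructed-ed25519-blob' | base64)"
}

# Demo: the expected fingerprint is derived from the constructed RSA blob;
# for a real host it is the fingerprint the failing client printed.
expected=$(md5_fingerprint "$(printf 'constructed-rsa-blob' | base64)")
sample_scan | select_host_key ssh-rsa "$expected"
```

Against a real host, feed the function from `ssh-keyscan -t rsa myhost.de 2>/dev/null`, which asks only for the RSA key. The scan itself is unauthenticated, so the expected fingerprint should come from a source you trust, such as the server's own console.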