SSH Credentials (private key with passphrase) do not work

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: git-client-plugin

      Am I doing something wrong, or is this not something that is supported?

      When I try to add a Git SCM using SSH credentials, it fails with the following error (see SCMError.png):

      	
      Failed to connect to repository : Command "ls-remote -h git@github.com:AppDirect/StandingCloud.git HEAD" returned status code 128:
      stdout: 
      stderr: Permission denied (publickey). 
      fatal: The remote end hung up unexpectedly
      

      I've configured the private key properly (as far as I know anyway)... See PrivateKeyConfiguration.png

      I've also tried the same configuration under a credential domain in case git was hung with a message like this (See CredentialDomain.png):

      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)?
      

      I've tested and the private key that I am using does have access:

      [root@jenkins ~]# ssh -T -i /dev/shm/id_rsa git@github.com
      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts.
      Enter passphrase for key '/dev/shm/id_rsa': 
      Hi nshenry03! You've successfully authenticated, but GitHub does not provide shell access.
      

      As a workaround I can add/create a key as the jenkins user; however, it would be great if I could use the SSH Credentials plugin so that the key is backed up and restored if I move to a new Jenkins server.

          [JENKINS-20879] SSH Credentials (private key with passphrase) do not work

          Mark Waite added a comment -

          harel_e thanks for the report. It is quite valuable to know which passphrase characters have shown problems for users. I've included a passphrase with a $ sign in my test data creation script. I'll include that in the verification of any changes to the passphrase support in the git plugin and the git client plugin.


          Michael Konečný added a comment -

          For me, the passphrase only contained lowercase alphabetical characters, but still didn't work.

          Stephen Connolly added a comment -

          markewaite Have you made any progress on not sending Credentials instances over to remote agents?

          https://github.com/jenkinsci/git-plugin/blob/master/src/main/java/hudson/plugins/git/GitSCM.java#L736

          Mark Waite added a comment -

          stephenconnolly I have not made any progress on JENKINS-37899 or not sending credentials instances to remote agents. I'm unlikely to make any short term progress on it because I want to resolve the authentication failures in git plugin 3.0 (JENKINS-38138, JENKINS-38179, JENKINS-38194) and the submodule failures in git plugin 3.0 (JENKINS-37495).


          Sergey Serebryakov added a comment -

          Tip: if running Jenkins inside of Docker container, don't provide -it flags, otherwise Jenkins will think it's run from a terminal and start asking for passphrase instead of using the one provided in Credentials settings.

          Mark Waite added a comment -

          That's a good suggestion, though I really intend that the plugin will never prompt for a passphrase, whether run with a controlling terminal or not.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Mark Waite
          Path:
          pom.xml
          src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
          http://jenkins-ci.org/commit/git-client-plugin/882ecdfb53d627eeeea130720685681ce2553193
          Log:
          Optionally detach ssh authenticated git calls from terminal

          When I run CredentialsTest from my terminal window on Ubuntu 16.04, the
          test fails for ssh keys which need a passphrase. If I run the tests
          from my IDE, or if I prepend "setsid" to the maven command that runs
          the tests, the tests pass.

          The ssh command called by git seems to require the DISPLAY variable, and
          the GIT_SSH variable, and must be detached from the controlling terminal.
          If any one of those is missing (at least on Ubuntu 16), the passphrase
          prompt will not be answered.

          Command line maven builds now include the property:

          org.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true

          Default runtime value of the property is false. Users will not run
          with this change unless they specifically set that property to true.
          Most users don't run Jenkins with a controlling terminal attached,
          so they don't need the change.

          Sets useSETSID=true in surefire target so that command line invocations
          of the tests will prefix the "git" command with setsid when it is used
          in an ssh private key context.

          Allows command line run of CredentialsTest with passphrase protected
          private keys.

          Setting BatchMode=yes in the ssh command does not have the same result.
          The setsid call was the only technique I found that reliably allowed
          the ssh call performed by command line git to consistently process the
          script defined in the SSH_ASKPASS variable.

          See JENKINS-20879 and JENKINS-25194 for more details.
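
The mechanism the commit message above describes, as an added example that is not part of the original issue or the git client plugin's code: a POSIX shell wrapper that sets DISPLAY, SSH_ASKPASS and GIT_SSH, and prefixes setsid only when a controlling terminal is attached (the situation the Docker -it tip runs into). The names KEY_FILE and KEY_PASSPHRASE and the helper file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (constructed); not code from the git client plugin.
# KEY_FILE, KEY_PASSPHRASE and the helper file names are assumptions.

# has_ctty: succeeds while this process still has a controlling terminal.
has_ctty() { ( : < /dev/tty ) 2>/dev/null; }

# detach_prefix: prints "setsid" when a terminal is attached and setsid is
# installed; prints nothing when there is no terminal to detach from.
detach_prefix() {
    if has_ctty && command -v setsid >/dev/null 2>&1; then
        echo setsid
    fi
}

# write_helpers DIR: askpass.sh prints $KEY_PASSPHRASE verbatim, so a
# passphrase containing '$' is never re-parsed by a shell; ssh.sh pins
# the key. Host key checking is left at the ssh default.
write_helpers() {
    (
        umask 077
        printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$KEY_PASSPHRASE"' \
            > "$1/askpass.sh"
        printf '%s\n' '#!/bin/sh' \
            'exec ssh -i "$KEY_FILE" -o IdentitiesOnly=yes "$@"' \
            > "$1/ssh.sh"
    ) && chmod 700 "$1/askpass.sh" "$1/ssh.sh"
}

# git_with_key KEYFILE GIT-ARGS...: passphrase comes from $KEY_PASSPHRASE.
git_with_key() {
    KEY_FILE=$1; shift
    dir=$(mktemp -d) || return 1
    write_helpers "$dir" || { rm -rf "$dir"; return 1; }
    set -- git "$@"
    prefix=$(detach_prefix)
    [ -z "$prefix" ] || set -- "$prefix" "$@"
    # ssh runs SSH_ASKPASS only when DISPLAY is set and it has no terminal.
    KEY_FILE=$KEY_FILE KEY_PASSPHRASE=${KEY_PASSPHRASE:-} \
        DISPLAY=${DISPLAY:-:0} SSH_ASKPASS=$dir/askpass.sh \
        GIT_SSH=$dir/ssh.sh "$@"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Usage: KEY_PASSPHRASE=... sh git-with-key.sh KEYFILE ls-remote URL HEAD
if [ "$#" -ge 2 ]; then git_with_key "$@"; fi
```

The remote host key must already be in known_hosts, otherwise ssh stops at the host authenticity prompt shown in the issue description.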


          Mark Waite added a comment - - edited

          Git client plugin 2.5.0 (released 27 Jul 2017) added support for setsid in the /usr/local directory tree, since that seems to be where it is stored on MacOS.


          Allan BURDAJEWICZ added a comment -

          markewaite I think you meant git-client 2.5.0?

          Mark Waite added a comment -

          You're correct allan_burdajewicz, I should have said "git client plugin". The git plugin release 2.5.0 was already a year old by the time git client plugin 2.5.0 was released.


            Assignee: Unassigned
            Reporter: Nick Henry (nshenry03)
            Votes: 20
            Watchers: 35