SSH Credentials (private key with passphrase) do not work

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: git-client-plugin

      Am I doing something wrong, or is this not something that is supported?

      When I try to add a Git SCM using SSH credentials, it fails with the following error (see SCMError.png):

      	
      Failed to connect to repository : Command "ls-remote -h git@github.com:AppDirect/StandingCloud.git HEAD" returned status code 128:
      stdout: 
      stderr: Permission denied (publickey). 
      fatal: The remote end hung up unexpectedly
      

      I've configured the private key properly (as far as I know anyway)... See PrivateKeyConfiguration.png

      I've also tried the same configuration under a credential domain in case git was hung with a message like this (See CredentialDomain.png):

      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)?
      

      I've tested and the private key that I am using does have access:

      [root@jenkins ~]# ssh -T -i /dev/shm/id_rsa git@github.com
      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts.
      Enter passphrase for key '/dev/shm/id_rsa': 
      Hi nshenry03! You've successfully authenticated, but GitHub does not provide shell access.
      

      As a workaround I can add/create a key as the jenkins user; however, it would be great if I could use the SSH Credentials plugin so that the key is backed up and restored if I move to a new Jenkins server.

        1. CredentialsConfig-fileOnJenkins.png
          26 kB
          Alberto Gallardo
        2. CredentialDomain.png
          14 kB
          Nick Henry
        3. PrivateKeyConfiguration.png
          24 kB
          Nick Henry
        4. SCMError.png
          43 kB
          Nick Henry

          [JENKINS-20879] SSH Credentials (private key with passphrase) do not work

          Nick Henry created issue -

          Richard van der Hoff added a comment -

          My impression is that the git plugin doesn't work with ssh keys which have a non-empty passphrase. Can you confirm if it works ok on a key with an empty passphrase?

          Damien Nozay made changes -
          Summary Original: SSH Credentials do not work to connect to private GitHub repository New: SSH Credentials (private key with passphrase) do not work

          Damien Nozay added a comment -

          The issue is not limited to private GitHub repositories.
          I have confirmed on my system that a non-empty passphrase is the issue.

          Damien Nozay added a comment -

          /var/log/secure when attempting to use credentials that have a passphrase
          Feb 25 11:16:57 git sshd[32273]: Failed password for jenkins from X.X.X.X port 57524 ssh2
          Feb 25 11:16:57 git sshd[32273]: Failed password for jenkins from X.X.X.X port 57524 ssh2
          Feb 25 11:16:57 git sshd[32274]: Connection closed by X.X.X.X

          /var/log/secure when attempting to use credentials that do not have a passphrase
          Feb 25 11:17:00 git sshd[32276]: Accepted publickey for jenkins from X.X.X.X port 57526 ssh2
          Feb 25 11:17:00 git sshd[32276]: pam_unix(sshd:session): session opened for user jenkins by (uid=0)
          Feb 25 11:17:00 git sshd[32279]: Received disconnect from X.X.X.X: 11: disconnected by user
          Feb 25 11:17:00 git sshd[32276]: pam_unix(sshd:session): session closed for user jenkins
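
An added triage example, not part of the original issue or any commenter's code: it groups sshd authentication events like those in the /var/log/secure excerpts above by connection and flags connections where only password attempts failed and no public key was accepted. The regex, the function names and the 192.0.2.10 address (standing in for the redacted X.X.X.X) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the comment above, with the
# redacted X.X.X.X replaced by a documentation address (assumption).
SAMPLE_LOG = """\
Feb 25 11:16:57 git sshd[32273]: Failed password for jenkins from 192.0.2.10 port 57524 ssh2
Feb 25 11:16:57 git sshd[32273]: Failed password for jenkins from 192.0.2.10 port 57524 ssh2
Feb 25 11:16:57 git sshd[32274]: Connection closed by 192.0.2.10
Feb 25 11:17:00 git sshd[32276]: Accepted publickey for jenkins from 192.0.2.10 port 57526 ssh2
Feb 25 11:17:00 git sshd[32276]: pam_unix(sshd:session): session opened for user jenkins by (uid=0)
Feb 25 11:17:00 git sshd[32279]: Received disconnect from 192.0.2.10: 11: disconnected by user
Feb 25 11:17:00 git sshd[32276]: pam_unix(sshd:session): session closed for user jenkins
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def summarize_connections(log_text):
    """Group auth events by (user, source, port), i.e. one client connection."""
    conns = defaultdict(lambda: {"accepted": [], "failed": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue  # session open/close and disconnect lines carry no auth result
        key = (m["user"], m["src"], int(m["port"]))
        conns[key][m["result"].lower()].append(m["method"])
    return dict(conns)

def key_not_used(conn):
    """True when nothing was accepted and every failure was a password attempt."""
    return not conn["accepted"] and set(conn["failed"]) == {"password"}

def report(log_text):
    rows = []
    for (user, _src, port), conn in sorted(summarize_connections(log_text).items()):
        if key_not_used(conn):
            verdict = "password fallback, key never accepted"
        elif "publickey" in conn["accepted"]:
            verdict = "publickey accepted"
        else:
            verdict = "other"
        rows.append((user, port, verdict))
    return rows

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```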

          Mark Waite added a comment -

          Does the credentials plugin support ssh credentials which use a passphrase? I don't recall ever seeing any location to enter the passphrase, so I assumed there was no support in Jenkins overall for ssh credentials with passphrases.

          Simon Fawkes added a comment -

          Is anyone planning on fixing this issue soon?

          Mark Waite added a comment -

          I don't think there is any plan to support ssh keys which require a passphrase. You'll need to use an ssh key which does not require a passphrase.

          I can confirm that ssh keys without a passphrase work very well both to GitHub and to other ssh repositories (like Debian Linux).

          tfnico added a comment -

          Private key in the text field works fine for me, both with and without passphrase.

          Mark Waite added a comment - - edited

          tfnico Could you explain further how you configure Jenkins to allow a private key with a passphrase to work with the git plugin?

          You said that "Private key in the text field works fine for me, both with and without passphrase", yet when I've added a credential to Jenkins using a private key which requires a passphrase, even if I enter the passphrase, I'm not able to use that private key based credential from the git plugin to checkout a repository whose access is controlled by that private key.

          The steps I took in my failed attempt included:

          1. Create a new user named "private" on my Debian Linux 7.5 (Wheezy)
            $ sudo useradd private
          2. Use ssh-keygen to define a passphrase protected ssh key for that user
            $ sudo su - private
            $ ssh-keygen
          3. Configure git for the "private" user
            $ git config --global user.name "Private User"
            $ git config --global user.email mwaite@wheezy64b
          4. Create a git repository in the .ssh directory
            $ cd .ssh
            $ git init
            $ git add .
            $ git commit -m "First checkin"
          5. Create a bare git repository copy of that .ssh directory
            $ cd ~
            $ git clone --bare .ssh ssh.git
          6. Configure bare repository as "origin" of .ssh repo
            $ cd ~/.ssh
            $ git remote add origin ../ssh.git
            $ git branch --set-upstream master origin/
          7. Allow user "private" to login without password prompt if agent provides key
            $ cd ~/.ssh
            $ cp id_rsa.pub authorized_keys
          8. Confirm user "private" can login without password prompt
            $ eval $(ssh-agent)
            $ ssh-add
            $ ssh wheezy64b ls .ssh
          9. Confirm user "private" can clone ssh repo without password prompt
            $ git clone ssh://localhost/~private/ssh.git tmp
          10. Add private key from the user "private" to Jenkins as credential, including the passphrase in "Advanced"
          11. Define a job which uses that credential
          12. Confirm that "git ls-remote" fails to connect during job definition
          13. Confirm that the job fails with message that credentials were not correct

            Assignee: Unassigned
            Reporter: Nick Henry (nshenry03)