-
Improvement
-
Resolution: Won't Do
-
Major
-
None
We are trying to connect to a Git repository via SSH (not Github) using username/password (we're not using keys) and we're getting the following error:
Failed to connect to repository : Command "git ls-remote -h ssh://account@repository/path/toApplication HEAD" returned status code 128:
stdout:
stderr: Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
------------------
If we use the anonymous access or change the access type from SSH to HTTPS, it works fine, but we should be able to use the SSH with user/password without having to add the public/private keys.
Jenkins ver. 1.532.1
Git Client Plugin 1.6.4
Git Plugin 2.0.4
•How are you running Jenkins?
We are running Jenkins as a service in RHEL
•Have you specified additional parameters for the Java VM (Heapspace etc.)?
No
•Did you just install the deb or rpm?
We used the RPM jenkins-1.532.1-1.1.noarch.rpm
•With which Java VM (Oracle, IBM etc.)?
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
•On which operating system? 32- or 64-bit?
Linux version 2.6.32-358.23.2.el6.x86_64 (mockbuild@ca-build44.us.oracle.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) )
- duplicates
-
-
- Closed
-
- is duplicated by
-
-
- Closed
-
- is related to
-
JENKINS-22855 SSH Credential's username isn't used.
-
- Closed
-
-
-
- Closed
-
[JENKINS-22909] git plugin does not support username/password over ssh
The more I look at this report, the less confident I am that I understand what is requested.
I'm able to clone with a username / password credential without using public / private keys with the following steps:
- Configure a global username / password credential (through "Manage Credentials") with appropriate user name and password (no public key, no private key)
- Create a new freestyle job -
JENKINS-22909-username-password-credentials - Use git as the SCM for the job
- Use an ssh URL for the repository. I used ssh://mwaite@mark-pc1.markwaite.net/var/lib/git/mwaite/bin.git
- Use the previously defined username / password credential as the credential for that ssh URL
- Run the job, confirm it succeeds
I suspect that my clone succeeds through an accident in that case. The accident is that my jenkins user is likely allowed to access that repository as user mwaite through ssh by default. When I run in a "clean" environment, username/password authentication fails for an ssh protocol URL unless I also use a private key.
Are there more steps you're taking to show the problem?
Have you used a more recent git client plugin and a more recent git plugin?
Sabareesh SS
added a comment - I am also following the same steps. I tried all my best. My build failed and ended up with
"Failed to connect to repository : Command "C:\Program Files\Git\bin\git.exe -c core.askpass=true ls-remote -h ssh://git@localhost:7999/jen/jensh_empty.git HEAD" returned status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists."
Please help.
How can I fix this issue?
Sabareesh SS
added a comment - I am also following the same steps. I tried all my best. My build failed and ended up with
"Failed to connect to repository : Command "C:\Program Files\Git\bin\git.exe -c core.askpass=true ls-remote -h ssh://git@localhost:7999/jen/jensh_empty.git HEAD" returned status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists."
Please help.
How can I fix this issue? Sabareesh SS
added a comment - The issue is reproduced n number of times.
Tommi Pakarinen
added a comment - Still able to reproduce this with the latest available versions:
Jenkins ver. 1.644
Credentials Plugin 1.24
Git plugin 2.4.1
Git client plugin 1.19.1
I used RHEL 7.2 (x86_64) with openssh:
openssh.x86_64 6.6.1p1-23.el7_2
openssl.x86_64 1:1.0.1e-51.el7_2.2
Tommi Pakarinen
added a comment - Still able to reproduce this with the latest available versions:
Jenkins ver. 1.644
Credentials Plugin 1.24
Git plugin 2.4.1
Git client plugin 1.19.1
I used RHEL 7.2 (x86_64) with openssh:
openssh.x86_64 6.6.1p1-23.el7_2
openssl.x86_64 1:1.0.1e-51.el7_2.2 In all my recent tests of credentials, I've never seen a case where an ssh URL was able to authenticate with a user name and password. When using an ssh URL, the plugin seems to expect that you are using a private key for authentication, rather than user name and password.
Jim Klo
added a comment - I'm not sure if this is related, however it sound's very similar: https://issues.jenkins-ci.org/browse/JENKINS-24368?focusedCommentId=246537&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-246537
Jim Klo
added a comment - I'm not sure if this is related, however it sound's very similar: https://issues.jenkins-ci.org/browse/JENKINS-24368?focusedCommentId=246537&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-246537 jimklo I don't think they are related, since I believe they use different paths through the code for ssh based authentication and https based authentication. JENKINS-24368 is specific to https. (and seems to be specific to bitbucket) I can connect to a bitbucket repo with ssh, just not with https in certain configurations.
Jason Worick
added a comment - I do not want to sound pushy, but this issue was created since May 2014 and its now March 2016. Can someone that is responsible for resolving this bug give an indication as to when it will be resolved? Thanks!
Jason Worick
added a comment - I do not want to sound pushy, but this issue was created since May 2014 and its now March 2016. Can someone that is responsible for resolving this bug give an indication as to when it will be resolved? Thanks! jaswo I'm probably the only one that is close to "responsible for resolving this bug", so I'll give you my estimate. I don't know that it will be resolved any time within the next few years. A private key works quite well with ssh protocol, so I perceive there is a relatively simple work around to allow access to ssh protected git repositories.
I'm currently focused on other areas, like adding authenticated submodule access, and like processing the ~50 pull requests pending on the git plugin, and the ~5 pull requests pending on the git client plugin.
My first goal is to not regress functionality for the existing 70000+ installations of the plugin. I'd love to have additional help from others evaluating the pull requests, and submitting proposed improvements (fixes or features) with tests to support those additions. I'd also love to have additional automated tests for the existing features.
Attila Strba
added a comment - I have just encountered the same issue but happens only on Windows Slave if using SSH username thus credentialsID with the git plugin. On Linux Slave works, and as said it also works with ssh keys. So my workaround was to go with the ssh keys.
Attila Strba
added a comment - I have just encountered the same issue but happens only on Windows Slave if using SSH username thus credentialsID with the git plugin. On Linux Slave works, and as said it also works with ssh keys. So my workaround was to go with the ssh keys. 
Embedding the user name and password in the URL directly will expose your user name and password in the job definition and may expose it in the job log. If you'll enter a credential with that same user name and password, you can then reference that credential without having the user name or the password visible in the job definition or in the console log from the build.
I agree that the plugin should also accept the user name and password embedded in the URL, but it does not currently. The work around of entering the user name and password as a credential is workable, and is more secure.