Status: Closed (View Workflow)
I have been unable to get CliGitAPIImpl to work with a private key with passphrase on a Linux slave to connect to a nonpublic Git repository. (Selecting the option to load from the default location, ~/.ssh/id_dsa.) I always get
Permission denied (publickey).
I verified that GIT_SSH and SSH_ASKPASS are being set and that the files they point to have the expected contents (by patching the plugin to not delete these files in its finally block). Indeed when I log in to the slave, set these variables to the same files, and run git clone <repo>, it works fine.
If I set the job to use JGit rather than CLI git, it also works fine, so I do not think I am just using the wrong credentials.
I also tested with a private key (specific file on master) with no passphrase. This worked fine (with both JGit and CLI).
I thought one explanation was that ssh thought it was running from a terminal (even though it should not be) and so ignored SSH_ASKPASS. Indeed to interactively verify the GIT_SSH / SSH_ASKPASS combination you have to prefix the git command with setsid if you want the passphrase script to be consulted. But I see the same problem even when I patch the plugin to prefix all git commands with setsid.
So https://github.com/jenkinsci/git-client-plugin/commit/4b4d59d29894ac6eccab969561d2df5207a88f60 is not working for me, for unknown reasons. Whether or not it is working for others, I would suggest a simplifying change to CliGitAPIImpl: rather than relying on SSH_ASKPASS, decrypt the private key in Java code (I think there is code for this in one of the libraries available to this plugin) and save that to the keyfile.
Note that GitPluginTest in acceptance-test-harness does not seem to test passphrases. (Nor does it test private keys that are not entered directly but loaded from a file on master, another important use case.)
JENKINS-20879 SSH Credentials (private key with passphrase) do not work
- is duplicated by
JENKINS-53134 Git checkout fails when using an SSH key with a passphrase
Code changed in jenkins
User: Mark Waite
Optionally detach ssh authenticated git calls from terminal
When I run CredentialsTest from my terminal window on Ubuntu 16.04, the
test fails for ssh keys which need a passphrase. If I run the tests
from my IDE, or if I prepend "setsid" to the maven command that runs
the tests, the tests pass.
The ssh command called by git seems to require the DISPLAY variable, and
the GIT_SSH variable, and must be detached from the controlling terminal.
If any one of those is missing (at least on Ubuntu 16), the passphrase
prompt will not be answered.
Command line maven builds now include the property:
Default runtime value of the property is false. Users will not run
with this change unless they specifically set that property to true.
Most users don't run Jenkins with a controlling terminal attached,
so they don't need the change.
Sets useSETSID=true in surefire target so that command line invocations
of the tests will prefix the "git" command with setsid when it is used
in an ssh private key context.
Allows command line run of CredentialsTest with passphrase protected
Setting BatchMode=yes in the ssh command does not have the same result.
The setsid call was the only technique I found that reliably allowed
the ssh call performed by command line git to consistently process the
script defined in the SSH_ASKPASS variable.
JENKINS-20879 and JENKINS-25194 for more details.