Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-40217

Git plugin can't clone when SSH Agent is enabled with different credentials

      Hi, ...

      How to replicate:
      1. Create freestyle job
      2. Add git scm with SSH url and select ssh key for it
      3. Enable SSH Agent in Build Environment section and select different key for it

      Result:

      Cloning the remote Git repository
      Cloning repository ssh://git@stash:7999/cm/ansible.git
       > git init /opt/jenkins/workspace/ansible/cm-ansible-potiomkin-sync-34 # timeout=10
      Fetching upstream changes from ssh://git@stash:7999/cm/ansible.git
       > git --version # timeout=10
      using GIT_SSH to set credentials jenkins at stash ssh
       > git fetch --tags --progress ssh://git@stash:7999/cm/ansible.git +refs/heads/*:refs/remotes/origin/*
      ERROR: Error cloning remote repo 'origin'
      hudson.plugins.git.GitException: Command "git fetch --tags --progress ssh://git@stash:7999/cm/ansible.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: Repository not found
      The requested repository does not exist, or you do not have permission to access it.
      fatal: Could not read from remote repository.
      
      Please make sure you have the correct access rights
      

      Disabling SSH Agent fixes the problem.

      Adding two keys to ssh agent doesn't work as expected for me. It looks like only first ssh key is used/visible.

          [JENKINS-40217] Git plugin can't clone when SSH Agent is enabled with different credentials

          Jesse Glick added a comment -

          Maybe a flaw in one of the (almost-)pure-Java implementations. Try again with the native one coming up in 1.14.

          Jesse Glick added a comment - Maybe a flaw in one of the (almost-)pure-Java implementations. Try again with the native one coming up in 1.14.

          Jeff Geerling added a comment -

          I'm still having this issue on Jenkins 2.58 with the SSH Agent plugin version 1.15.

          Steps to reproduce:

          1. Add a Job with Git source code management
          2. Choose a deploy key for the Repository
          3. Save the job and build it
          4. Verify that the job clones the Repository correctly (SUCCESS)
          5. Configure the Job again
          6. Enable SSH Agent
          7. Add two keys in SSH Agent config—and set the deploy key used for Git as the second key
          8. Run the job again
          9. Now the job fails when attempting to connect to the SCM repo.

          I've also verified that if I set the SCM repo key as the first one used by the SSH Agent plugin, that git clone works.

          So I guess the bug is actually: Only the first key added to the SSH Agent seems to work in the Job build process.

          Jeff Geerling added a comment - I'm still having this issue on Jenkins 2.58 with the SSH Agent plugin version 1.15. Steps to reproduce: Add a Job with Git source code management Choose a deploy key for the Repository Save the job and build it Verify that the job clones the Repository correctly (SUCCESS) Configure the Job again Enable SSH Agent Add two keys in SSH Agent config—and set the deploy key used for Git as the second key Run the job again Now the job fails when attempting to connect to the SCM repo. I've also verified that if I set the SCM repo key as the first one used by the SSH Agent plugin, that git clone works. So I guess the bug is actually: Only the first key added to the SSH Agent seems to work in the Job build process.

          Jeff Geerling added a comment -

          As a workaround, I'm disabling the SSH Agent plugin for this job (since I need to use two different keys), and choosing the key for the SCM task, then as part of the build process, I've added:

          eval `ssh-agent -s`
          ssh-add /var/lib/jenkins/.ssh/private_key_here

          Jeff Geerling added a comment - As a workaround, I'm disabling the SSH Agent plugin for this job (since I need to use two different keys), and choosing the key for the SCM task, then as part of the build process, I've added: eval `ssh-agent -s` ssh-add / var /lib/jenkins/.ssh/private_key_here

          Jesse Glick added a comment -

          Not sure offhand. Jenkins is just running ssh-add so see what happens when you do the same things from the command line.

          Jesse Glick added a comment - Not sure offhand. Jenkins is just running ssh-add so see what happens when you do the same things from the command line.

          xianjun zhu added a comment -

          This sounds like `git-plugin` issue to me instead of `ssh-agent plugin` issue. Once explicitly specify a ssh key for the scm clone, `git-plugin` should use that key to clone the repo instead of using entries in `ssh-agent` environment.

          xianjun zhu added a comment - This sounds like `git-plugin` issue to me instead of `ssh-agent plugin` issue. Once explicitly specify a ssh key for the scm clone, `git-plugin` should use that key to clone the repo instead of using entries in `ssh-agent` environment.

          Jesse Glick added a comment -

          I suspect this is a dupe of JENKINS-30600.

          Jesse Glick added a comment - I suspect this is a dupe of  JENKINS-30600 .

            Unassigned Unassigned
            emdepl Maciej De
            Votes:
            4 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: