  1. Jenkins
  2. JENKINS-48413

Hosts unreachable when using a private key with passphrase provided using the Credentials plugin


    • Bug
    • Resolution: Unresolved
    • Blocker
    • ansible-plugin
    • None
    • Debian Jessie
      OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
      jenkins 2.73.3 (stable)
      with plugin ansible 0.6.2
      and plugin credentials 2.1.16
      ansible-playbook 2.4.2.0

      TL;DR: it seems the ansible plugin does not get/provide the passphrase correctly from/to the credentials plugin.

      See also: JENKINS-20879

      When I run a job with an Ansible build task that uses a private key with a passphrase provided by the Credentials plugin, the playbook hangs.

       

      When I add the

      --ssh-extra-args="-o BatchMode=yes"

      option to the build, Ansible fails quickly, and hosts are unreachable. That indicates to me that SSH is prompting for the passphrase of my private key. As the Jenkins job is not interactive, it hangs without the option.

       

      I have also tested the following:

      • the playbook's execution is OK using the passphraseless key
      • I can reach the hosts using a manual SSH command with the passphrase-enabled key, after being prompted for the passphrase by SSH
      • the passphrase stored by the Credentials plugin seems fine: during some tests I could see a temporary .sh file generated in the $CATALINA_HOME/temp folder of Jenkins/Tomcat, that contains the passphrase in clear-text, and is used to generate a temporary PEM file (.key) containing the deciphered key

      All in all it seems the only remaining explanation is that there is a bug in the implementation of the Ansible plugin.

      The following SSH debug output is generated by Ansible with the options:

       --ssh-extra-args="-o BatchMode=yes"

      and

      -vvvvv

       

      debug1: Next authentication method: publickey
      debug1: Trying private key: /usr/local/tomcat/temp/ssh1471148055772625127.key
      debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
      debug2: we did not send a packet, disable method
      debug1: No more authentication methods to try.
       Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

      But, as I understand the SSH message "incorrect passphrase supplied to decrypt private key", it can also mean the PEM file is corrupted. And in fact, when I can see the file, it is empty (0 bytes).

            sirot Jean-Christophe Sirot
            bardelotnzl Noël Bardelot
            Votes: 2
            Watchers: 5

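The SSH error quoted in the report reads the same whether the temporary key file is empty or still encrypted. As an added example (not part of the original report and not the Ansible plugin's code), this Python pre-flight check classifies a key file's bytes before Ansible runs with BatchMode; the function names and sample keys are constructed for illustration.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_private_key(data: bytes) -> str:
    """Return 'empty', 'encrypted', 'unencrypted' or 'unrecognized'."""
    if not data.strip():
        return "empty"  # e.g. the 0-byte temporary .key file in the report
    m = PEM_RE.search(data.decode("ascii", errors="replace"))
    if not m:
        return "unrecognized"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, always encrypted
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic string, then a length-prefixed cipher name
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "unrecognized"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unrecognized"
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unrecognized"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):  # legacy PEM: Proc-Type header marks encryption
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"
    return "unrecognized"

def _openssh_sample(cipher: bytes) -> bytes:
    """Constructed header-only openssh-key-v1 blob (not a usable key)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()

# Constructed samples; the key bodies are placeholders, not real key material.
SAMPLES = {
    "empty temp file": b"",
    "legacy PEM, encrypted": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "legacy PEM, plain": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "openssh, encrypted": _openssh_sample(b"aes256-ctr"),
    "openssh, plain": _openssh_sample(b"none"),
}
```

Any result other than `unencrypted` for the temporary key file means a BatchMode run cannot authenticate with it, and the result says which of the two failure causes applies.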