JENKINS-50181

ssh-agent/ssh-credentials-plugin failing because ssh-add expects a newline in the keyfile


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • ssh-credentials-1.17.1

    Description

      Repro:

      • Add Credentials
          - set Kind to "SSH Username with private key"
          - tick "enter directly"
          - paste a password-less private key without a trailing newline
      • Attempt to use credentials (I used ssh-agent from a Jenkinsfile)
      • Observe that ssh-add will prompt for a passphrase in the logs and the ssh-add has failed.

      The relevant part of my logs looked like this:

      ```
      [Pipeline] sshagent
      [ssh-agent] Using credentials jenkins (Github SSH key)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
      $ ssh-agent
      SSH_AUTH_SOCK=/tmp/ssh-rEGjLSRTHULl/agent.3927
      SSH_AGENT_PID=3929
      [ssh-agent] started an agent
      $ ssh-add /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key
      Enter passphrase for /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key: [Pipeline] // sshagent
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // withEnv
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: Failed to run ssh-add
      Finished: FAILURE

      ```

      Adding the trailing newline to input in the web-ui resolves this issue. Adding multiple newlines didn't seem to have any adverse effect so Jenkins should probably just add a newline when it writes the keyfile.
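
The check and fix suggested in the description, as an added example (not code from the reporter or from either plugin): it tests whether a key file ends in a newline and appends one only when it is missing. The function names are hypothetical, and the key text used to exercise it is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example: make sure a private-key file ends with a newline before
# it is handed to ssh-add. Function names are hypothetical.

# Return 0 if the last byte of the file is a newline, 1 otherwise
# (an empty or missing file counts as "no trailing newline").
ends_with_newline() {
    [ -s "$1" ] || return 1
    # Inspect the final byte as hex so nothing is lost to shell
    # command-substitution trimming.
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Append a newline only when it is missing. Running this twice leaves
# the file unchanged the second time.
ensure_trailing_newline() {
    ends_with_newline "$1" && return 0
    printf '\n' >> "$1"
}

# Write key material from stdin to a new file that only the owner can
# read (umask 077 gives mode 0600), then normalise the ending.
write_key_file() {
    dest=$1
    ( umask 077 && cat > "$dest" ) || return 1
    ensure_trailing_newline "$dest"
}

# Typical use (paths are placeholders):
#   write_key_file "$tmpdir/private_key.key" < pasted_key_material
#   ssh-add "$tmpdir/private_key.key"
```
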

          Activity

            jvz Matt Sicker added a comment -

            Is that a separate issue? And can you reproduce this with a unit test? See the original PR for example.

            warden Radek Antoniuk added a comment - - edited

            OK, I debugged it a little and I think I know what the problem is:
            even though I modified the ssh-credentials plugin to save with a newline, it still didn't work for me.
            It turns out that the ssh-agent plugin that writes the private key to the file, strips it out of the newline. Then... ssh-add asks for a password. When I add a newline, it adds it to the agent fine. The question is now, what is stripping this newline... I'll continue to debug but any hints appreciated.

            terracota Terracota Pz added a comment -

            I'm having the same issue as initially described (it seems ssh-add prompts for passphrase and fails), but workaround of adding newline in credentials' key does not solve it.

            Versions:

            • Jenkins 2.190.3
            • "ssh agent" plugin 1.17
            • "ssh credentials" plugin 1.18

            Logs:

            ```
            [ssh-agent] Using credentials testcreds
            [ssh-agent] Looking for ssh-agent implementation...
            [ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
            $ ssh-agent
            SSH_AUTH_SOCK=/tmp/ssh-HmEucFexUrOg/agent.19128
            SSH_AGENT_PID=19129
            Running ssh-add (command line suppressed)
            Enter passphrase for /opt/jenkins/workspace/roduct-service-read-build_master@tmp/private_key_1675109103121607963.key: [Pipeline] // sshagent
            [Pipeline] }
            [Pipeline] // stage
            ```

            terracota Terracota Pz added a comment -

            UPDATE

            I'm not having the issue anymore, it was my fault: I was using github token as the private key when I created the "SSH Username with private key" credential. Instead, an RSA private key should be used (eg: as per https://help.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh ). With this, it works fine.

            snago Robin Karlsson added a comment -

            After upgrading to ssh-agent 1.21 we had a job hang at a git command.

            We terminated it after more than 30 minutes. Tried again and again with same result.

            After reverting to 1.20 it worked again.

            Versions:

            • Jenkins 2.280
            • ssh-agent 1.21
            • ssh-credentials 1.18.1

            Log:

            ```
            ...
            [Pipeline] sshagent
            15:27:55  [ssh-agent] Using credentials jenkins (jenkins ssh key)
            15:27:55  [ssh-agent] Looking for ssh-agent implementation...
            15:27:55  [ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
            15:27:55  $ docker exec bb2595d46378e3aa4279cba0a20d8e3026f79d84bc9d2f2b5b856bbfba3ab1f5 ssh-agent
            15:27:55  [ssh-agent]   Java/JNR ssh-agent
            15:27:55  [ssh-agent] Registered BouncyCastle on the remote agent
            15:27:55  [ssh-agent] Started.
            [Pipeline] {
            [Pipeline] sh
            15:27:55  + git ls-remote --heads origin
            ```

            People

              dnusbaum Devin Nusbaum
              liath John Jones
              Votes: 4
              Watchers: 12