Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53877

sshagent + git checkout on local agent: ssh key not found

    XMLWordPrintable

Details

    Description

      sshagent + git checkout doesn't seem to work: the `SSH_AUTH_SOCK` env var disappears from the git process environment, and thus the ssh-agent is not available to ssh started by git...

       

      Scenario:

      • create a ssh key credentials `ssh-key`
      • create a pipeline job with Jenkinsfile:
        node {
            stage('Preparation') {
                sshagent (['my-ssh-key']) {
                    sh 'printenv'
                    sh 'ssh-add -l'
                    git 'git@github.com:foo/bar.git'
                }
            }
        }
        
      • run created job

      Expected result:
      ssh started by git finds the correct ssh key via the ssh agent.

      Actual Result:

      • git fetch fails : no valid ssh key found
      • `ssh-add -l` works though, and shows the key added by `sshagent`

      Other tests:

      • `checkout` scm instead of `git` command: same behavior: it fails to find the key
      • direct `sh 'ssh -vvv git@github.com'` works

      More digging:

      • configure a git wrapper as `git` tool in global jenkins config to observe what happens:
        #!/bin/bash                                                                                                           
        printenv >& /tmp/$$.git-env
        ssh-add -l >& /tmp/$$.git-ssh-add-list
        export GIT_TRACE=1
        export GIT_SSH_COMMAND="ssh -vvv" 
        git "${@}"
        
      • run job again

      Result:

      • `ssh-add -l` fails: "Could not open a connection to your authentication agent."
      • `printenv` shows `SSH_AUTH_SOCK` env var is not here, which explains why the ssh agent is not usable/used

      So the remaining question is: why is the `SSH_AUTH_SOCK` env var removed when executing git commands ?

      Attachments

        Issue Links

          Activity

            thomas_deepomatic Thomas Riccardi created issue -
            thomas_deepomatic Thomas Riccardi made changes -
            Field Original Value New Value
            Description sshagent + git checkout doesn't seem to work: the `SSH_AUTH_SOCK` env var disappears from the git process environment, and thus the ssh-agent is not available to ssh started by git...

             

            Scenario:
            - create a ssh key credentials `ssh-key`
            - create a pipeline job with Jenkinsfile:
            {code:groovy}
            node {
                stage('Preparation') {
                    sshagent (['']) {
                        sh 'printenv'
                        sh 'ssh-add -l'
                        git 'git@github.com:foo/bar.git'
                    }
                }
            }
            {code}
            - run created job

            Expected result:
            ssh started by git finds the correct ssh key via the ssh agent.

            Actual Result:
            - git fetch fails : no valid ssh key found
            - `ssh-add -l` works though, and shows the key added by `sshagent`

            Other tests:
            - `checkout` scm instead of `git` command: same behavior: it fails to find the key
            - direct `sh 'ssh -vvv git@github.com'` works

            More digging:
            - configure a git wrapper as `git` tool in global jenkins config to observe what happens:
            {code:bash}
            #!/bin/bash
            printenv >& /tmp/$$.git-env
            ssh-add -l >& /tmp/$$.git-ssh-add-list
            export GIT_TRACE=1
            export GIT_SSH_COMMAND="ssh -vvv"
            git "${@}"
            {code}
            - run job again

            Result:
            - `ssh-add -l` fails: "Could not open a connection to your authentication agent."
            - `printenv` shows `SSH_AUTH_SOCK` env var is *not* here, which explains why the ssh agent is not usable/used

            So the remaining question is: why is the `SSH_AUTH_SOCK` env var removed when executing git commands ?
            sshagent + git checkout doesn't seem to work: the `SSH_AUTH_SOCK` env var disappears from the git process environment, and thus the ssh-agent is not available to ssh started by git...

             

            Scenario:
            - create a ssh key credentials `ssh-key`
            - create a pipeline job with Jenkinsfile:
            {code:groovy}
            node {
                stage('Preparation') {
                    sshagent (['my-ssh-key']) {
                        sh 'printenv'
                        sh 'ssh-add -l'
                        git 'git@github.com:foo/bar.git'
                    }
                }
            }
            {code}
            - run created job

            Expected result:
            ssh started by git finds the correct ssh key via the ssh agent.

            Actual Result:
            - git fetch fails : no valid ssh key found
            - `ssh-add -l` works though, and shows the key added by `sshagent`

            Other tests:
            - `checkout` scm instead of `git` command: same behavior: it fails to find the key
            - direct `sh 'ssh -vvv git@github.com'` works

            More digging:
            - configure a git wrapper as `git` tool in global jenkins config to observe what happens:
            {code:bash}
            #!/bin/bash
            printenv >& /tmp/$$.git-env
            ssh-add -l >& /tmp/$$.git-ssh-add-list
            export GIT_TRACE=1
            export GIT_SSH_COMMAND="ssh -vvv"
            git "${@}"
            {code}
            - run job again

            Result:
            - `ssh-add -l` fails: "Could not open a connection to your authentication agent."
            - `printenv` shows `SSH_AUTH_SOCK` env var is *not* here, which explains why the ssh agent is not usable/used

            So the remaining question is: why is the `SSH_AUTH_SOCK` env var removed when executing git commands ?
            markewaite Mark Waite made changes -
            Assignee Mark Waite [ markewaite ]
            jglick Jesse Glick made changes -
            Link This issue duplicates JENKINS-30600 [ JENKINS-30600 ]
            jglick Jesse Glick made changes -
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Resolved [ 5 ]
            markewaite Mark Waite made changes -
            Status Resolved [ 5 ] Closed [ 6 ]

            People

              Unassigned Unassigned
              thomas_deepomatic Thomas Riccardi
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: