-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
- Jenkins 2.277.3
- SSH Pipeline Steps 2.0.0
Using an ed25519 key, or one generated with OpenSSH 7.8+ fails:
invalid privatekey: [B@39b54f70
According to this discussion, it comes from JSch not supporting OpenSSH 7.8 and newer keys – incl. ed25519.
Minimal example:
def remote = [:] remote.name = "example-host-name" remote.host = remote.name remote.allowAnyHosts = true withCredentials([sshUserPrivateKey(credentialsId: 'example-key', keyFileVariable: 'identity', passphraseVariable: 'identityPass', usernameVariable: 'userName')]) { remote.user = userName remote.identityFile = identity remote.passphrase = identityPass sshCommand(remote: remote, command: "ls -l") }
Exception:
com.jcraft.jsch.JSchException: invalid privatekey: [B@39b54f70 at com.jcraft.jsch.KeyPair.load(KeyPair.java:664) at com.jcraft.jsch.KeyPair.load(KeyPair.java:561) at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40) at com.jcraft.jsch.JSch.addIdentity(JSch.java:406) at com.jcraft.jsch.JSch.addIdentity(JSch.java:387) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [...]
Workaround
Use RSA key of the old format instead (generate with -m pem).
- relates to
-
-
- Closed
-
- links to
[JENKINS-65533] New OpenSSH format and ed25519 keys not supported
ethorsa
added a comment - I'd suggest dropping the plugin instead of using outdated formats (at least that's what I have done).
ethorsa
added a comment - I'd suggest dropping the plugin instead of using outdated formats (at least that's what I have done). 
Justin
added a comment - If I'm following the code flow correctly, SSH Steps uses Groovy SSH, which in turn uses JSch (hence the JSch error). It looks like starting with Groovy SSH 2.11 (released Jan 2023), they switched over to the popular fork of JSch by mwiede. Without doing any testing myself and not knowing the ins and outs of this plugin and Groovy SSH, it sounds like this problem could be fixed by updating the plugin to build using this newer release.
For reference, the pull request is here: https://github.com/int128/groovy-ssh/pull/294
Justin
added a comment - If I'm following the code flow correctly, SSH Steps uses Groovy SSH, which in turn uses JSch (hence the JSch error). It looks like starting with Groovy SSH 2.11 (released Jan 2023), they switched over to the popular fork of JSch by mwiede. Without doing any testing myself and not knowing the ins and outs of this plugin and Groovy SSH, it sounds like this problem could be fixed by updating the plugin to build using this newer release.
For reference, the pull request is here: https://github.com/int128/groovy-ssh/pull/294 ^^ This. It seems it's just a version bump that dependabot has also already proposed:
https://github.com/jenkinsci/ssh-steps-plugin/pull/91
It looks like that build is failing for other dependency related reasons. If we could get some attention on this, that would be super helpful.
Good afternoon. Any chance of releasing a new version of ssh-steps-plugin anytime soon with the new groovy-ssh version enabled or use jsch instead (look at https://github.com/jenkinsci/ssh-steps-plugin/pull/101)?
Eugeny Romanchenko
added a comment - - edited Good afternoon. Any chance of releasing a new version of ssh-steps-plugin anytime soon with the new groovy-ssh version enabled or use jsch instead (look at https://github.com/jenkinsci/ssh-steps-plugin/pull/101)? 
Frederic
added a comment - I still have issues with it the current release.
With the pipeline below I get the following error message "Auth fail for methods 'publickey,password'"
def remote = [:]
remote.name = 'Customer'
remote.host = 'theIP'
remote.port = 22
remote.allowAnyHosts = truenode {
sh 'java --version'
withCredentials([sshUserPrivateKey(credentialsId: 'ecs-customer-live',
keyFileVariable: 'KEYFILE',
passphraseVariable: 'PASSPHRASE',
usernameVariable: 'USERNAME')]) {
remote.user = USERNAME
remote.identityFile = KEYFILE
stage("SSH") {
sshCommand remote: remote,
command: "ls -l"
}
}
}
The Private Key is correct because when I use
sh 'ssh -i ${KEYFILE} root@theIP "ls -l"'
I can successfully connect to the server.
Both use the same private key created with ed25519
According to the Pull request, the new version of JSCH is being used so I don't really understand where the problem is coming from. According to some JSCH documentation being able to use ed25519 requires Java 15 but I tested it with Java 17 and 21 without any change in the error or behaviour.
Frederic
added a comment - I still have issues with it the current release.
With the pipeline below I get the following error message "Auth fail for methods 'publickey,password'"
def remote = [:]
remote.name = 'Customer'
remote.host = 'theIP'
remote.port = 22
remote.allowAnyHosts = truenode {
sh 'java --version'
withCredentials([sshUserPrivateKey(credentialsId: 'ecs-customer-live',
keyFileVariable: 'KEYFILE',
passphraseVariable: 'PASSPHRASE',
usernameVariable: 'USERNAME')]) {
remote.user = USERNAME
remote.identityFile = KEYFILE
stage("SSH") {
sshCommand remote: remote,
command: "ls -l"
}
}
}
The Private Key is correct because when I use
sh 'ssh -i ${KEYFILE} root@theIP "ls -l"'
I can successfully connect to the server.
Both use the same private key created with ed25519
According to the Pull request, the new version of JSCH is being used so I don't really understand where the problem is coming from. According to some JSCH documentation being able to use ed25519 requires Java 15 but I tested it with Java 17 and 21 without any change in the error or behaviour. 
The lack of support for newer formats of SSH keys is very frustrating. We have a huge CI/CD system that we'd like to move over to using this plugin for deployments (currently done largely through SSH for some systems) and we are already using keys with the newer formats. Many many keys with that format. Doesn't make sense or seem feasible to go through and re-generate all our keys to an OLDER format just to be compatible with this plugin.