Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-69207

Pipeline Git checkout fails: "Permission denied (publickey)"

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • - Jenkins 2.346.2 LTS
      - Git 4.11.4
      - Git Client 3.11.1
      - SSH Credentials 295.vced876c18eb_4
      - Pipeline Multibranch 716.vc692a_e52371b_
      - Pipeline SCM Step 400.v6b_89a_1317c9a_
      - OpenJDK Java 11 (Jenkins / Agent)

      Git fails to fetch the Multibranch Pipeline repo since the 2.346.2 LTS and related Plugin updates. It's worth mentioning that the update ran into the Mina SSH / CasC dependency cycle, which was finally resolved by an update.
       
      While branch discovering and fetching the Jenkinsfile works fine, the actual build fails due to "Permission denied (publickey)".
      Jobs were working until that day, SSH Credentials haven't changed.
      This happens on all agents (Linux, Windows), connections (SSH, Swarm Client) and clients (CLI, JGit, JGit + Http Client). The error is reproducable with a simple Multibranch Pipeline Job – see below.
       
      It seems the credentials aren't passed to the actual Git / SSH calls at this point:
       

      run_command: unset GIT_PREFIX; GIT_PROTOCOL=version=2 'ssh -vvv' -o SendEnv=GIT_PROTOCOL git@[[ REPO ]] 'git-upload-pack

       
      (GIT_SSH_COMMAND=ssh -vvv and GIT_TRACE=1)
       
      According to SSH debug log no other keys than the default locations (~/.ssh/id{_}...) are attempted.  
       
      The issue appeared before the host key verification change of Git plugin already.
      Using JGit or JGit with Apache HTTP Client fails too, just with a slightly different message.
       

      Error

       

      ERROR: Error fetching remote repo 'origin'
      hudson.plugins.git.GitException: Failed to fetch from ssh://git@[[ REPO ]]
       ...
      git@[[ REPO ]]: Permission denied (publickey).
      fatal: Could not read from remote repository.
      
      Please make sure you have the correct access rights
      and the repository exists.
      

       (Log attached)
       

      Reproduction

      Using a minimal declarative Pipeline Jenkinsfile.
       

      1. Generate an ed25519 SSH key (no Password to simplify testing), readable to the Pipelines repo
      2. Create a Multibranch Pipeline
      3. Add SSH key to Pipeline (at pipeline level, type: SSH username and private key)
      4. Mulitbranch Pipeline scan succeeds and lists branches (log shows usage of correct credentials)
      5. Build a branch: Fetching the Jenkinsfile ok, correct credentials are used, but checkout step fails
         

      Workaround

       
      Restore Master host from backup.
       

            Unassigned Unassigned
            ethorsa ethorsa
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: