  1. Jenkins
  2. JENKINS-69552

Passphrase Authentication Fails


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • None
    • RHEL7
      Jenkins 2.359
      SSH Agent Plugin Version 295.v9ca_a_1c7cc3a_a_
      Credentials Plugin Version 1143.vb_e8b_b_ceee347
      OpenSSH_8.8p1a

      The Problem 
      The Jenkins SSH Agent Plugin is failing to successfully load a key with a passphrase that is stored with the Credentials Plugin. The Jenkins Agent is running on the same machine as the Controller.

      The error seems to be saying that the script used to load the passphrase doesn't exist.  I don't know if it exists or how to test that, as I'm assuming it's meant to be deleted quickly.  Therefore, I'm not sure if the problem is with the SSH Agent Plugin, or Credentials Plugin or a combination/interaction of both plugins.

      The ssh-agent Binary on the Host Works  
      The problem does not seem to be with the host system, as I am able to successfully use ssh-add from the command line with the referenced key and passphrase.

      The SSH Agent Plugin Partially Works  
      The username, private key and passphrase have been added into the Jenkins Controller utilizing the Credentials Plugin. The SSH Agent Plugin works as expected with a plugin that does not have a passphrase.

      My pipeline is simple  

      pipeline {
          agent any
          options {
              ansiColor('xterm')
          }
          stages {
              stage("setup environment") {
                  steps {
                      deleteDir()
                  } //steps
              } //stage - setup environment
              stage("Test the key") {
                  steps {
                      sshagent(['testkey']) {
                          sh "ssh host whoami"
                      } //sshagent
                  } //steps
              } //stage - Test the key
          } //stages
      } //pipeline
      

      The output looks like this  

      [Pipeline] {
      [Pipeline] sshagent
      [ssh-agent] Using credentials testkey (Test key with passphrase)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
      $ ssh-agent
      SSH_AUTH_SOCK=/tmp/ssh-oKcZZF65GvXc/agent.31647
      SSH_AGENT_PID=31650
      Running ssh-add (command line suppressed)
      ssh_askpass: exec(/var/lib/jenkins/workspace/testing@tmp/askpass_11086250741160980548.sh): No such file or directory
      [Pipeline] // sshagent
      [Pipeline] }
      .
      .  (I removed the extraneous output showing the closing of each section.)
      .
      ERROR: Failed to run ssh-add
      Finished: FAILURE
      

      I've found similar issues where Jenkins was having issues interacting with the ssh-agent tools; however, this isn't the case here. The indicated problem is with the script that (I'm guessing) provides the key and passphrase to ssh-agent.

      For example, [this post](https://stackoverflow.com/questions/63565578/ssh-askpass-exec-usr-bin-ssh-askpass-no-such-file-or-directory-permission-de) describes an issue with the ssh-askpass binary while executing ssh-add on the client.

      ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
      Permission denied, please try again.
      

      In my scenario, ssh-add is being executed by the ssh-agent plugin on the Jenkins Controller, which is where the Jenkins Agents are launched. And the error isn't with the ssh-askpass binary, but rather the @tmp/askpass_####.sh script that Jenkins generates to interact with ssh-askpass.

      Some posts have suggested removing or adding trailing newlines; however, their symptoms are slightly different. I have tried these suggestions with no success.

      • Is there a way to test things further?
      • Is there more logging that I can turn on?  
      • What is the experiment that would isolate a component and expose the root cause?

      My question is similar to [this question](https://stackoverflow.com/questions/59879395/ssh-askpass-exec-app-jenkins-slave-workspace-footmp-askpass-foo-sh-no-such); however, I have added additional information in hopes that I'm clearly stating the issue and the surrounding context.

            jvz Matt Sicker
            jbuck Jonathan Buck
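One experiment for the question in the report, added here as an example that is not part of the original report and is not the plugin's or OpenSSH's code: exec reports "No such file or directory" both when the helper script is absent and when the interpreter named on its `#!` line cannot be found, and this code tells those cases apart. The function names and the sample scripts are constructed for illustration; `run_askpass` only imitates how an askpass helper is invoked (prompt as the argument, passphrase read from stdout).

```python
import errno, os, stat, subprocess, tempfile

def run_askpass(path, prompt="Enter passphrase: "):
    """Exec `path` the way an askpass helper is called and classify the outcome.
    Returns (status, detail); status is one of
    ok / missing / bad-interpreter / not-executable."""
    try:
        out = subprocess.run([path, prompt], stdout=subprocess.PIPE,
                             check=True, timeout=5).stdout
        return "ok", out.decode().rstrip("\n")
    except OSError as e:
        if e.errno == errno.ENOENT and os.path.exists(path):
            # The file is present, so ENOENT refers to the #! interpreter.
            with open(path, "rb") as f:
                return "bad-interpreter", repr(f.readline())
        if e.errno == errno.ENOENT:
            return "missing", path
        if e.errno == errno.EACCES:
            # No execute bit, or the directory sits on a noexec mount.
            return "not-executable", oct(stat.S_IMODE(os.stat(path).st_mode))
        raise

def write_script(directory, name, body, mode=0o700):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, mode)
    return path

def demo():
    """Constructed cases; none of these files come from Jenkins."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "good": write_script(d, "askpass_good.sh",
                                 b"#!/bin/sh\necho constructed-passphrase\n"),
            # CRLF line ending: the kernel looks for an interpreter named "/bin/sh\r".
            "crlf": write_script(d, "askpass_crlf.sh", b"#!/bin/sh\r\necho x\r\n"),
            "mode": write_script(d, "askpass_mode.sh",
                                 b"#!/bin/sh\necho x\n", mode=0o600),
            "gone": os.path.join(d, "askpass_deleted.sh"),  # never created
        }
        for label, path in cases.items():
            results[label] = run_askpass(path)[0]
    return results

if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:5s} -> {status}")
```

Because the real `@tmp/askpass_*.sh` file is short-lived, the check is only meaningful against a copy of the script or a hand-written stand-in placed in the same workspace `@tmp` directory.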