
I'm trying to enable ForwardAgent in the "Publish over SSH" Jenkins Plugin. This would allow jenkins to execute deployments, rsyncs and svn+ssh checkouts on remote servers. But there's no option for this in the GUI.

ForwardAgent is set to yes in /etc/ssh/ssh_config and in /var/lib/jenkins/.ssh/config, but when Jenkins jobs login over ssh, the remote session does not have the key loaded in agent. ("Could not open a connection to your authentication agent.")

Is there a way to force ForwardAgent, or a better way to do this (via a Jenkins slave)?

Thanks for any ideas, much appreciated!

MattPark
r_2
  • "*Could not open a connection to your authentication agent.*" means a failure to communicate with the agent. Please provide the output of the following commands when executed remotely: `ssh-add -l; echo $SSH_AUTH_SOCK; ls -ld $SSH_AUTH_SOCK` – yrk Feb 07 '12 at 21:47
  • @yarek, it looks like it's not finding $SSH_AUTH_SOCK: ` SSH: EXEC: STDOUT/STDERR from command [ssh-add -l; echo SSH_AUTH_SOCK is "$SSH_AUTH_SOCK"; ls -ld $SSH_AUTH_SOCK] ... Could not open a connection to your authentication agent. SSH_AUTH_SOCK is drwxr-xr-x 9 user user 4096 2012-02-06 18:43 . ` – r_2 Feb 07 '12 at 22:41
  • I probably need to start agent and set that env var on jenkins startup. Let me try that... – r_2 Feb 07 '12 at 22:47
  • Do you have the agent started on your local machine? The commands above should tell. – yrk Feb 08 '12 at 12:34
  • When do you enter the password for the agent to load the key? Is that a different user than the one jenkins runs on? – AndreasM Feb 10 '12 at 12:00
  • Getting close. I added the following to /etc/default/jenkins: `eval \`su jenkins -c "ssh-agent"\``, and added the following env var to DAEMON_ARGS in /etc/init.d/jenkins: `--env=SSH_AUTH_SOCK=$SSH_AUTH_SOCK`. Now when I execute `ssh-add` in a job on local shell, the agent loads. However, the Publish Over SSH Plugin doesn't seem to ever run "ssh-add", and so remote sessions do not have the agent available. Ideas? – r_2 Feb 15 '12 at 19:45

1 Answer


I see this question has been unanswered for over a year, but here is how I solved the problem.

What you want to do is make sure that the user that runs jenkins

  1. checks to see if ssh-agent is running (if not, start it)
  2. checks to see if a key is loaded (if not, load one)

Put this in the ~/.bash_profile of the user that runs jenkins, or of the user that needs to forward the agent, to ensure it runs with each new shell:

```bash
SSH_ENV="$HOME/.ssh/environment"

# Start a fresh agent, save its environment to $SSH_ENV (the "echo Agent pid"
# line is commented out so sourcing the file stays silent), then load the key.
function start_agent {
  echo "Initializing new SSH agent..."
  /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
  echo succeeded
  chmod 600 "${SSH_ENV}"
  . "${SSH_ENV}" > /dev/null
  ssh-add "$HOME/.ssh/id_rsa"
  cat "$HOME/.ssh/id_rsa.pub"
}

# Source SSH settings: reuse the saved agent if its process is still alive,
# otherwise start a new one.
if [ -f "${SSH_ENV}" ]
then
  . "${SSH_ENV}" > /dev/null
  ps -p "${SSH_AGENT_PID}" -o comm= 2>/dev/null | grep -q ssh-agent || {
    start_agent
  }
else
  start_agent
fi

# Load the key if the agent is reachable but holds no identities
# (ssh-add -l exits 1 in that case, 2 if the agent cannot be contacted).
ssh-add -l > /dev/null 2>&1
if [ $? -eq 1 ]
then
  ssh-add "$HOME/.ssh/id_rsa"
  cat "$HOME/.ssh/id_rsa.pub"
fi
```

About 50% of the code here I took from somewhere else but can't remember where to give credit. This should be fairly portable, and its use need not be limited to jenkins; it should work in any ssh-agent forwarding situation.

MattPark
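The comment thread narrowed the error down by hand (`echo $SSH_AUTH_SOCK; ls -ld $SSH_AUTH_SOCK` printed "." because the variable was empty). The following is an added diagnostic script, not part of the question or the answer above, that makes those checks explicit and separates the three causes behind "Could not open a connection to your authentication agent": no `SSH_AUTH_SOCK` in the job's environment, a stale socket path, or an agent that is reachable but has no identities loaded. The function names and the sample `ssh-agent -s` file used in its checks are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or answer). Classifies the
# ssh-agent state a Jenkins job actually sees, so the failure can be traced
# to its cause instead of guessed at.

# agent_socket_state: classify SSH_AUTH_SOCK (or the path given as $1).
#   unset     - variable empty: the agent's env never reached this process
#   missing   - path set but nothing there (agent exited, value is stale)
#   notsocket - path exists but is not a unix socket
#   ok        - a socket is present
agent_socket_state() {
  sock="${1-$SSH_AUTH_SOCK}"
  if [ -z "$sock" ]; then echo unset; return 1; fi
  if [ ! -e "$sock" ]; then echo missing; return 1; fi
  if [ ! -S "$sock" ]; then echo notsocket; return 1; fi
  echo ok
}

# agent_key_state: map the exit status of `ssh-add -l` to the action the
# answer's profile snippet takes. ssh-add exits 0 when identities are
# loaded, 1 when the agent holds none, 2 when it cannot contact the agent.
# Taking the status as an argument lets the mapping be checked without an agent.
agent_key_state() {
  case "$1" in
    0) echo loaded ;;
    1) echo needs-key ;;
    2) echo needs-agent ;;
    *) echo unknown; return 1 ;;
  esac
}

# env_file_socket: read SSH_AUTH_SOCK out of a file written by `ssh-agent -s`
# (the answer's $SSH_ENV) without sourcing it, so a stale file can be
# inspected before it is trusted.
env_file_socket() {
  sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1"
}

# diagnose: run the checks against the live environment and print what a
# Jenkins job needs next. Always returns 0 so it can be the first line of a
# job's shell step without aborting the build.
diagnose() {
  state=$(agent_socket_state) || true
  echo "SSH_AUTH_SOCK: $state (${SSH_AUTH_SOCK:-<empty>})"
  if [ "$state" != ok ]; then
    echo "next: export the agent's SSH_AUTH_SOCK into the Jenkins process environment"
    return 0
  fi
  if command -v ssh-add >/dev/null 2>&1; then
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    echo "agent keys: $(agent_key_state "$rc")"
  fi
  return 0
}

diagnose
```

Run it from a Jenkins shell step (or from the Publish over SSH "exec command" field) before the step that needs agent forwarding: an `unset` result means the fix belongs in how Jenkins is started (as in the `DAEMON_ARGS` comment above), `needs-key` means the agent is fine and only `ssh-add` is missing, and `needs-agent` with an `ok` socket points at a socket the Jenkins user cannot use.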