36

Here is my setup:

  1. Jenkins is running on my linux machine as 'jenkins' user.
  2. I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
  3. When I sudo su jenkins and try ssh -vT git@github.com, I am always asked my passphrase, but I am always eventually authenticated. (the verbose option shows which key is used, among others).
  4. I could clone my repo from GitHub using jenkins:

Thusly:

jenkins@alpm:~/jobs/test git/workspace$ git pull 
Enter passphrase for key '/var/lib/jenkins/.ssh/id_rsa':
Already up-to-date.

Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:

status code 128:
stdout: 
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly

This is the same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:

indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:

echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh

While running the same command as my 'jenkins' user yields nothing (not even permission denied).

My understanding of the problem is that the passphrase is not remembered. Do you have any idea? Shall I start a ssh-agent or key ring manager for the jenkins user? How? Or is ssh forwarding suitable when forwarding to the same machine? Any brighter idea?

ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)

pimajor
  • 1
    try [this][1] the secret is to create a .ssh key via 'jenkins' user [1]: http://stackoverflow.com/questions/8910848/hudson-cannot-fetch-from-git-repository – Luiz E. May 14 '12 at 19:45
  • 3
    actually what worked was not to create the ssh key with the jenkins user, this is necessary but not sufficient. What helped was to leave the passphrase empty. (so it was not asked for....) – pimajor May 16 '12 at 21:29
  • 1
    So, is it working or not? Please write a short answer (and not a comment) to your question describing how it was solved. Thanks! – Gonen Sep 14 '12 at 18:20
  • Try this https://stackoverflow.com/questions/46893328/bitbucket-access-keys-can-only-be-used-for-read-only/55469070#55469070 – Remigiusz Apr 02 '19 at 07:38

9 Answers

49

Since nobody wrote the answer from the comments for several months, I will quickly do so.

There are 2 possible problems/solutions:

  1. id_rsa created with wrong user

    Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)

  2. Leave passphrase empty

Patrick Boos
  • Why does it matter which user creates the keypair? – Richard Jul 07 '13 at 23:59
  • 1
    Because each user has his own .ssh folder where the keys are stored. The user jenkins connects to github with his own ssh key in ~/.ssh/id_rsa. If you create them with your own user, then jenkins won't be using them, but still his own ssh keys. – Patrick Boos Jul 08 '13 at 01:52
  • 1
    That would have taken a while to figure out, but it's actually obvious once you think about it. Many thanks! – binarygiant Sep 04 '13 at 22:11
  • Wouldn't it be sufficient to create id_rsa with another user, move it to the desired user's folder and set chown on it? – Tzen Aug 28 '17 at 08:52
  • 2
    Leave passphrase empty solved it, with a passphrase I got the above error. Thanks! – lukass77 Feb 07 '20 at 14:20
15

To summarise what must be done on the Jenkins server:

# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/

# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""

# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*

Remember:

  • Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up.
  • Do not use a passphrase for your key
  • Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git@github.com (change address according to your git server)
Paul Podgorsek
  • Dude, you saved my day! I was struggling with this setup and nothing else has worked. It works like a charm here. – Paulo Pedroso Mar 27 '17 at 19:29
  • "Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up." This. fixed my issue. very important. thanks! – Kevin Milner Jun 08 '17 at 21:58
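
The ownership and mode settings from the steps above, written as a repeatable audit that also reports private keys that load with an empty passphrase (the setting recommended on this page, which leaves the key unencrypted on disk). This is an added example, not code from any of the posts; the function name audit_ssh_dir is hypothetical, and it assumes GNU stat and, for the passphrase check only, ssh-keygen on the PATH.

```shell
#!/bin/sh
# Added example (not from the posts). audit_ssh_dir is a hypothetical helper.
# Usage: audit_ssh_dir DIR OWNER    e.g. audit_ssh_dir ~jenkins/.ssh jenkins
# Run it as root or as OWNER so the key files are readable.
# Prints one line per finding; returns 1 if any FAIL was printed, else 0.
audit_ssh_dir() {
    local dir="$1" owner="$2" rc=0 f mode

    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    # Directory: owned by the service account, mode 700 (step 3 above).
    [ "$(stat -c %U "$dir")" = "$owner" ] ||
        { echo "FAIL $dir: not owned by $owner"; rc=1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || { echo "FAIL $dir: mode $mode, expected 700"; rc=1; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Pick out private keys by their PEM header; skip .pub, known_hosts, etc.
        head -n 1 "$f" 2>/dev/null | grep -q 'BEGIN .*PRIVATE KEY' || continue

        [ "$(stat -c %U "$f")" = "$owner" ] ||
            { echo "FAIL $f: not owned by $owner"; rc=1; }
        mode=$(stat -c %a "$f")
        case "$mode" in
            600|400) ;;   # owner-only access
            *) echo "FAIL $f: mode $mode, expected 600"; rc=1 ;;
        esac

        # A key that loads with an empty passphrase is stored unencrypted.
        # Report it so that exposure is a recorded decision.
        if command -v ssh-keygen >/dev/null 2>&1 &&
           ssh-keygen -y -P "" -f "$f" </dev/null >/dev/null 2>&1; then
            echo "WARN $f: no passphrase, private key is unencrypted on disk"
        fi
    done
    return "$rc"
}
```

A WARN line does not change the return status, so the function can gate a provisioning script on ownership and modes while still listing every unencrypted key.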
10

I got around this problem by simply leaving the passphrase empty when creating the keys.

Marco Corona
  • 4
    Confirmed. This means that despite having a credentials store with UI for a passphrase, Jenkins cannot deal with a passphrase on SSH key. That is a security bug. https://issues.jenkins-ci.org/browse/JENKINS-20879 – bbaassssiiee Dec 11 '15 at 19:59
  • Updating the SSH and Git plugins in Jenkins to the latest version fixed the problems for me. Seems the issue was fixed in 2017. – Bjørn Stenfeldt Nov 11 '19 at 11:21
5

I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:

sudo chown jenkins -R /var/lib/jenkins/.ssh/*
stoyan
  • Few check on jenkins user, $ su jenkins then test git connection ssh -T git@xxx-server. – syyu Feb 21 '17 at 15:18
3

The things to check are the following:

  1. if the right public key (id_rsa.pub) is uploaded to the git-server.
  2. jenkins user will access to github -> to CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
  3. if the known_hosts file is created inside ~/.ssh folder. Try ssh -vvv git@github.com to see debug logs. If things go well, github.com will be added to known_hosts.
  4. if the permission of id_rsa is set to 755 (chmod 755 id_rsa)

After all checks -> try ssh -vvv git@github.com. Don't try to do config in jenkins until ssh works!

Tim Long
2

If you are running Jenkins as a service in Windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match.

Filipe Rodrigues
2

For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:

1. Remove all Public and Private keys located at /Users/Username/.ssh

2. Remove all the credentials saved under the Credentials tab in Jenkins.

3. Remove the existing Public SSH keys defined in the Github Repository Settings.

4. Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX

5. Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.

6. In Jenkins, create new credentials by adding the private SSH key (id_rsa) for your Github username.

7. The Error should be removed now.

1

Keys need to be generated from the jenkins user.

sudo su jenkins
ssh-keygen

Once the key is generated, it should be added as an ssh key in bitbucket or github.

blazehub
0

I solved this problem by creating a credential with the private key. This way I don't need to worry about permissions for the private key file in the OS.

  1. Create new credential of kind "SSH Username with private key".
  2. Give Github user ID.
  3. Check the radio button "Private Key -> Enter directly", then click on Add button to copy paste the private key file contents from the OS (.ssh/id_rsa) and save.

Now in the pipeline, give Github repo URL with SSH and choose this new credential.