Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20879

SSH Credentials (private key with passphrase) do not work

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: git-client-plugin
    • Labels:
    • Environment:
    • Similar Issues:

      Description

      Am I doing something wrong, or is this not something that is supported?

      When I try to add a Git SCM using SSH credentials, it fails with the following error (see SCMError.png):

      	
      Failed to connect to repository : Command "ls-remote -h git@github.com:AppDirect/StandingCloud.git HEAD" returned status code 128:
      stdout: 
      stderr: Permission denied (publickey). 
      fatal: The remote end hung up unexpectedly
      

      I've configured the private key properly (as far as I know anyway)... See PrivateKeyConfiguration.png

      I've also tried the same configuration under a credential domain in case git was hung with a message like this (See CredentialDomain.png):

      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)?
      

      I've tested and the private key that I am using does have access:

      [root@jenkins ~]# ssh -T -i /dev/shm/id_rsa git@github.com
      The authenticity of host 'github.com (192.30.252.128)' can't be established.
      RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'github.com,192.30.252.128' (RSA) to the list of known hosts.
      Enter passphrase for key '/dev/shm/id_rsa': 
      Hi nshenry03! You've successfully authenticated, but GitHub does not provide shell access.
      

      As a workaround I can add/create a key as the jenkins user; however, it would be great if I could use the SSH Credentials plugin so that the key is backed up and restored if I move to a new Jenkins server.

        Attachments

          Issue Links

            Activity

            Hide
            markewaite Mark Waite added a comment -

            That's a good suggestion, though I really intend that the plugin will never prompt for a passphrase, where run with a controlling terminal or not.

            Show
            markewaite Mark Waite added a comment - That's a good suggestion, though I really intend that the plugin will never prompt for a passphrase, where run with a controlling terminal or not.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Mark Waite
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
            http://jenkins-ci.org/commit/git-client-plugin/882ecdfb53d627eeeea130720685681ce2553193
            Log:
            Optionally detach ssh authenticated git calls from terminal

            When I run CredentialsTest from my terminal window on Ubuntu 16.04, the
            test fails for ssh keys which need a passphrase. If I run the tests
            from my IDE, or if I prepend "setsid" to the maven command that runs
            the tests, the tests pass.

            The ssh command called by git seems to require the DISPLAY variable, and
            the GIT_SSH variable, and must be detached from the controlling terminal.
            If any one of those is missing (at least on Ubuntu 16), the passphrase
            prompt will not be answered.

            Command line maven builds now include the property:

            org.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true

            Default runtime value of the property is false. Users will not run
            with this change unless they specifically set that property to true.
            Most users don't run Jenkins with a controlling terminal attached,
            so they don't need the change.

            Sets useSETSID=true in surefire target so that command line invocations
            of the tests will prefix the "git" command with setsid when it is used
            in an ssh private key context.

            Allows command line run of CredentialsTest with passphrase protected
            private keys.

            Setting BatchMode=yes in the ssh command does not have the same result.
            The setsid call was the only technique I found that reliably allowed
            the ssh call performed by command line git to consistently process the
            script defined in the SSH_ASKPASS variable.

            See JENKINS-20879 and JENKINS-25194 for more details.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: pom.xml src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java http://jenkins-ci.org/commit/git-client-plugin/882ecdfb53d627eeeea130720685681ce2553193 Log: Optionally detach ssh authenticated git calls from terminal When I run CredentialsTest from my terminal window on Ubuntu 16.04, the test fails for ssh keys which need a passphrase. If I run the tests from my IDE, or if I prepend "setsid" to the maven command that runs the tests, the tests pass. The ssh command called by git seems to require the DISPLAY variable, and the GIT_SSH variable, and must be detached from the controlling terminal. If any one of those is missing (at least on Ubuntu 16), the passphrase prompt will not be answered. Command line maven builds now include the property: org.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true Default runtime value of the property is false. Users will not run with this change unless they specifically set that property to true. Most users don't run Jenkins with a controlling terminal attached, so they don't need the change. Sets useSETSID=true in surefire target so that command line invocations of the tests will prefix the "git" command with setsid when it is used in an ssh private key context. Allows command line run of CredentialsTest with passphrase protected private keys. Setting BatchMode=yes in the ssh command does not have the same result. The setsid call was the only technique I found that reliably allowed the ssh call performed by command line git to consistently process the script defined in the SSH_ASKPASS variable. See JENKINS-20879 and JENKINS-25194 for more details.
            Hide
            markewaite Mark Waite added a comment - - edited

            Git client plugin 2.5.0 (released 27 Jul 2017) added support for setsid in the /usr/local directory tree, since that seems to be where it is stored on MacOS.

            Show
            markewaite Mark Waite added a comment - - edited Git client plugin 2.5.0 (released 27 Jul 2017) added support for setsid in the /usr/local directory tree, since that seems to be where it is stored on MacOS.
            Hide
            allan_burdajewicz Allan BURDAJEWICZ added a comment -

            Mark Waite I think you meant git-client 2.5.0 ?

            Show
            allan_burdajewicz Allan BURDAJEWICZ added a comment - Mark Waite I think you meant git-client 2.5.0 ?
            Hide
            markewaite Mark Waite added a comment -

            You're correct Allan BURDAJEWICZ, I should have said "git client plugin". The git plugin release 2.5.0 was already a year old by the time git client plugin 2.5.0 was released.

            Show
            markewaite Mark Waite added a comment - You're correct Allan BURDAJEWICZ , I should have said "git client plugin". The git plugin release 2.5.0 was already a year old by the time git client plugin 2.5.0 was released.

              People

              • Assignee:
                Unassigned
                Reporter:
                nshenry03 Nick Henry
              • Votes:
                20 Vote for this issue
                Watchers:
                35 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: