Jenkins / JENKINS-32704

Command line ssh-add does not work




      I have the ssh-agent-plugin configured for one of my Jenkins jobs.
      The SSH connection uses a jump server to get to a target machine.

      | Jenkins Build Node |  -A-> | Jump Server | -B-> | Target Machine |

      A) The key for the "deploy" user on the jump server has been added to the Jenkins configuration and is added to the SSH Agent as part of the job.

      B) The user on the target server is selected from a drop-down box in the parameterized job form, which is displayed when clicking on the link "Build with Parameters".

      For this to work, a Bash shell script is started which adds the private key for the selected environment to the SSH agent by running ssh-add seckeys/dev. The connection to the SSH agent is established by the Unix socket, as defined by SSH_AUTH_SOCK=/tmp/jenkins4211455000048058133.jnr.
      I run ssh-add -l afterwards to validate that the key has been added:

      4096 e0:bd:34:99:42:26:60:0f:bf:89:c2:b9:f1:b0:83:cc deploy (The jump server user) (RSA)
      17 8c:64:4a:c3:40:c2:50:ec:8e:ac:03:86:5f:45:24:37 seckeys/dev (RSA)

      The first key is the deploy user's (A) key on the jump server, which is the same for all targets.
      The second one is the private key for the environment specific user on the target server (B).

      As you can see, the key added by ssh-add from the shell script seems to be broken, as the key length, i.e. the first value, is only 17 bits. The consequence is that the server rejects the key and no connection is possible.

      When I add both keys to the Linux standard ssh-agent the key dump looks like this:

      4096 6f:89:e7:13:00:6f:09:7c:2f:bf:5a:a5:71:ff:31:2c seckeys/dev (RSA)
      4096 e0:bd:34:99:42:26:60:0f:bf:89:c2:b9:f1:b0:83:cc deploy (RSA)

      The workarounds are:

      1. Add all keys to Jenkins. The disadvantage is that the list of environments/keys cannot be extended by the maintainers of the deployment project in our Git repository. There is always a Jenkins configuration change necessary (we have a restricted environment where users cannot access the configuration page of a job).
      2. Use the Linux default ssh-agent as part of the shell script and do not use the ssh-agent-plugin at all.
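
A sketch of workaround 2 with a guard for the symptom in the report, as an added example that is not part of the original issue or the ssh-agent-plugin: the script runs its own ssh-agent, loads the key, and refuses to continue if `ssh-add -l` lists an RSA key with an implausibly small bit length. The function names and the 2048-bit threshold are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example; MIN_RSA_BITS and all function names are assumptions.
MIN_RSA_BITS=2048

# Reads `ssh-add -l` output on stdin. Prints every RSA entry whose reported
# bit length (field 1) is below MIN_RSA_BITS and returns 1 if any was found.
check_agent_keys() {
    awk -v min="$MIN_RSA_BITS" '
        # The last field of each listing line is the key type, e.g. "(RSA)".
        $1 ~ /^[0-9]+$/ && $NF == "(RSA)" && $1 + 0 < min {
            print "suspicious key: " $0
            bad = 1
        }
        END { exit (bad + 0) }
    '
}

# The two listing lines quoted in the report, used as sample input.
report_listing() {
    cat <<'EOF'
4096 e0:bd:34:99:42:26:60:0f:bf:89:c2:b9:f1:b0:83:cc deploy (The jump server user) (RSA)
17 8c:64:4a:c3:40:c2:50:ec:8e:ac:03:86:5f:45:24:37 seckeys/dev (RSA)
EOF
}

# Workaround 2: start an agent that belongs to this script only, load the
# key, verify the listing, run the given command, and stop the agent on exit.
# Usage: with_private_agent seckeys/dev ssh -A deploy@jump-host ...
with_private_agent() {
    local key="$1"; shift
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # ssh-agent -k uses the SSH_AGENT_PID exported by the eval above.
    trap 'ssh-agent -k >/dev/null' EXIT
    ssh-add "$key" || return 1
    ssh-add -l | check_agent_keys || return 1
    "$@"
}
```

Failing the build at the `ssh-add -l` check surfaces a mangled key in the job log instead of as a rejected login on the target server.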




            jglick Jesse Glick added a comment -

            Covered by the new implementation in JENKINS-36997.



              • Assignee:
                mirumpf Michael Rumpf