Status: Open
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016
Jenkins 2.73.3 (stable)
with plugin ansible 0.6.2
and plugin credentials 2.1.16
TL;DR: it seems the ansible plugin does not get/provide the passphrase correctly from/to the credentials plugin.
See also: -
When I run a job with an Ansible build task that uses a private key with a passphrase provided by the Credentials plugin, the playbook hangs.
When I add the
option to the build, Ansible fails quickly, and hosts are unreachable. That indicates to me that SSH is prompting for the passphrase of my private key. As the Jenkins job is not interactive, it hangs without the option.
I have also tested the following:
- the playbook's execution is OK using the passphraseless key
- I can reach the hosts using a manual SSH command with the passphrase-enabled key, after being prompted for the passphrase by SSH
- the passphrase stored by the Credentials plugin seems fine: during some tests I could see a temporary .sh file generated in the $CATALINA_HOME/temp folder of Jenkins/Tomcat, that contains the passphrase in clear-text, and is used to generate a temporary PEM file (.key) containing the deciphered key
All in all it seems the only remaining explanation is that there is a bug in the implementation of the Ansible plugin.
The following SSH debug output is generated by Ansible with options :
But, as I understand the SSH message "incorrect passphrase supplied to decrypt private key", it can also mean the PEM file is corrupted. And in fact, when I can see the file, it is empty (0 bytes).
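The report ends with two competing explanations: a key that still needs its passphrase, or a temporary key file that is empty or corrupted. The following added example (not code from the Ansible or Credentials plugin) classifies a key file's bytes to tell those cases apart without attempting decryption; it goes beyond the legacy PEM format of the reported setup to cover PKCS#8 and the newer OpenSSH container, and `classify_key`, `make_pem` and `SAMPLES` are hypothetical names with constructed dummy payloads.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"

def classify_key(data: bytes) -> str:
    """Classify a private key file: empty, not-pem, corrupt, encrypted, unencrypted."""
    if not data.strip():
        return "empty"                      # the 0-byte case from the report
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines[0].startswith("-----BEGIN "):
        return "not-pem"
    if not lines[-1].startswith("-----END "):
        return "corrupt"                    # truncated, e.g. read while being written
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    # PKCS#8 encrypted keys and legacy PEM keys announce encryption in clear text.
    if label == "ENCRYPTED PRIVATE KEY" or any(
            l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body):
        return "encrypted"
    try:
        blob = base64.b64decode("".join(l for l in body if ":" not in l), validate=True)
    except ValueError:
        return "corrupt"
    if not blob:
        return "corrupt"
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic, then a length-prefixed cipher name ("none" = no passphrase).
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < 19:
            return "corrupt"
        (n,) = struct.unpack(">I", blob[15:19])
        return "unencrypted" if blob[19:19 + n] == b"none" else "encrypted"
    return "unencrypted"

def make_pem(label, payload, headers=()):
    """Build a constructed sample; the payload is dummy bytes, not a real key."""
    parts = ["-----BEGIN %s-----" % label, *headers,
             base64.b64encode(payload).decode(), "-----END %s-----" % label]
    return ("\n".join(parts) + "\n").encode()

SAMPLES = {  # constructed inputs, including a constructed DEK-Info IV
    "zero-byte temp file": b"",
    "legacy, passphrase": make_pem("RSA PRIVATE KEY", b"dummy", (
        "Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF", "")),
    "legacy, deciphered": make_pem("RSA PRIVATE KEY", b"dummy"),
    "openssh, passphrase": make_pem("OPENSSH PRIVATE KEY",
        OPENSSH_MAGIC + struct.pack(">I", 10) + b"aes256-ctr" + b"dummy"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify_key(data))
```

A result of `encrypted` for the file handed to SSH means the passphrase was never applied, while `empty` or `corrupt` points at how the temporary file was written.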