
I am trying to debug a Jenkins Plugin that seems to be failing due to an SSH permission problem. Basically the plugin allows me to SSH from a master machine into a specific Jenkins build on the slave machine, but for some reason it fails on the system that I'm trying to use it on.

When executed, the plugin tells me that I can use something like the following command to SSH into the slave build from the master machine:

ssh.config

    Host=*.localhost
    Port=43689
    ProxyCommand=ssh -p 43689 localhost diagnose-tunnel -suffix .localhost %h

command:

    ssh -F ssh.config Test.localhost

This works on a test system I've set up (using two machines), but fails in the production environment with the error Permission denied (publickey).

While I'm certainly willing to debug the permission problem myself, I'm really confused as to how this ssh command works :/ What exactly is it trying to do? I researched the matter but I'm still confused as to how this works with the proxy command.

I imagine that it connects to some custom port in localhost (the jenkins master machine), but how would this allow me to ssh into the slave machine? Can this command be rewritten into one line for readability? What could possibly cause a permission denied error?

Thanks for any help! I imagine this is probably a really simple question, but I'm new to SSH and am still trying to understand it :)

Update

Output of ssh -vF test_ssh <job>.<host>, as requested! ^^ (with the job and host replaced by tags for readability)

    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data test_ssh
    debug1: Applying options for *.<host>
    debug1: Executing proxy command: exec ssh -p 44078 <host> diagnose-tunnel -suffix .<host> <job>
    debug1: permanently_drop_suid: 497
    debug1: identity file /var/lib/jenkins/.ssh/identity type -1
    debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
    debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
    debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
    debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
    debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
    debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
    debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
    Permission denied (publickey).
    ssh_exchange_identification: Connection closed by remote host

  • did you register your public ssh key with prod server? – sotona Mar 18 '16 at 10:26
  • Thank you for the reply! I just checked the keys, and I have the public key from the master machine inside the slave's authorized_keys file. I seem to be able to ssh into the slave machine without problems, but it's the `ssh -p 43689 localhost` that's giving me problems on the production setup with the permission denied error :/ I tried adding id_rsa.pub from the master machine into authorized_keys on the same machine, but it's still not really working... – Volodymyr Sereda Mar 18 '16 at 13:01
  • 'permission denied' or 'connection refused'? are you sure anyone listens to port 43689? – sotona Mar 18 '16 at 13:06
  • Definitely permission denied! I just checked for active ports, and the port is indeed listening. – Volodymyr Sereda Mar 18 '16 at 13:32
  • who is listening to this port? which user owns the process listening to this port? – sotona Mar 18 '16 at 13:34
  • Java is listening to the port, with Jenkins as the user! – Volodymyr Sereda Mar 18 '16 at 13:39
  • so 'permission denied' is most likely due to lack of permissions for user which initiates ssh connection. moreover, if this all is for tunneling you to somewhere else (SOCKS proxy emulation AFAIU), there might be something else elsewhere that causes denial. can you post `ssh -v ...` output? – sotona Mar 18 '16 at 13:41
  • I updated the answer with the output! – Volodymyr Sereda Mar 18 '16 at 13:51
  • your debug output says it tries to connect to port 44078 somewhere else – sotona Mar 18 '16 at 13:54
  • also check if jenkins owns every file in /var/lib/jenkins/.ssh – sotona Mar 18 '16 at 14:01
  • Hmmmm. Jenkins owns both the folder and the files within it ^^ I was experimenting, and this seems to be the problem: `ssh -p 44078 localhost`. It fails with permission denied. – Volodymyr Sereda Mar 18 '16 at 14:21
  • and who's listening to 44078 ? – sotona Mar 18 '16 at 14:22
  • Java, with Jenkins as the user ^^ – Volodymyr Sereda Mar 18 '16 at 15:06
  • BUT! I can connect to port 22 without permission issues! – Volodymyr Sereda Mar 18 '16 at 16:01
  • Because it's the default (standard) port your ssh daemon listens to. And these five digit ports are used to emulate SOCKS proxy and may be served by Java app rather than sshd – sotona Mar 18 '16 at 16:07
  • Yes! The 44078 port seems to be served by Apache SSHD, as opposed to the 22 one served by OpenSSH... But why would it refuse to authenticate me? :/ – Volodymyr Sereda Mar 18 '16 at 16:11

2 Answers

0

Your ssh.config should also contain something like

    User USERNAME
    PubKeyAuthentication yes
    IdentityFile /path/to/key

where USERNAME is the actual user which is allowed to connect to your prod server and /path/to/key is their private key. Before that, you should have run

    ssh-copy-id -i /path/to/key.pub SERVER

where SERVER is your prod host.

sotona
0

I've had the same problem.

Now, I'll try to answer you.

What exactly is it trying to do?

    ssh -p <port> <server> diagnose-tunnel -suffix .<server> %h

`diagnose-tunnel -suffix .<server> %h` is a command which executes on <server>:<port>. As I understand it, it is a Jenkins-specific command which helps to establish a connection with the slave node.

Permission denied (publickey).

Here is the solution which helped me:

  1. Generate private & public keys via ssh-keygen;
  2. Copy the public key (id_rsa.pub) to your user settings (http://<jenkins_server>:8080/user/<jenkins_user_name>/configure);
  3. Edit the ~/.ssh/config file: you should add jenkins_user_name to the ProxyCommand line:

    ProxyCommand ssh -p <port> <jenkins_user_name>@<jenkins_server> diagnose-tunnel -suffix .<jenkins_server> %h

  4. It is also necessary to add User <jenkins_user_name> and IdentityFile /path/to/private_key, as @sotona has written.

rinatdobr
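An added example, not part of either answer: a small triage function for `ssh -v` output like the one in the question, which reports whether the denial came from the ProxyCommand hop or from the final target. It assumes the inner `ssh` in ProxyCommand is not itself run with `-v`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify which hop of a ProxyCommand connection failed,
# from `ssh -v` output read on stdin.
# Prints: hop=<proxy|target|none> methods=<list> keys=<loaded identity files>
triage_ssh_v() {
  awk '
    /^debug1: Executing proxy command:/ { proxy = 1 }
    # "type -1" means the file was not loaded; any other type is a usable key.
    /^debug1: identity file .* type / {
      if ($NF != "-1") keys = keys (keys == "" ? "" : ",") $4
    }
    # The outer client logs this only after it has received the server banner.
    /^debug1: Remote protocol version/ { banner = 1 }
    /^Permission denied \(/ {
      denied = 1
      methods = $0
      sub(/^Permission denied \(/, "", methods)
      sub(/\)\..*$/, "", methods)
    }
    END {
      # Denied before any banner, with a proxy command running: the message
      # came from the inner ssh, so the outer session never started.
      hop = "none"
      if (denied) hop = (proxy && !banner) ? "proxy" : "target"
      printf "hop=%s methods=%s keys=%s\n", hop, methods, keys
    }'
}

# Sample input: shortened from the debug output in the question (placeholders kept).
sample_log() {
  cat <<'EOF'
debug1: Executing proxy command: exec ssh -p 44078 <host> diagnose-tunnel -suffix .<host> <job>
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host
EOF
}

sample_log | triage_ssh_v
```

A `hop=proxy` result means the key has to be accepted by whatever serves the port named in ProxyCommand, which is the hop the steps above reconfigure.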