2

Jenkins v2.164.3, ssh agent plugin 1.19

I created a new Ubuntu build node, called it test-fleet arbitrarily. I have the following file in the node

/home/ubuntu/.gitconfig
------------------------
[user]
(tab)name = myUser
(tab)email = myUser@myemail.com

$ ls -al .gitconfig
-rw-r--r-- 1 ubuntu ubuntu   58 Jan 25 04:27 .gitconfig

Now I have a Jenkins pipeline that does this

node('test-fleet') {
   stage('test git') {
     sshagent(credentials: ['myUser-creds']) {
       sh """
          export GIT_SSH_COMMAND=\"ssh -v\"
          git ls-remote git@bitbucket.org:project/myrepo.git
       """
     }
   }
}

I get this in my job's console

[ssh-agent] Using credentials myUser-creds (Bitbucket credentials)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
SSH_AUTH_SOCK=/tmp/ssh-V4G1oYutEMCW/agent.16446
SSH_AGENT_PID=16448
Running ssh-add (command line suppressed)
ssh-agent
Identity added: /home/jenkins/workspace/Utilities/Playground/test-ec2-fleet-ssh@tmp/private_key_2248848783998450720.key (/home/jenkins/workspace/Utilities/Playground/test-ec2-fleet-ssh@tmp/private_key_2248848783998450720.key)
Cloning into 'myrepo'...

+ git ls-remote git@bitbucket.org:project/myrepo.git
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [18.205.93.2] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_d603cef0bf app-133
debug1: no match: conker_d603cef0bf app-133
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I know I'm using the correct creds, and that the repo exists. I have another build node, and it works on THAT node, so I know my Jenkins is set up correctly, and the problem is on the new build node.

Any clues on how to solve this?

Chris F

2 Answers

0

Check first the same key works when doing a git ls-remote git@bitbucket.org:project/myrepo.git in a session using the same user as the one running Jenkins.

And check the myUser-creds is the actual passphrase (not password: passphrase) protecting the SSH private key. When it comes to SSH, there is no "credentials" as in username/password.

VonC
  • Thanks. `myUser-creds` is just the name of the credentials defined in the Jenkins credentials console, which are an ssh pub/priv key pair. – Chris F Jan 25 '20 at 06:22
  • @ChrisF OK: is your private ssh key passphrase protected? In other words, do you need the ssh agent? – VonC Jan 25 '20 at 06:24
  • No it's NOT passphrase protected – Chris F Jan 25 '20 at 06:28
  • @ChrisF You could add an `env GIT_SSH_COMMAND="ssh -v"`, to see what is going on. – VonC Jan 25 '20 at 06:32
  • y that helped - it's not seeing a private key in the `/home/ubuntu/.ssh` dir. But I thought that's what the sshagent() does, although sometimes I don't see the `Identity added ...` line. WT...??? – Chris F Jan 25 '20 at 06:59
  • It can happen if Jenkins is not running with the same user as the one with the keys. Or if the Jenkins SSH credentials do not reference the private key. – VonC Jan 25 '20 at 07:00
  • But that's what the `sshagent(credentials: ['myUser-creds'])` ensures. – Chris F Jan 25 '20 at 07:02
0

First of all, check which user owns Jenkins. You can find it out by listing the owner of the Jenkins install directory (`/var/lib/jenkins` is the default). Then log in with that user and check the `.ssh` folder for that user. As Jenkins is using SSH for the checkout, based on this answer here you should have a problem in `$HOME/.ssh/known_hosts`. Follow the guidelines for the link provided for the correct user running Jenkins to make git checkout work. The problem is that `myUser` actually does not have any ssh repository to be able to check the ssh keys. Either create `myUser` in your machine and add the `.ssh` folder, or use another user.

aLuViAn
  • I'm running as user ubuntu (`whoami` shows that) when the job runs, but because of the `.gitconfig`, the ssh-user is actually `myUser`. Note that I'm not building a `~/.ssh/known_hosts` file, which can be a clue. – Chris F Jan 25 '20 at 07:22
  • Try changing the user to "ubuntu" in your .gitconfig file. See what is the result – aLuViAn Jan 25 '20 at 07:27
  • Changing the user to `ubuntu` did help, and I didn't expect it to. – Chris F Jan 25 '20 at 07:34
  • The problem is that `myUser` actually does not have any ssh repository to be able to check the ssh keys. Either create `myUser` in your machine and add `.ssh` folder, or use another user. – aLuViAn Jan 25 '20 at 07:36
  • But I have another Ubuntu box running that is set up similarly, and I don't have issues there. That is, no user `myUser` on it either. That's what bugs me. – Chris F Jan 25 '20 at 07:43
  • Well, there is a difference, for sure. Most of the time problems in this area come from permissions, different users running different services, etc. As this happened to me before, I mention this scenario: During your previous ubuntu box setup, you might have done some extra work that might have seemed trial-and-error and has been overlooked for the new setup but actually played a key role. For me it was a chmod change I had for one of my test machines. Took me a week to find it lol. – aLuViAn Jan 25 '20 at 07:50
  • for sure there's a difference. I said `similar` not the same. – Chris F Jan 25 '20 at 07:52
  • You're right. You have to find the change to find out the root cause. I would appreciate it a lot if you mention the difference below this question, after finding it. – aLuViAn Jan 25 '20 at 07:54
  • Getting nearer. I copied the `known_hosts` file on the working Ubuntu machine to the non-working one, and it worked. But how come the new machine is NOT creating a `known_hosts` file on its own? – Chris F Jan 25 '20 at 08:02
  • Maybe it does not have permission to write in `.ssh` folder. Only the owner can access that. – aLuViAn Jan 25 '20 at 08:23
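
The thread converges on a missing `known_hosts` entry: the job has no TTY (`can't open /dev/tty`), so ssh cannot ask to accept the new host key and verification fails. As an added example (not part of the original posts), the Python below seeds `known_hosts` on a build node from a `ssh-keyscan`-style line, but only when the key's SHA256 fingerprint matches a value obtained out of band; the function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import os
import tempfile

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pin_host_key(ssh_dir, host, scanned_line, expected_fp):
    """Add one "host keytype base64key" line (the format ssh-keyscan prints) to
    known_hosts only if its fingerprint equals the pinned value.
    Returns True when the entry is present afterwards, False when rejected."""
    parts = scanned_line.split()
    if len(parts) < 3 or parts[0] != host:
        return False
    try:
        if sha256_fingerprint(parts[2]) != expected_fp:
            return False  # key on the wire is not the one we pinned
    except ValueError:  # malformed base64
        return False
    # The job user must own a private, writable ~/.ssh directory.
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "known_hosts")
    entry = " ".join(parts[:3])
    if os.path.exists(path):
        with open(path) as fh:
            if entry in (line.strip() for line in fh):
                return True  # already pinned, do not duplicate
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(entry + "\n")
    return True

# Constructed sample data, NOT Bitbucket's real host key. In real use the
# pinned fingerprint comes from the hosting provider's published documentation.
GOOD_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-demo-key").decode()
BAD_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"substituted-demo-key").decode()
PINNED_FP = sha256_fingerprint(GOOD_KEY)

def demo():
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    rejected = pin_host_key(ssh_dir, "bitbucket.org", f"bitbucket.org ssh-rsa {BAD_KEY}", PINNED_FP)
    accepted = pin_host_key(ssh_dir, "bitbucket.org", f"bitbucket.org ssh-rsa {GOOD_KEY}", PINNED_FP)
    with open(os.path.join(ssh_dir, "known_hosts")) as fh:
        return rejected, accepted, fh.read().splitlines()

if __name__ == "__main__":
    print(demo())
```

Run this as the account the job executes under (`ubuntu` in the question), so the file lands in the `~/.ssh` directory that ssh actually reads.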