how to setup ssh keys for jenkins to publish via ssh - jenkins

Jenkins requires a certificate to use the ssh publication and ssh commands. It can be configured under "manage jenkins" -> "Configure System"-> "publish over ssh".
The question is: How does one create the certificates?
I have two ubuntu servers, one running Jenkins, and one for running the app.
Do I set up a Jenkins cert and put part of it on the deployment box, or set up a cert on the deployment box, and put part of it on Jenkins? Does the cert need to be in the name of a user called Jenkins, or can it be for any user? We don't have a Jenkins user on the development box.
I know there are a number of incompatible ssh types, which does Jenkins require?
Has anyone found a guide on how to set this all up (how to generate keys, where to put them etc.)?

You will need to create a public/private key as the Jenkins user on your Jenkins server, then copy the public key to the user you want to do the deployment with on your target server.
Step 1, generate public and private key on build server as user jenkins
build1:~ jenkins$ whoami
jenkins
build1:~ jenkins$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):
Created directory '/var/lib/jenkins/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.
The key fingerprint is:
[...]
The key's randomart image is:
[...]
build1:~ jenkins$ ls -l .ssh
total 2
-rw------- 1 jenkins jenkins 1679 Feb 28 11:55 id_rsa
-rw-r--r-- 1 jenkins jenkins 411 Feb 28 11:55 id_rsa.pub
build1:~ jenkins$ cat .ssh/id_rsa.pub
ssh-rsa AAAlskdjfalskdfjaslkdjf... jenkins#myserver.com
Step 2, paste the pub file contents onto the target server.
target:~ bob$ cd .ssh
target:~ bob$ vi authorized_keys (paste in the stuff which was output above.)
Make sure your .ssh dir has permissoins 700 and your authorized_keys file has permissions 644
Step 3, configure Jenkins
In the jenkins web control panel, nagivate to "Manage Jenkins" -> "Configure System" -> "Publish over SSH"
Either enter the path of the file e.g. "var/lib/jenkins/.ssh/id_rsa", or paste in the same content as on the target server.
Enter your passphrase, server and user details, and you are good to go!

You don't need to create the SSH keys on the Jenkins server, nor do you need to store the SSH keys on the Jenkins server's filesystem. This bit of information is crucial in environments where Jenkins servers instances may be created and destroyed frequently.
Generating the SSH Key Pair
On any machine (Windows, Linux, MacOS ...doesn't matter) generate an SSH key pair. Use this article as guide:
GitHub: Generating a new SSH key and adding it to the ssh-agent (you can skip the section "Adding your SSH key to the ssh-agent")
On the Target Server
On the target server, you will need to place the content of the public key (id_rsa.pub per the above article) into the .ssh/authorized_keys file under the home directory of the user which Jenkins will be using for deployment.
In Jenkins
Using "Publish over SSH" Plugin
Ref: https://plugins.jenkins.io/publish-over-ssh/
Visit: Jenkins > Manage Jenkins > Configure System > Publish over SSH
If the private key is encrypted, then you will need to enter the passphrase for the key into the "Passphrase" field, otherwise leave it alone.
Leave the "Path to key" field empty as this will be ignored anyway when you use a pasted key (next step)
Copy and paste the contents of the private key (id_rsa per the above article) into the "Key" field
Under "SSH Servers", "Add" a new server configuration for your target server.
Using Stored Global Credentials
Visit: Jenkins > Credentials > System > Global credentials (unrestricted) > Add Credentials
Kind: "SSH Username with private key"
Scope: "Global"
ID: [CREAT A UNIQUE ID FOR THIS KEY]
Description: [optionally, enter a decription]
Username: [USERNAME JENKINS WILL USE TO CONNECT TO REMOTE SERVER]
Private Key: [select "Enter directly"]
Key: [paste the contents of the private key (id_rsa per the above article)]
Passphrase: [enter the passphrase for the key, or leave it blank if the key is not encrypted]

For Windows:
Install the necessary plugins for the repository (ex: GitHub install GitHub and GitHub Authentication plugins) in Jenkins.
You can generate a key with Putty key generator, or by running the following command in git bash: $ ssh-keygen -t rsa -b 4096 -C your_email#example.com
Private key must be OpenSSH. You can convert your private key to OpenSSH in putty key generator
SSH keys come in pairs, public and private. Public keys are inserted in the repository to be cloned. Private keys are saved as credentials in Jenkins
You need to copy the SSH URL not the HTTPS to work with ssh keys.

Username it takes is "jenkins" while setting up the key credentials,
and then we need to switch to that user (in cli) in order to generate
key pair to make git connection work.
here are the steps
switch to jenkins user
sudo su - jenkins -s /bin/bash
Generate key pair
ssh-keygen
Configure private key in jenkins as described
Configure public key on git repository side in deploy key section
Test connection, it should work.
Note: This steps are for jenkins in local machine , ubuntu 20.04.

Related

Not able to add SSH Key in Jenkins Configuration

I Have installed 'Publish Over SSH' plugin in Jenkins and would like to transfer few files to SSH Server after each Build .
I have generated the private key using puttygen with passphrase and have given the OpenSSH Public Key in 'authorization_keys' in SSH Server.
Using the generated private key and passphrase , I'm able to login to the SSH Server through PuTTY.
But in Jenkins I'm not able to add the SSH Key. Getting the below Error.
jenkins.plugins.publish_over.BapPublisherException: Failed to add SSH key. Message [The cipher 'aes256-cbc' is required, but it is not available.
Most of the tools (including Jenkins) support keys in OpenSSH format (generated using ssh-keygen), not in the PuTTY format (generated using PuTTYgen). Generate a new key using ssh-keygen or convert the PPK to OpenSSH format.
I wrote the following information in the SO Documentation.
Convert PPK (PuTTY key) to OpenSSH format
You might receive from your peer private key in PPK format, which seems it does not work in OpenSSH (command-line ssh). The client will be asking for the passphrase, because of OpenSSH bug.
$ ssh -i mykey.ppk example.com
Enter passphrase for mykey.ppk:
You need to convert the key to OpenSSH format using PuTTYgen (command-line version):
puttygen mykey.ppk -o mykey.key -O private-openssh
Or in GUI version:
Open PuttyGen
Click Load
Load your private key
Go to Conversions->Export OpenSSH and export your private key
Copy your private key to ~/.ssh/id_rsa
Source: SO answer, Unix SE answer

Jenkins CLI authentication - Getting java.io.EOFException

I've checked several threads regarding CLI access:
Jenkins CLI Authentication
Using the jenkins CLI (on fedora 23)
Jenkins CLI connection refused
And unfortunately it's not my case.
I'm trying to run the following command:
java.exe -jar jenkins-cli.jar -i C:\Users\myuser\.ssh\id_rsa -s http://MasterJenkins:port/ list-jobs All
And I'm getting the following execption:
Exception in thread "main" java.io.EOFException
at java.io.DataInputStream.readBoolean(DataInputStream.java:244)
at hudson.cli.Connection.readBoolean(Connection.java:93)
at hudson.cli.CLI.authenticate(CLI.java:565)
at hudson.cli.CLI._main(CLI.java:476)
at hudson.cli.CLI.main(CLI.java:387)
Going to : http://MasterJenkins:port/me/configure I made sure that the "SSH Public Keys" section is the same key I have in my public key. I was a month abroad, before leaving it worked, now it doesn't and my team member swears nothing changed in the system.
Any ideas?
I had a similar issue last week with my own ssh private/public key.
I fixed it by
Generating a new public/private key combination using ssh-keygen
bash-4.1$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/users/xxxxx/.ssh/id_rsa): JenkinsCLI
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in JenkinsCLI.
Your public key has been saved in JenkinsCLI.pub.
The key fingerprint is:
f6:4c:be:fc:cb:cd:d3:ee:8c:80:26:a2:57:df:67:14 xxxxx#eeeee
The key's randomart image is:
+--[ RSA 2048]----+
Private file
Copy and paste the content of JenkinsCLI in your .private file
Public file
log into Jenkins>Click your Login id dropdown>Configure>SSH Public Keys
copy and paste the content of JenkinsCLI.pub file into SSH Public Keys text area
You should be able to authenticate.

Jenkins Publish over ssh authentification failed with private key

I can authenticate successfully with putty on the server with my private key and passphrase. But when I try to do it with jenkins publish over SSH plugin (using Test for configuration), I get the following error message:
jenkins.plugins.publish_over.BapPublisherException: Failed to connect session for config myconfig. Message [Auth fail]
I entered the same information as in putty:
Hostname : myhostname
Username : myusername
Remote Directory :
Use password authentication, or use a different key Passphrase / Password
Path to key : checked
Path to key : mypath
Passphrase : mypasssword
Key:
Port:22
Timeout(ms):300000
If you have any idea ...
Thanks for your help.
Looks like you're using keyfile authentication, so you'll get this error from Jenkins if you haven't set the permissions correctly on your .ssh folder and/or ~/.ssh/authorized_keys file.
the .ssh folder should have drwx------ permissions (read/write/execute owner only)
the authorized_keys file should have -rw------- permissions (read/write owner only)
To fix it:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
I ran into the same issue today and it turned out i was accidentally supplying the path to the public key instead of the private one.
So the "path to key" should be something like
.ssh/id_rsa
instead of
.ssh/id_rsa.pub
Because your linux login need password, the answer is :
1. Passphrase: your passphrase
2. path to key: your private key path
3. key : blank
4. Disable exec : un-check
SSH Servers
1. Name: remote_user#remotehost.com
2. hostname: remotehost.com
3. Username: remote_user
4. Remote Directory: empty
Advanced --
5. check the box "use passsword authentication, or use a different key"
`important`
6. Passphrase / Password: your linux login password`important`
7. path to key: blank
8. key:blank
9. port: 22
10. Timeout(ms): 300000
'Test Configuration'
success
Check that the public key is in the .ssh/authorized_keys file on the target server, even if the target server is the same as the jenkins server. I had what is probably the same problem, and it turned out that I needed this, even though ssh localhost worked fine.
(Addendum: also check that the jenkins server has the target server in its .ssh/known_hosts file, as that can affect this as well.)
I think as it says this is a authentication issue:
Use password authentication, or use a different key
Selecting this option will produce 3 more configuration boxes that mirror the options available for the Jenkins SSH Key.
Passphrase / Password
If either Path to key or Key are configured then this is the passphrase to use with the encrypted key.
If no key is configured then this is the password that will be used for password authentication.
Path to key
See description above.
Key
See description above.
Disable exec
This option will remove the ability to execute commands using this configuration.
LINK HERE
I am facing same issue , the following steps work for me:- ( i am using jenkins 1.57)
Go to http:///jenkins/manage
Configure System
Browse to Publish over SSH section
Passphrase: blank
path to key: blank
key : blank
Disable exec : un-check
SSH Servers
-- Name: remote_user#remotehost.com
-- hostname: remotehost.com
-- Username: remote_user
-- Remote Directory: empty
-- Advanced
-- check the box "use passsword authentication, or use a different key"
-- port: 22
-- Timeout(ms): 300000
-- 'Test Configuration'
success
Try restarting ssh of remote server
/etc/init.d/sshd restart
Don't do any ssh-keygen. Just enter the pem key details under key field,
Add SSH server details: Name, Hostname and Username as ec2-user.
Click test connection and it works.
Sometimes the SSH connection would fail, if the destination server doesnt have enough disk space to perform PUT operation
{ERROR: Exception when publishing, exception message [Failure]}
Make sure to verify the destination server has enough disk space.
In case of Linux, you can use 'df -kh /directoryname' to check the disk space
Just copy jenkins-user's id_rsa.pub to the end of ~/.ssh/authorized_keys on remote host.
I was having the same exact issue today and thought I would share what worked for me
Normally when I would SSH into my ec2 instance AWS likes the username to be
ubuntu#[ip address/url]
Jenkins likes it to be just the username so remove the rest
ubuntu
If you use RSA key, and see string like this in your private key:
-----BEGIN RSA PRIVATE KEY-----
***************************************
-----END RSA PRIVATE KEY-----
You need edit config file sshd on remote machine:
sudo vim /etc/ssh/sshd_config
add in this file stoke:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
I have the same problem,I am on windows, the solution:
open the openssh debug model, no can see the error detail, detail click
Stop the sshd service
Type 'sshd -d' in PowerShell
no if you connect again ,you can see the error detail, my error is
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
we can add PubkeyAcceptedKeyTypes=+ssh-rsa in server sshd_config file, detail click
now test success, if still has error like Failed to connect SFTP channel and debug is
debug1: subsystem: cannot stat sftp-server.exe: No such file or directory
this because the openssh no in windows system path. detail click

Jenkins Host key verification failed

I have a problem with jenkins, setting "git", shows the following error:
Failed to connect to repository : Command "git ls-remote -h https://person#bitbucket.org/person/projectmarket.git HEAD" returned status code 128:
stdout:
stderr: fatal: Authentication failed
I have tested with ssh:
git#bitbucket.org:person/projectmarket.git
This is error:
Failed to connect to repository : Command "git ls-remote -h git#bitbucket.org:person/projectmarket.git HEAD" returned status code 128:
stdout:
stderr: Host key verification failed.
fatal: The remote end hung up unexpectedly
I've also done these steps with "SSH key".
Login under Jenkins
sudo su jenkins
Copy your github key to Jenkins .ssh folder
cp ~/.ssh/id_rsa_github* /var/lib/jenkins/.ssh/
Rename the keys
mv id_rsa_github id_rsa
mv id_rsa_github.pub id_rsa.pub
but still not working git repository in jenkins.
thanks by help!.
Change to the jenkins user and run the command manually:
git ls-remote -h git#bitbucket.org:person/projectmarket.git HEAD
You will get the standard SSH warning when first connecting to a new host via SSH:
The authenticity of host 'bitbucket.org (207.223.240.181)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)?
Type yes and press Enter. The host key for bitbucket.org will now be added to the ~/.ssh/known_hosts file and you won't get this error in Jenkins anymore.
Jenkins is a service account, it doesn't have a shell by design. It is generally accepted that service accounts. shouldn't be able to log in interactively.
To resolve "Jenkins Host key verification failed", do the following steps. I have used mercurial with jenkins.
1)Execute following commands on terminal
$ sudo su -s /bin/bash jenkins
provide password
2)Generate public private key using the following command:
ssh-keygen
you can see output as ::
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
3)Press Enter --> Do not give any passphrase--> press enter
Key has been generated
4) go to --> cat /var/lib/jenkins/.ssh/id_rsa.pub
5) Copy key from id_rsa.pub
6)Exit from bash
7) ssh#yourrepository
8) vi .ssh/authorized_keys
9) Paste the key
10) exit
11)Manually login to mercurial server
Note: Pls do manually login otherwise jenkins will again give error "host verification failed"
12)once manually done, Now go to Jenkins and give build
Enjoy!!!
Good Luck
Or you can use:
ssh -oStrictHostKeyChecking=no host
This will be insecure (man in the middle attacks) but easiest solution.
The better way to do that is to generate correct mappings between host and ip address, so ssh will not complain:
#!/bin/bash
for domain in "github.com" "bitbucket.org"; do
sed -i "/$domain/d" ~/.ssh/known_hosts
line=$(ssh-keyscan $domain,`nslookup $domain | awk '/^Address: / { print $2 ; exit }'`)
echo $line >> ~/.ssh/known_hosts
done
Excerpt from gist.
I think, that many people didnt recognize, at least available since jenkins 2.361:
btw. No Verification is for sure not the best option.
Had same problem, i fix it like that :
reset permission on id_rsa* only for current user no group no other
chmod o-rwx ~/.ssh/id*
chmod G-rwx ~/.ssh/id*
ls -lart ~/.ssh/
-rw------- 1 jenkins nogroup 398 avril 3 09:34 id_rsa.pub
-rw------- 1 jenkins nogroup 1675 avril 3 09:34 id_rsa
And clear ~/.ssh/know_hosts
Now Connect as jenkins
sudo su jenkins
Try the jenkins commands
git ls-remote -h git#bitbucket.org:user/project.git HEAD
If no problem appears, now jenkins will be able to connect the repo (for me ^^ at least)
As for the workaround (e.g. Windows slave), define the following environment variable in global properties:
GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
Note: If you don't see the option, you probably need EnvInject plugin for it.
login as jenkins using: "sudo su -s /bin/bash jenkins"
git clone the desired repo which causes the key error
it will ask you to add the key by showing Yes/No (enter yes or y)
that's it!
you can now re-run the jenkins job.
I hope you this will fix your issue.
using https://bitbucket.org/YYYY/XX.git
you shoud delete username#
Make sure we are not editing any of the default sshd_config properties to skip the error
Host Verification Failed - Definitely a missing entry of hostname in known_hosts file
Login to the server where the process is failing and do the following:
Sudo to the user running the process
ssh-copy-id destinationuser#destinationhostname
It will prompt like this for the first time, say yes and it will also ask password for the first time:
The authenticity of host 'sample.org (205.214.640.91)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? *yes*
Password prompt ? give password
Now from the server where process is running, do ssh destinationuser#destinationhostname. It should login without a password.
Note: Do not change the default permissions of files in the user's .ssh directory, you will end up with different issues
I ran into this issue and it turned out the problem was that the jenkins service wasn't being run as the jenkins user. So running the commands as the jenkins user worked just fine.
Copy host keys from both bitbucket and github:
ssh root#deployserver 'echo "$(ssh-keyscan -t rsa,dsa bitbucket.org)" >> /root/.ssh/known_hosts'
ssh root#deployserver 'echo "$(ssh-keyscan -t rsa,dsa github.com)" >> /root/.ssh/known_hosts'
Best way you can just use your "git url" in 'https" URL format in the Jenkinsfile or wherever you want.
git url: 'https://github.com/jglick/simple-maven-project-with-tests.git'
SSH
If you are trying it with SSH, then the Host key Verification error can come due to several reasons.Follow these steps to overcome all the reasons.
Set the Environment variable as HOME and provide the address as the root directory of .ssh folder. e.g:- If your .ssh is kept inside Name folder.
C:/Users/Name.
Now make sure that the public SSH key is being provided in the repository link also. Either it is github or bitbucket or any other.
Open git bash. And try cloning the project from the repository. This will help in adding your repository URL in the known_host file, which is being auto created in the .ssh folder.
Now open jenkins and create a new job. Then click on configure.
provide the cloning URL in Source code management under Git. The URL should be start with git#github.com/......... or ssh://proje........
Under the Credential you need to add the username and password of your repository form which you are cloning the project. Select that credential.
And now apply and save the configuration.
Bingo! Start building the project. I hope now you will not get any Host Key verification error!
Try
ssh-keygen -R hostname
-R hostname Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts
Use ssh-keyscan should be much more easier:
ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
This command will put all required hosts to ~/.ssh/known_hosts. You will need to run this command inside your Jenkins machine. You can also create a job and put that command into the "Execute shell" section of the Configure of that job and then execute the job.
issue is with the /var/lib/jenkins/.ssh/known_hosts. It exists in the first case, but not in the second one. This means you are running either on different system or the second case is somehow jailed in chroot or by other means separated from the rest of the filesystem (this is a good idea for running random code from jenkins).
Next steps are finding out how are the chroots for this user created and modify the known hosts inside this chroot. Or just go other ways of ignoring known hosts, such as ssh-keyscan, StrictHostKeyChecking=no or so.
After ssh-keygen probably one only needs to copy the public key to remote host with:
ssh-copy-id -i ~/.ssh/mykey user#host
There is a safe and (relative easy) way to accomplish this, which should also work if you have separate worker nodes/clouds (like docker/kubernetes).
Adding host keys to Jenkins configuration
First go to a console and execute ssh-keyscan your_git_server.url
Copy the output of that command
Then navigate to https://YOUR_JENKINS_URL/manage/configureSecurity/
Scroll down to Git Host Key Verification Configuration
Paste the output of the command into the window. it should look like this:
Both bitbucket and github have pages about their keys and servers. Read them and ensure that you are adding the proper keys and not some random keys
Getting the ssh-keyscan via your Jenkins installation
If you for some reason do not have ssh-keyscan, you can go to the script console ( https://YOUR_JENKINS_URL/manage/script ) and paste in the following script:
def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'ssh-keyscan bitbucket.org'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "copy this to jenkins>\n$sout"
//println "err> $serr"

OpenShift Git Clone error

I am a newbie on OpenShift , I have a problem with it ,
When I do
rhc app git-clone mynewapp
Your public ssh key must be uploaded to the OpenShift server. Would you like us to upload it for you? (yes/no) yes
You can enter a name for your key, or leave it blank to use the default name. Using the same name as an existing key will overwrite
the old key.
Since you do not have any keys associated with your OpenShift account,
your new key will be uploaded as the 'default' key
type: ssh-rsa
content:
AAAAB3NzaC1yc2EAAAADAQABAAABAQCuA9kdmq5Pf5JLyHeMpWQ+XYaEzw8UWziUfXohMR8Dt9ZwkIb4WSHLzcGKKpclZvWOi2UZMQCOp8wCij5VS/ps8/3YPQVYyg+GHAAZIr
WsGDnJdpRF/shUnvoPx6XTzzLFHxBOS92LktjvX/T+xqftS6aVugD0cQ0vVkA6e5FwIjwo4JHoJGRFzgdaSbC5nDiHvDX7zhtnQXe1TeTK5nhjDj/uZPaj5h0hRv4Zx0EzfDYu
Uig0GCoFrWsJ9MTw5F7WEeOtPNtp2uFubuDCDpoBtBBDDmL642AY8r9IV4REGSfUDzV+M0Ab33ubRYKmp+ok6MtBrlTKg94PaVvuf2V5
fingerprint: eb:41:87:1b:e8:4e:ec:c0:8d:c8:c6:5e:a2:6a:ad:b4
Uploading key 'default' from /home/toriq/.ssh/id_rsa.pub
Cloning into 'myapp'...
done
Suddenly an error appear:
Error in git clone - Agent admitted failure to sign using the key.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: The remote end hung up unexpectedly
Any solution for this ?
It could be similar to this GitHub help page:
For most users, simply running ssh-add to load your keys into the SSH agent will fix this issue.
$ ssh-add
# Enter passphrase for /home/you/.ssh/id_rsa: [tippy tap]
# Identity added: /home/you/.ssh/id_rsa (/home/you/.ssh/id_rsa)
If your key does not have the default filename, you'll have to pass the path to ssh-add:
$ ssh-add ~/.ssh/my_other_key
# Enter passphrase for /home/you/.ssh/my_other_key: [tappity tap tap]
# Identity added: /home/you/.ssh/my_other_key (/home/you/.ssh/my_other_key)
You can install rhc openshift client tools
Then run setup which will then upload your ssh keys.
rhc setup

Resources