What i am trying seems quite simple, but i cant really get my head wrapped around what i need to do:
Inside a job, i have a build-step that executes shell-commands. This shell command tries using the Jenkins CLI.
So basically it says "java -jar theCliFile -s jenkinsURL / command
So inside of a job, i am trying to make a SSH connection to the jenkins-server itself.
This fails, console output says that "[WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
You must authenticate to access this Jenkins.".
I could provide a username and password as clear text inside of the shell, but i would like to avoid that.
What do i need to setup in order to allow an automatic authentication? I don't understand who needs what kind of keys.
The Jenkins CLI Wiki says to configured a /me/configure user. I just don't see how this makes sense. I guess this was meant to be for use cases where someone tries to build a SSH connection from a remote machine, not from the Jenkins itself, as in my case.
Actually, i solved it myself:
I had both a private and public key on the Jenkins-Server (incase you don't have those, just generate them on the server machine that the Jenkins runs on (there are tons of tutorials on how to do so out there)).
To allow what i was trying in my question, i had to take the public key and enter it in some user existing for the jenkins-application.
As far as i understand, entering the Jenkins Servers public key in any user will make the SSH request authenticate as this user and thus the shell will have the rights of said user.
Related
I wanted to know if you can help me with this problem, I am currently using Newman to load a collection of test cases that I made in Postman, I am trying to run a JOB in Jenkins, when I run the command:
newman run collection.json -e sendoment.json
It works, the collection runs in Jenkins but it shows me this error:
connect ECONNREFUSED 127.0.0.1:8095
I know that I have to pass the ssh code to it so that it recognizes the port and gives me access, but I don't know what commands to use to send it.
I currently have an id_rsa.pub that I use to perform this action locally.
My question is, how can I send this file or how can I make sure the ports will be there? I do not have privileges to enter the Managment, so I cannot add the variable as a plugin, I have seen this in other blogs either here or in Postman.
It is just a collection in json format with various calls to various EndPoints, where the states they have are validated.
To solve this action I had to create a method that would allow me to log in to the virtual machine that I have in Jenkins, since, when performing the action, this port is blocked. 2 Cookies are sent to perform the Log In action.
I have seen similar questions, but nothing helped.
Like here:
SSH login with no authentication
SSH session without ANY authentication
My problem is as the question states. I want to setup ssh to work without any password prompt or any keys. Means, doing
ssh computer#IP_address
should give me access to the remote machine.
Question ends here^^^^^^^^^^^. Details of what I'm trying to achieve:
I have a docker image of Ubuntu in which I'm trying to install ssh. This has 2 reasons: easy file transfer using scp and the other is, that I sometimes, by mistake I close docker without committing and end up losing all my progress/data. So I want to make it such that I run the docker container in the background and only access it using ssh. Also, I am working in a team and I'll need to some other outside people(who download my docker image) to be able to work with it easily as well, which is why I want it to be ssh-accessible without a login.
You should look at setting PermitEmptyPasswords to yes in your sshd_config file and restard sshd service.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ''no''.
I am trying to generate a ssh key for a user entered email id using rails.
In the action, I'm running all the commands needed to do the process using system() call.
Locally on Ubuntu 14.04, everything seems to work fine. But on Ubuntu Server 14.04 on AWS, the key is generated successfully but it fails on ssh-add.
The problem:
On my local system, ssh-agent is up and running all the time, but on the server it never starts automatically for each shell session. Which is the reason why ssh-add fails on server.
For that, I added some code in server's .bash_profile file which would start the ssh-agent on every session. Now, the ssh-agent runs on every time I set up a session with the server via ssh, but it won't run for th ruby's system() call.
I was doing:
system('ssh-add id_rsa')
which said Could not open a connection to your authentication agent
. So, next thing I did was this:
system('eval "$(ssh-agent -s)" & ssh-add id_rsa')
But still not able to resolve the problem.
I don't know why locally I didn't need to start the ssh-agent manually and all of the code ran without any problem. And how can I make ssh-agent work as it is working on my local system.
I want to be able to add the newly generated ssh key using ssh-add some-key and make it persistent so that I don't have to add that again later if I reboot the server. I am doing all this in a rails method which is issuing all the commands using system() calls.
Help would be very appreciated. Thanks.
I want to clone and pull code from a person's git repository, that may be private in which case I am generating a pair of ssh keys and adding the public key to the person's github account using the API.
It's like the server will be accessing 5-10 people's private github repositories by creating ssh keys for all of them and adding the public keys into their account. Example: http://gist.github.com/jexchan/2351996
To access remote repository using git you don't need ssh-agent. Specifying the keys in the ssh_config such as
Host github.com-user1
HostName github.com
IdentityFile ~/.ssh/id_rsa_user1
and then cloning using:
git clone git#github.com-user1:user1/whatever.git whatever
works the same way. But make sure the config file is accessible.
Also using ssh-agent does not scale, since the agent is offering all the keys that he has, regardless the user (in the linked example). If you grow up over ~5 repositories, you would start seeing authentication failures.
I have one windows service which will use plink.exe for SSH connection and I found that Plink cannot find the running Pageant.
Here is the steps I have done so far.
Install Windows service to run as particular user
Before starting Windows service, I log in as that user and start Pageant with PuTTY generated key.
Then I start the Windows service (but I can't manage to make it work since Plink cannot find Pageant and server reply as No supported authentication methods available.)
Note: If I run Windows service as console application with that user, everything is working fine.
PLink will be run in Service session (Session\0) while pageant runs in user session (Session\1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and objects are created without prefix, i.e. they become session-only (not global). You would need to build custom version of plink to solve the problem.
Pageant explicitly allows feeding keys to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session only. This is obviously for security reasons, not to allow a different user on the same machine hijack private keys loaded by another users. And even for convenience (ironically), so that you do not inadvertently use keys of a different user (leading possibly to having your account locked due to invalid login attempts).
Also note that the Pageant is not intended for an automation anyway. For the automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity
Such private key have to be unencrypted. Note that this imposes security risk, if someone gains access to the key. You should consider restricting an access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
As #Eugene point out, it is Session 0 Isolation.
I managed to solve the issue by not using agent but directly passed the private key and password to plink.exe. By doing that, I'm able to run without using pageant.
To start plink.exe without agent;
plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 user#host.com
I have an Ant build that will sometimes execute a 'git push' within a directory on my server. I can do this fine interactively because it asks for the passphrase for my key, but this becomes problematic if you set up a cron job to run the build unattended.
Are there options for me beyond not using a passphrase? I've heard of using ssh-agent, but I've also heard for unattended processes that route won't work. Does anyone have any recommendations for this, and perhaps an example of how to implement it?
I saw that someone suggested to run the cron as a daemon here:
Accessing SSH key from bash script running via a cron job -- but I'm not sure how I could do that or put in my passphrase without compromising it by putting it in plain text, etc.
Any help greatly appreciated.
First, set yourself up for password-less login.
Use ssh-keygen to generate a public/private key pair with no password. Append the public key to ~/.ssh/authorized_keys on the server.
Then run ssh -i /path/to/private_key server to confirm that the password-less login is working.
Finally, configure git to use that ssh -i ... command.
As #mah suggests, you might want to create a specific git account on the server. You add the public key to ~git/.ssh/authorized_keys to enable the password-less login.
authorized_keys also has options to restrict what commands the incoming connection can run. If you are interested in those features, read the SSH documentation.
And of course, you want to keep the private key file readable only by you.
I would solve this by creating a restricted account on the git server and have the ant client use a keyless cert to that restricted account.