Is it possible for the Jenkins "Execute shell" to execute SSH commands?
Jenkins has a number of pre and post build options which cater specifically for SSH type commands; however, I have a single script which does both build and then SCP and SSH commands. Is Jenkins forcing users to break up build scripts into multiple steps?
The "Execute Shell" is the one I'm trying to execute my SSH commands from; however, I've had no success.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug1: Trying private key: /var/lib/jenkins/.ssh/id_rsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
SSH Access not available for build engine
As long as you use a publickey, you'll be able to send commands via ssh and copy files via scp. We use this to spawn some specific processes and publish certain artifacts that can't be pushed via existing commands for various reasons.
It's necessary to be careful which keys you are using and what users you are addressing on the remote server. Often, we use explicit -i arguments in ssh and we always use explicit user names to make sure that everything goes as expected.
ssh -i <key_path> <user>@<fqdn_host> <command>
If you do this in your script, you should be fine. Of course, the key file will have to be readable by your Jenkins process and you will need to make sure that the key is installed on both sides.
I would also strongly suggest using ssh's built-in policy controls to control:
Which hosts can use this key
What commands can be used by this key
In particular, you can use settings in the ~/.ssh/authorized_keys on the host that is the target of the ssh/scp command to limit the hosts that can attach (host=) and even pre-load the command so that particular key always executes just one particular command (command=).
For the truly adventurous, you can specify a command= and send the commands to a restricted shell command which limits either the directory access or command access.
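A sketch of the key restrictions described in this answer, as an added example that is not part of the original post: in OpenSSH's authorized_keys format the source-host restriction is written from="pattern-list", and command= pins the key to one script, which can then allow-list what the client requested. The host name, script paths and action names below are hypothetical.

```shell
#!/bin/sh
# Added example: forced-command gate for a CI key (all paths and names are hypothetical).
# Entry in ~/.ssh/authorized_keys on the target host, as one single line:
#   from="ci.example.internal",command="/usr/local/bin/ci-gate.sh",restrict ssh-ed25519 <public-key-blob> jenkins@ci
# "restrict" (OpenSSH 7.2+) turns off PTY allocation and port, agent and X11 forwarding.
# sshd always runs the command= script and passes what the client asked for
# in SSH_ORIGINAL_COMMAND.

# Map a requested command line to a fixed command; a non-zero return means reject.
ci_gate_decide() {
    req=$1
    case $req in
        deploy-status)
            echo "/usr/local/bin/deploy-status" ;;
        restart-app)
            echo "/usr/local/bin/restart-app" ;;
        "publish "*)
            build=${req#publish }
            case $build in
                ""|*[!0-9]*) return 1 ;;    # build id must be digits only
            esac
            echo "/usr/local/bin/publish-build $build" ;;
        *)
            return 1 ;;                      # everything else, including an empty request
    esac
}

ci_gate_main() {
    cmd=$(ci_gate_decide "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t ci-gate "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null
        echo "ci-gate: command not permitted" >&2
        exit 1
    }
    # Word splitting is intended: $cmd holds only a fixed path plus validated digits.
    exec $cmd
}

# sshd sets SSH_CONNECTION for every session, so the gate only acts when run by sshd.
if [ -n "${SSH_CONNECTION:-}" ]; then
    ci_gate_main
fi
```

With this in place the Jenkins step runs, for example, ssh -i <key_path> <user>@<fqdn_host> publish 1042, and anything outside the three allow-listed requests is refused and logged.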
Instead of explicitly executing ssh command from an "Execute shell" step, you could use one of existing Jenkins add-ons:
Publish Over SSH Plugin - execute SSH commands or transfer files over SCP/SFTP.
SSH plugin - execute SSH commands.
I want to use SSH to automatically push my private Gitlab project to GitHub.com.
I configured an ssh key with GitHub.com, and executed git clone git@github.com:my-project.git successfully.
sudo ssh -vT git@github.com is ok
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([20.205.243.166]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi muxianliangqin! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3572, received 2912 bytes, in 0.6 seconds
Bytes per second: sent 6123.4, received 4992.0
debug1: Exit status 1
But using GitLab -> Mirroring repositories, the push failed.
Here are some of my Settings:
Git repository URL=ssh://git@github.com/username/project.git
Mirror direction=push
detect host keys
Authentication method=SSH public key
error:
13:get remote references: create git ls-remote: exit status 128, stderr: "git@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n".
What's my problem?
These are my settings on GitHub.
These are my settings on GitLab.
The GitLab Mirroring documentation includes:
SSH authentication is mutual:
You must prove to the server that you’re allowed to access the repository.
The server must also prove to you that it’s who it claims to be.
If you’re mirroring over SSH (using an ssh:// URL), you can authenticate using:
Password-based authentication, just as over HTTPS.
Public key authentication. This method is often more secure than password authentication, especially when the other repository supports deploy keys
So double-check those settings.
My problem is the following. I wish to configure the .ssh/config as such, that when I write
ssh exampleX
It is the same as if I wrote
ssh -i /path/to/key.pem user@address
Note that the above command works.
Following the answers here I tried to create the file as
Host exampleX
HostName address
User user
IdentityFile /path/to/key.pem
Taken from
ssh -i /path/to/key.pem user@address
Yet when I run
ssh exampleX
I get the error
ssh: Could not resolve hostname exampleX: Name or service not known
But if I manually run the command
ssh -i /path/to/key.pem user@address
everything works. Where am I making the mistake in creating the file?
Edit
If I run
sudo ssh exampleX -v
I get the output
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
ssh: Could not resolve hostname exampleX: Name or service not known
but if I run it without sudo I get a longer stream, that ends with
debug1: Authentications that can continue: publickey
debug1: Trying private key: /path/to/key.pem
Load key "/path/to/key.pem": Permission denied
debug1: No more authentication methods to try.
Permission denied (publickey).
Edit 2
Due to some confusion, I restate my question
What does the config file have to look like, so that running
ssh exampleX
will work the same as running
ssh -i /path/to/key.pem user@address
When you run your command through sudo, you are using the .ssh/config file that corresponds to the user that sudo runs as. If you really need to run this ssh command as root, you need the configuration added to ~root/.ssh/config instead of ~/.ssh/config.
If possible, run your ssh as a normal user, not as root.
(Since the question was edited, I edited my answer accordingly)
Check the permissions of the file ~/.ssh/config: it must have strict permissions: read/write for the user, and not accessible by others, as explained in the man page.
Check also you have read access (as a user) to the file /path/to/key.pem. The debug option you used with ssh suggests you don't have.
I'm trying to run the following scenario, using TCL script -
Scenario -
Host A runs the TCL script. Host A script connects to Host B through ssh. Then the script invokes an scp file transfer from Host C (server) to Host B (client).
Problem -
The script doesn't actually implement a timeout scenario. However, scp fails with no error message exactly after 10 seconds (probably timeout). If done manually, i.e. logging in to Host B from Host A, and then scp from Host C to Host B, there is no timeout observed, and the file transfer is successful.
Implemented the ssh connection from tcl script using "expect" package.
What could be the reason? Kindly suggest some solutions.
Thank You.
Did you set
RSAAuthentication yes
on Host C, add the public key of Host B's user to Host C's user authorized_keys file?
See https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2 for more details.
Simple test:
Try to run the scp manually (or try ssh): It shouldn't ask you for a password. Running ssh -v from Host B to Host C should include the following lines:
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xyz/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 1047
debug1: Authentication succeeded (publickey).
I am trying to ssh login to my remote server. But whenever I try to login through terminal using ssh command:
ssh root@{ip_address}
I get error:
Connection closed by {ip_address}
I checked hosts deny and hosts allow, there is nothing in the file. I am not getting why it is happening.
It happened when I changed my workstation and the key got changed. When I tried ssh login, it asked to add the key and I entered yes and then it closed the connection.
Is there any way to get connected with ssh again?
Your help is appreciated.
Thank you.
Edit:
Output of ssh -v -v -v -v root@{ip_address} is
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to {ip_address} [{ip_address}] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/mona/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/mona/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/mona/.ssh/id_rsa-cert type -1
debug1: identity file /home/mona/.ssh/id_dsa type -1
debug1: identity file /home/mona/.ssh/id_dsa-cert type -1
debug1: identity file /home/mona/.ssh/id_ecdsa type -1
debug1: identity file /home/mona/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "{ip_address}" from file "/home/mona/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 151.236.220.15
Had the same issue but a simple remote server reboot helped.
Are you sure your server is permitting root logins via SSH?
If not, I suggest using a different account with sudo privileges instead of enabling root login - especially if the server's SSH port is accessible from the whole internet.
try sudo ssh root@{ip_address}, it works for me.
I tried to connect with a user, which had :/bin/false in /etc/passwd. After changing it to :/bin/bash the connection was not closed anymore.
I had a similar issue that was resolved by lowering the MTU on the client side with the following command:
ip li set mtu 1400 dev eth0
I found this solution from a separate thread on serverfault.
I was getting the same "Connection closed by {ip_address}" error on one of my SSH connections. I tried all the usual solutions and nothing worked. Finally I found that the ~/.ssh/authorized_keys file on the host was corrupted. Someone had tried to append a key to the file, but they copied and pasted it with embedded line feeds where each line wrapped at the end. So what should have been one continuous string spanning three lines was actually three separate strings -- one per line. Since the embedded line feed was exactly at the end of the line, it was not apparent from looking at it.
I deleted the offending key and added my own. Then everything worked as expected.
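The corruption described in this answer can be detected mechanically. The following check is an added example, not part of the original post: it flags any authorized_keys line that lacks a key type followed by a whole base64 blob, which is what a wrapped key leaves behind. The sample file contents are constructed and are not real keys.

```shell
#!/bin/sh
# Added example: find wrapped or truncated entries in an authorized_keys file.
# Each entry must sit on one line: [options] <key-type> <base64-blob> [comment]

check_authorized_keys() {
    awk '
        BEGIN {
            type = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh[.]com)$"
            blob = "^[A-Za-z0-9+/]+=*$"
        }
        /^[ \t]*#/ { next }     # comment line
        /^[ \t]*$/ { next }     # blank line
        {
            ok = 0
            # A valid entry has a key type directly followed by a base64 blob
            # whose length is a multiple of four (padded base64).
            for (i = 1; i < NF; i++)
                if ($i ~ type && $(i + 1) ~ blob && length($(i + 1)) % 4 == 0)
                    ok = 1
            if (!ok) { printf "line %d: no complete key (wrapped or truncated?)\n", NR; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: line 2 is a well-formed entry, lines 3-5 are one key
# that was pasted with hard line breaks.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB ci@build
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
C7examplefragment
Zm9v== admin@ws
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_authorized_keys "$sample" || echo "entries above need to be re-added as single lines"
rm -f "$sample"
```

A well-formed first fragment can still pass if the break happens to fall on a four-character boundary, so the continuation lines are the reliable signal.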
I temporarily disabled my antivirus firewall and this maybe helped a bit.
Now it suddenly says Shell access is not enabled on yr account! Connection closed.
So I logged into my WHM server.domain_name:2087 and clicked on Modify domain and enabled Shell Access for the website.
(Or ask your host provider to enable SSH for you if you do not have a WHM server)
Login success, it now says:
Last login: 03:37 from . [user@whm_domain_name ~]$
I myself had the same problems while working with cloud9 editor. Mine was caused by high CPU usage. It would get fine after stopping apache connection.
Check the name being used to connect to the ftp site, it's either wrong or multiple names are being sent for authentication.
This is what I tried to do ten times today without success:
make a key with ssh-keygen.
open ~/.ssh/id_rsa.pub with Gedit or Notepad++ and copy the contents.
Go to account settings on github.com
Go to SSH Keys
Click on the Add Key button.
give the key a title
paste the key into the key box.
Save the key (enter my github password to verify).
Then, I run '$ ssh -vT git@github.com' in cygwin, but it always hangs there. Here is the output:
$ ssh -vT git@github.com
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/eason.wu/.ssh/config
debug1: /home/eason.wu/.ssh/config line 1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to github.com [207.97.227.239] port 22.
debug1: Connection established.
debug1: identity file /home/eason.wu/.ssh/id_rsa type 1
debug1: identity file /home/eason.wu/.ssh/id_rsa-cert type -1
Has anyone met this problem? Any solution will be appreciated.
Make sure you did copy the public key as one line, because a copy from an editor can sometimes buffer the content of that key as several lines.
If you still have an issue, check other SSH debug tips at "Unable to Git-push master to Github".
A ssh -vvvT git@github.com can display more debug information.
The OP Eason Wu comments:
I found the real reason of this problem, it is caused by my network.
Some websites are prohibited by my company, I would think it also affects GitHub service.
After I turn on a VPN connection, and retest again with ssh -vvvT git@github.com, it passed successfully.
For anyone coming here recently looking for a solution, this was happening to me too, however in the debug (as per above instruction) the connection to GitHub never established.
My output looked like:
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b 26 Feb 2019
debug1: Reading configuration data /home/preston/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "github.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to github.com [2607:7700:0:1a:0:1:c01e:ff70] port 22.
I noticed the IPv6 address in the last line and thought that might be the issue. So I sourced an article on changing it to use an IPv4 address in the global ssh settings.
Changing to IPv4 worked.
Source: https://stackoverflow.com/a/35113901/3818056
For me, the issue was the router I was connected to was using WPA, not WPA2/3. Once I changed to a network that didn't have this issue my repo was instantly cloned with ssh.
I solved this by adding GitHub "github.com" in the whitelist of my router. You can also overcome this by VPN however it will require another set of steps to find a VPN and setup.