Multibranch Pipeline - GIT - SSH authentication


Samuel Mutel

Oct 24, 2017, 10:48:10 AM
to Jenkins Users
Hello,

I set up a multibranch pipeline job in Jenkins.

In branch sources, I used GIT.

With this job, for GIT authentication I tried to use credentials stored in Jenkins:
  - SSH private key stored in the master
  - Login/Password

Unfortunately it does not work ...

ERROR: [Tue Oct 24 16:15:13 CEST 2017] Could not update folder level actions from source 61faff97-9161-4212-87c4-399a6b858ae0
hudson.plugins.git.GitException: Command "git ls-remote git@XXXXX:XXXXXX.git" returned status code 128:
stdout: 
stderr: 
Permission denied, please try again.
Permission denied, please try again.
Received disconnect from XX.XX.XX.XX port 22:2: Too many authentication failures
Authentication failed.
fatal: Could not read from remote repository.

Thanks


Robert Hales

Oct 24, 2017, 10:52:57 AM
to Jenkins Users
I use both these methods on jobs. Usually I use the Login/Password on https urls. But it definitely works. Not sure how I can give you more information to help in your situation. It just seems to be bad ID or PW/ssh key. 

Mark Waite

Oct 24, 2017, 10:59:26 AM
to jenkins...@googlegroups.com
Username / password is supported only with http/https protocol.  If you're using ssh protocol, you'll need to use a private key.

Private key is supported only with ssh protocol.  If you're using http or https protocol, you'll need to use username / password.

The message "too many authentication failures" may hint that the target system has "locked you out".

Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/8474205d-69d5-458c-9908-1356bbdbf7da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Samuel Mutel

Oct 24, 2017, 12:55:18 PM
to Jenkins Users
I tried with the private key in /var/lib/jenkins/.ssh/id_rsa and without authentication in the job => it works fine.
I tried with the private key in /var/lib/jenkins/.ssh/id_jenkins, set up the path to this private key in the credentials + job config and it does not work.
Where do you specify SSH or http/https?

Samuel Mutel

Oct 25, 2017, 3:56:31 AM
to Jenkins Users

Here is my multibranch config:


Here is my credential config:


Started
[Wed Oct 25 09:47:52 CEST 2017] Starting branch indexing...
 > git --version # timeout=10
 > git ls-remote ssh://git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git # timeout=10
ERROR: [Wed Oct 25 09:48:00 CEST 2017] Could not update folder level actions from source f1c31476-efde-455c-983b-1a3c120cf9a0
hudson.plugins.git.GitException: Command "git ls-remote ssh://git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git" returned status code 128:
stdout: 
stderr: 
Permission denied, please try again.
Permission denied, please try again.
Received disconnect from 10.121.1.11 port 22:2: Too many authentication failures

Mark Waite

Oct 25, 2017, 6:10:12 AM
to Jenkins Users
Those settings seem reasonable to me.  I don't see anything in that which should be any problem.  If you insert the content of that file in the "enter directly" selection, does it behave any differently?  I generally use "enter directly" myself, though I know of no reason why the other techniques would not work equally as well.

I assume the private key in that file does not require a passphrase, since there isn't one in the passphrase field.

Mark Waite

Samuel Mutel

Oct 25, 2017, 6:45:27 AM
to Jenkins Users
I also tried to "enter directly" the private key but it does not work.
Something curious ... When I parse the log file of the SSH server located on the GITLAB server, I see error messages related to a connection with login/password and not related to a connection with ssh key.
It means that the job is not using the ssh key at all.
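
The server-side check described in the message above, as an added example that is not part of the original thread: it groups sshd authentication events per connection and reports which method the client actually tried. The log lines are constructed in OpenSSH's usual wording, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sshd log lines (OpenSSH wording); host, PIDs, IPs and ports are made up.
SAMPLE_LOG = """\
Oct 25 09:47:55 gitlab sshd[4121]: Failed password for git from 10.0.0.5 port 51234 ssh2
Oct 25 09:47:57 gitlab sshd[4121]: Failed password for git from 10.0.0.5 port 51234 ssh2
Oct 25 09:47:59 gitlab sshd[4121]: error: maximum authentication attempts exceeded for git from 10.0.0.5 port 51234 ssh2 [preauth]
Oct 25 09:48:00 gitlab sshd[4121]: Disconnecting authenticating user git 10.0.0.5 port 51234: Too many authentication failures [preauth]
Oct 26 09:38:04 gitlab sshd[5310]: Accepted publickey for git from 10.0.0.5 port 51980 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT
"""

AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LIMIT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: .*(?:Too many authentication failures"
    r"|maximum authentication attempts exceeded)"
)

def summarize(log_text):
    """Group auth events by sshd PID (one PID per connection in this sample)."""
    sessions = {}
    for line in log_text.splitlines():
        auth, limit = AUTH_RE.search(line), LIMIT_RE.search(line)
        if not (auth or limit):
            continue
        s = sessions.setdefault((auth or limit)["pid"], {
            "user": None, "ip": None, "failed": Counter(),
            "accepted": None, "hit_limit": False})
        if auth:
            s["user"], s["ip"] = auth["user"], auth["ip"]
            if auth["result"] == "Accepted":
                s["accepted"] = auth["method"]
            else:
                s["failed"][auth["method"]] += 1
        else:
            s["hit_limit"] = True
    return sessions

def diagnose(s):
    """Turn one session summary into a short finding."""
    if s["accepted"]:
        return f"authenticated with {s['accepted']}"
    if s["failed"]["password"] and not s["failed"]["publickey"]:
        # sshd may log rejected keys only at LogLevel VERBOSE, so confirm there.
        return "only password attempts logged; key credential probably not used"
    if s["failed"]["publickey"]:
        return "key offered but rejected; check authorized keys and username"
    return "no authentication attempts logged"
```

Running `diagnose` over each entry of `summarize(SAMPLE_LOG)` separates the connection that only tried passwords and hit the attempt limit from the one that authenticated with a key.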

Mark Waite

Oct 25, 2017, 7:00:03 AM
to jenkins...@googlegroups.com
You may need to look more carefully at the configuration of the multibranch pipeline job.  If it is using a username/password credential, then either the credential named "jenkins" in your configuration is not a private key (which it seems to be to me) or there is a location in the job which defines an https URL to the repository.


Stephen Connolly

Oct 25, 2017, 7:57:44 AM
to jenkins...@googlegroups.com
If it was a github server, you would need the username in the credentials to be `git` and not `jenkins` because GitHub only accepts SSH connections with the username `git`. I wonder if something similar is happening with gitlab?


Samuel Mutel

Oct 26, 2017, 3:44:13 AM
to Jenkins Users
Hello,

I think I found the explanation of my issue. I set up the private key directly in the jenkins home and it works fine.
All my projects are private in GITLAB and the module Multibranch Pipeline is not using the private key set up inside the job for the branch indexing.
The module uses the private key afterwards. We can see this in the log below (using GIT_SSH to set credentials toto).
Now the question is: could we set up a private project in GITLAB but authorize the branch indexing to public ... ?

Started by user Mutel, Samuel
[Thu Oct 26 09:38:03 CEST 2017] Starting branch indexing...
 > git --version # timeout=10
 > git ls-remote ssh://g...@git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git # timeout=10
 > git rev-parse --is-inside-work-tree # timeout=10
Setting origin to ssh://g...@git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git
 > git config remote.origin.url ssh://g...@git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git # timeout=10
Fetching & pruning origin...
Fetching upstream changes from origin
 > git --version # timeout=10
using GIT_SSH to set credentials toto
 > git fetch --tags --progress origin +refs/heads/*:refs/remotes/origin/* --prune
Listing remote references...
 > git config --get remote.origin.url # timeout=10
using GIT_SSH to set credentials toto
 > git ls-remote -h ssh://g...@git.xit.rxcorp.com/CIO/schedular/schedular-frontend.git # timeout=10
Checking branches...
  Checking branch master
      ‘Jenkinsfile-test’ found
    Met criteria
No changes detected: master (still at 055c9f366de388694ac5d9970da8208b8d8ea935)
Processed 1 branches
[Thu Oct 26 09:38:08 CEST 2017] Finished branch indexing. Indexing took 5 sec
Finished: SUCCESS

Stephen Connolly

Oct 26, 2017, 4:16:07 AM
to jenkins...@googlegroups.com
On 26 October 2017 at 00:44, Samuel Mutel <samuel...@gmail.com> wrote:
> Hello,
>
> I think I found the explanation of my issue. I set up the private key directly in the jenkins home and it works fine.
> All my projects are private in GITLAB and the module Multibranch Pipeline is not using the private key set up inside the job for the branch indexing.
> The module uses the private key afterwards. We can see this in the log below (using GIT_SSH to set credentials toto).
> Now the question is: could we set up a private project in GITLAB but authorize the branch indexing to public ... ?

Indexing requires read access to the repository... so that it can, you know, see what branches have a Jenkinsfile

If you can figure out a way to keep a repository private but allow public read access then you are a smarter person than me
 


Samuel Mutel

Oct 26, 2017, 5:34:01 AM
to Jenkins Users
> Indexing requires read access to the repository... so that it can, you know, see what branches have a Jenkinsfile
=> OK, but why does the module not use the SSH key for that operation? Is it a bug?

Stephen Connolly

Oct 26, 2017, 8:52:30 AM
to jenkins...@googlegroups.com
On 26 October 2017 at 10:34, Samuel Mutel <samuel...@gmail.com> wrote:
> > Indexing requires read access to the repository... so that it can, you know, see what branches have a Jenkinsfile
> => OK, but why does the module not use the SSH key for that operation? Is it a bug?

Are you using Jenkins Git Plugin 3.6.1 or 3.6.2? If so, yes it's JENKINS-47629 and I have a PR to fix... if not, we'll need more details 


Samuel Mutel

Oct 30, 2017, 4:36:58 AM
to Jenkins Users
It works now with Git Plugin 3.6.3. Thanks.