Pipeline: Transfer files via SSH

Sverre Moe

Jun 2, 2016, 10:10:16 AM
to Jenkins Users
I need to transfer some files to a server. 
Have followed the suggestion mentioned in https://issues.jenkins-ci.org/browse/JENKINS-27963
Tried sshagent with both scp and rsync. Neither works.

I have created a Credential for this server in Jenkins.

Using rsync
sshagent(['repository']) {
    sh "rsync -av *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms/"
}

[ssh-agent] Using credentials build (repohost)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[master] Running shell script
+ rsync -av *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(641) [sender=3.0.4]


Using scp
sshagent(['repository']) {
    sh "scp *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms/"
}

[ssh-agent] Using credentials build (repohost)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[master] Running shell script
+ scp *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms/
Host key verification failed.
lost connection

Problem because of this:
The authenticity of host 'server.company.com (192.24.17.73)' can't be established.
ECDSA key fingerprint is 00:00:00:00:00:00:00:bc:cc:51:3f:39:f8:06:df:18 [MD5].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server.company.com' (ECDSA) to the list of known hosts.

Fixed this first "manually" and continued.

Using rsync
[ssh-agent] Using credentials build (repohost)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[master] Running shell script
+ rsync -av *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms/
Permission denied (publickey,keyboard-interactive).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(641) [sender=3.0.4]

Using scp
[ssh-agent] Using credentials build (repohost)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[master] Running shell script
+ scp *.rpm ro...@server.company.com:/srv/www/htdocs/staging_rpms/
Permission denied (publickey,keyboard-interactive).
lost connection

Baptiste Mathus

Jun 4, 2016, 9:15:48 AM
to jenkins...@googlegroups.com

Did you try passing the host key checking ssh parameter to "no"?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fb3f547a-32ad-49b0-a012-9dfa69f91a35%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sverre Moe

Jun 6, 2016, 3:06:59 AM
to Jenkins Users, m...@batmat.net
Using the following with ssh I can disable host key verification
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@server.company.com
also 
scp  -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no *.rpm root@server.company.com:/tmp

Warning: Permanently added 'server.company.com,145.235.17.27' (ECDSA) to the list of known hosts
But it does not actually add it to known_hosts, which is actually a good thing. Ignoring host key verification does have consequences.


However my next problem still remains. Getting Permission denied (publickey,keyboard-interactive)
How does it use the credentials private key from Jenkins in the ssh/scp/rsync command?
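
Added example, not part of the thread: instead of turning host key checking off, a pipeline can compare a scanned host key line (for example one line of ssh-keyscan output) against a fingerprint obtained out of band, and only then write it to known_hosts. The key and pin below are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, the framing used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def fingerprints(blob: bytes) -> dict:
    """MD5 colon-hex (the style shown in the thread) and SHA256 fingerprints."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}

def parse_host_key_line(line: str):
    """Split 'hosts keytype base64' and check the blob names the same key type."""
    hosts, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return hosts.split(","), blob

def host_key_matches(line: str, host: str, pinned: str) -> bool:
    """True only if the line is for `host` and its key hashes to the pinned value."""
    hosts, blob = parse_host_key_line(line)
    if host not in hosts:
        return False
    return any(hmac.compare_digest(fp, pinned)
               for fp in fingerprints(blob).values())

# Constructed sample: a made-up ed25519 key for the thread's placeholder host.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("server.company.com ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode())
# Assumption: in real use the pin comes from the server's administrator,
# not from the scanned key itself as in this self-contained demo.
PINNED = fingerprints(SAMPLE_BLOB)["SHA256"]

if __name__ == "__main__":
    print(fingerprints(SAMPLE_BLOB))
    print("accept:", host_key_matches(SAMPLE_LINE, "server.company.com", PINNED))
```

Once a line passes the check it can be written to a dedicated known_hosts file and used with -o UserKnownHostsFile=<that file> -o StrictHostKeyChecking=yes.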

Sverre Moe

Jun 6, 2016, 7:50:36 AM
to Jenkins Users, m...@batmat.net
I could perhaps circumvent this problem by adding the build user's public key from each slave node to authorized_keys on the server. Then I would not need to use the credentials on Jenkins. However I see that only as a fallback option. Best approach would be to use authentication from Jenkins Credentials.

Sverre Moe

Jun 13, 2016, 5:53:29 AM
to Jenkins Users
Am I missing something in my script content?
sshagent(['repository']) {
    sh 'ssh -Xf bu...@repo.company.com ls -l /home/build/ '
}

When executing ssh within sshagent I am getting
Permission denied (publickey,keyboard-interactive).

The credential repository has the private key for the user build.

Baptiste Mathus

Jun 13, 2016, 8:36:38 AM
to jenkins...@googlegroups.com
Indeed in my case I had disabled host key checking. 

What works for me is:

sshagent(['some-id']) { 
 
        sh """
             ssh -o StrictHostKeyChecking=no marmotte@marmotte "docker create -v /var/jenkins_home --name ze-data jenkins:1.642.1 || echo 'data container already existing?' "
             ....
        """
}

Sverre Moe

Jun 13, 2016, 9:21:54 AM
to Jenkins Users, m...@batmat.net
I have already added the host to ~/.ssh/known_hosts, so using StrictHostKeyChecking=no is no longer necessary.
What I am experiencing now is an authentication problem. It does not use the credentials with the ssh connection. Thus I receive Permission denied (publickey,keyboard-interactive).

My credentials contain the private key for the username I use in the ssh command.

Wonder if the problem lies not with sshagent, but elsewhere.
I have tried the following command manually with the same private-key stored in Jenkins for this user and it still asks for password.
ssh -i private.key build@server.company.com
Password: 
Password: 
Password: 
Permission denied (publickey,keyboard-interactive).

However, does sshagent still supply the private key when executing ssh?

Zoratto Thomas

Jun 13, 2016, 1:21:10 PM
to jenkins...@googlegroups.com
Hi,

Try to ssh in verbose mode and you'll know what's happening. 

ssh -v ... 

(The more v you put, the more verbose it will be)

Sverre Moe

Jun 14, 2016, 2:20:24 AM
to Jenkins Users
It looks like it is trying the private key credentials from Jenkins, but fails. When it fails it tries the public key for the user, then finally tries password, which it cannot get.
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: build (company-server)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/build/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/build/.ssh/id_dsa
debug1: Trying private key: /home/build/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

I don't think the problem is with either Jenkins or Agent SSH Plugin as I am getting almost the same problem manually executing ssh with the private key.
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: private.key
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 
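
Added example, not part of the thread: a small triage of `ssh -v` client output such as the log above, listing which keys were offered or tried, whether the server accepted any, and the most likely cause. The sample lines are constructed from the log quoted above; the `triage` function and its cause strings are this example's own.

```python
import re

# Constructed sample: client debug lines as quoted in the thread, trimmed.
SAMPLE = """\
debug1: Next authentication method: publickey
debug1: Offering RSA public key: build (company-server)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/build/.ssh/id_rsa
debug1: Trying private key: /home/build/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
"""

OFFER = re.compile(r"debug1: Offering (?:\w+ )?public key: (.+)")
TRYING = re.compile(r"debug1: Trying private key: (.+)")

def triage(log: str) -> dict:
    """Summarise an `ssh -v` client log and name the most likely failure cause."""
    offered, tried, accepted = [], [], []
    no_tty = hostkey = False
    for line in log.splitlines():
        if m := OFFER.search(line):
            offered.append(m.group(1).strip())
        elif m := TRYING.search(line):
            tried.append(m.group(1).strip())
        elif "debug1: Server accepts key" in line and offered:
            accepted.append(offered[-1])  # the reply answers the latest offer
        elif "can't open /dev/tty" in line:
            no_tty = True                 # prompt attempted without a terminal
        elif "Host key verification failed" in line:
            hostkey = True
    if hostkey:
        cause = "host key unknown or changed: pin the server key in known_hosts"
    elif not offered and not tried:
        cause = "no key available: agent empty and no identity file"
    elif not accepted:
        cause = "server accepted no key: check the target user's authorized_keys"
    else:
        cause = "key accepted: the failure is after authentication"
    return {"offered": offered, "tried": tried, "accepted": accepted,
            "no_tty": no_tty, "cause": cause}

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

For the sample it reports two offered keys and none accepted, which points at the server side rather than at the step that supplies the key.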

Zoratto Thomas

Jun 14, 2016, 2:41:17 AM
to jenkins...@googlegroups.com
Your private key seems to be protected by a passphrase. As you are not in an interactive shell there is no tty so it fails when trying to ask for the passphrase.

Sverre Moe

Jun 14, 2016, 2:54:44 AM
to Jenkins Users
The private key is actually not password protected. I chose empty password when I generated the private key on the server.

Zoratto Thomas

Jun 14, 2016, 3:47:08 AM
to jenkins...@googlegroups.com
Ok, then try to ssh manually with full verbose mode (-vvv)

Sverre Moe

Jun 14, 2016, 4:29:30 AM
to Jenkins Users
Got the following debug output.

Wonder if it could have something to do with:
key_parse_private2: missing begin marker
However, the private key file has header "-----BEGIN RSA PRIVATE KEY-----" and footer "-----END RSA PRIVATE KEY-----"

debug2: key: private.key ((nil)), explicit
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: private.key
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 [MD5]
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

Ryan Kuharske

Jun 23, 2017, 4:18:32 PM
to Jenkins Users
I know this is an old thread but I thought I'd post how I was able to get the issue resolved.

The issue we were having is that the ID which Jenkins runs with doesn't have access to the directory we needed to publish our artifacts to.  In order to get around this, we needed to ssh back into the server Jenkins is running on with a different ID that does have access to this directory.

To get it working, we had to copy the public key generated for our Jenkins ID into the authorized_keys file in the .ssh directory for the other user we wanted to connect as.  When setting up our credentials in Jenkins then, we set the username as the ID we wanted to connect with and chose to pull the private key from the Jenkins master folder (~/.ssh).

After that we were able to successfully connect to the server with those credentials.  It's probably fairly basic but it could be easy to mix up that step.

Hopefully it helps someone!