Permission denied (public key) during fetch from GitHub with Jenkins user on Ubuntu

Here is my setup:
Jenkins is running on my linux machine as 'jenkins' user.
I have generated a ssh key-pair as described in Linux - Setup Git, for the 'jenkins' user.
When I sudo su jenkins and try ssh -vT git@github.com, I am always asked for my passphrase, but I am always eventually authenticated (the verbose option shows which key is used, among others).
I could clone my repo from GitHub using jenkins:
Thusly:
jenkins@alpm:~/jobs/test git/workspace$ git pull
Enter passphrase for key '/var/lib/jenkins/.ssh/id*_rsa':
Already up-to-date.
Up to this point I have followed the instructions to the letter. The problem is that the Jenkins job fails with the following error:
status code 128:
stdout:
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This is same error as I get when I typo the passphrase (but of course, Jenkins does not ask me for the passphrase). The following pages:
GitHub - SSH Issues
Using SSH Agent Forwarding
indicate to me that ssh-agent could help remember the passphrase, which it does when I am using my own user, but not the jenkins id. Note that while running as my normal user yields:
echo "$SSH_AUTH_SOCK"
/tmp/keyring-nQlwf9/ssh
While running the same command as my 'jenkins' yields nothing (not even permission denied)
My understanding of the problem is that the passphrase is not remembered.
Do you have any idea?
Shall I start a ssh-agent or key ring manager for the jenkins user? How?
Or is ssh forwarding suitable when forwarding to the same machine?
Any brighter idea?
ps: I never sudo gitted, I always used jenkins or my user account (as mentioned in this SO post - Ubuntu/GitHub SSH Key Issue)

Since nobody wrote the answer from the comments for several months, I will quickly do so.
There are 2 possible problems/solutions:
id_rsa created with wrong user
Create id_rsa as the jenkins user (see hudson cannot fetch from git repository)
Leave passphrase empty

To summarise what must be done on the Jenkins server:
# 1. Create the folder containing the SSH keys if necessary
if [ ! -e ~jenkins/.ssh ]; then mkdir ~jenkins/.ssh; fi
cd ~jenkins/.ssh/
# 2. Create the SSH pair of keys
# The comment will help to identify the SSH key on target systems
ssh-keygen -C "jenkins" -f ~jenkins/.ssh/id_rsa -P ""
# 3. Assign the proper access rights
chown -R jenkins ~jenkins/.ssh/
chmod 700 ~jenkins/.ssh
chmod 600 ~jenkins/.ssh/*
Remember:
Please keep the default "id_rsa" name when generating the keys, as other such as "id_rsa_jenkins" won't work, even if correctly set up.
Do not use a passphrase for your key
Check that the public key (id_rsa.pub) has been uploaded on the git server (GitHub, Bitbucket, etc). Once done, test your SSH key by running: ssh -vvv git@github.com (change address according to your git server)
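
The failure in this thread comes down to three local conditions: who owns the key, its file mode, and whether it is passphrase-protected with no agent available. The preflight below is an added example, not part of the original answers; it assumes the ~jenkins/.ssh/id_rsa path used in the summary above, and the function names are illustrative.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(pem_text):
    """Return True if the private key needs a passphrase before it can be used."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armoured private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # After the magic comes a length-prefixed cipher name; "none" means no passphrase.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    # Legacy PEM / PKCS#8: encrypted keys carry a Proc-Type header or an ENCRYPTED label.
    return "ENCRYPTED" in lines[0] or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)


def audit_key(path, expected_uid, agent_sock=None):
    """Return findings that would make a non-interactive git fetch fail."""
    findings = []
    for p, label in ((os.path.dirname(path), "directory"), (path, "private key")):
        st = os.stat(p)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{label} {p} owned by uid {st.st_uid}, expected {expected_uid}")
        if mode & 0o077:
            findings.append(f"{label} {p} mode {mode:o} is open to group/other")
    with open(path, encoding="ascii") as fh:
        if key_is_encrypted(fh.read()) and not agent_sock:
            findings.append("key is passphrase-protected and SSH_AUTH_SOCK is unset")
    return findings


if __name__ == "__main__":
    import pwd
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "jenkins"  # assumed account name
    pw = pwd.getpwnam(user)
    key = os.path.join(pw.pw_dir, ".ssh", "id_rsa")
    # SSH_AUTH_SOCK is read from this process, so run it in the job's own environment.
    for finding in audit_key(key, pw.pw_uid, os.environ.get("SSH_AUTH_SOCK")):
        print("FAIL:", finding)
```

Run it as the jenkins user (or as root) so the key file is readable; no output means none of the three conditions was found.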

I got around this problem by simply leaving the passphrase empty when creating the keys.

I would add that if you created the keys by hand, they might still be owned by you and not readable by jenkins, try:
sudo chown jenkins -R /var/lib/jenkins/.ssh/*

Check the following:
if the right public key (id_rsa.pub) is uploaded to the git-server.
jenkins user will access github -> CHECK if the right private key (id_rsa) is copied to /var/lib/jenkins/.ssh/
if the known_hosts file is created inside the ~/.ssh folder. Try ssh -vvv git@github.com to see debug logs. If things go well, github.com will be added to known_hosts.
if the permission of id_rsa is set to 755 (chmod 755 id_rsa)
After all checks -> try ssh -vvv git@github.com
Don't try to do config in jenkins until ssh works!

If you are running jenkins as a service in windows, you need to verify the user running the service. If you created the keys using the user "MACHINENAME\user", change the service so the user running it can match

For Mac users, the issue can be solved by removing the existing keys and creating new Private and Public Keys by following these steps:
1. Remove all Public and Private keys located at /Users/Username/.ssh
2. Remove all the credentials saved under the Credentials tab in Jenkins.
3. Remove the existing Public SSH keys defined in the Github Repository Settings.
4. Create new SSH keys (private and public: id_rsa and id_rsa.pub) by following the steps from https://confluence.atlassian.com/bitbucketserver/creating-ssh-keys-776639788.html#CreatingSSHkeys-CreatinganSSHkeyonLinux&MacOSX
5. Set the newly created public SSH key (id_rsa.pub) in Github or an equivalent Repository Settings.
6. In Jenkins, create new credentials by adding the private SSH key (id_rsa) for your Github username.
7. The Error should be removed now.

Keys need to be generated from the jenkins user.
sudo su jenkins
ssh-keygen
Once the key is generated, it should be added as an SSH key in bitbucket or github.

Related

Github: I have to make a new SSH key after every use

I have a school and a personal Github, so I made an SSH key for my personal account and linked it up. It always works only once, then gives me
Push Failed
Git@github.com: Permission denied (publickey). Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
It works fine again after I delete the old SSH and make a new one, but this is obviously a huge hassle. I am on Windows 10, using Git Bash, and IDE is IntelliJ.
Any ideas? Thanks.
I solved this problem in the following way:
1. Create a file named config in the path $USER_HOME/.ssh/, then add the following content.
# For school account
Host school_github
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_school
# For personal account
Host personal_github
HostName github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_personal
2. Run the following command using git bash:
Change your school github repository configuration
git remote rm origin
git remote add origin git@school_github:your_github_username/your_repo_name.git
You can have a try.
You don't need to create SSH keys for each git service; just upload the same public key to both personal and school accounts and it will work.
An SSH public key is tied to your local account; you have to generate SSH keys only if you are using a different local (machine) account or a different machine.
Seems to me like when you try to authenticate, you are probably not using your keys.
If you run the command
ssh-add -l
You (should) see a list of all your keys. Each time you start a new session, make sure to start up the agent and add your keys.
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa

Cannot use git to clone in remote web server

I have created a Github repo to where I push my local changes using Git Bash, without any problems. I can also use Git Bash to connect to my remote web server (shared hosting) and navigate to the folder where I want to clone my Laravel site.
This is where the problems begin. When I do
$ git clone git@github.com:myusername/mylaravelsite.git
I get the error message:
Permission denied (publickey)
After some searching for a solution I found that I should make sure that I have a key by doing this:
$ eval "$(ssh-agent -s)"
Which gave this answer:
Agent pid 122372
Then according to the instructions I should do this
$ ssh-add -l
Which gave me this message:
The agent has no identities
Reading up a bit more I try to add the key again by doing
$ ssh-keygen -t rsa
...which generated a key pair that I added with ssh-add, I was prompted for a passphrase which I entered twice.
Now, I still get Permission denied (publickey) when I try to access my github repo with ssh. I should also mention that I have created a new SSH key at the github account where I pasted the key I created (I opened .ssh/id_rsa-pub with notepad and copied the content).
What more can I try?
Finally found the answer in case anyone else has the same problem. It turns out that the public key also must exist in the remote web server (in the .ssh folder I uploaded the same rsa_id and rsa_id.pub files, that I created locally), not only locally and in the Github account.
Once I had figured that out and uploaded those files to the webserver, it worked to clone my github repo :-).

Failed to add the SSH key to the ssh-agent with an empty passphrase (Bitrise CLI)

Summary:
As I'm integrating CI to the development workflow, I'm also trying to move the executions of Bitrise workflows to our local iOS Mac Computer which is setup as a Jenkins slave.
The projects that I'm trying to build therefore needs to be built on this iOS Computer.
Problem:
I'm trying to establish an ssh connection to an integration user (a GitHub account that has access to my repositories) and I have created a key and added it to the GitHub user as well as to the .bitrise.secrets.yml file.
But when the initial step, the activate-ssh-key step is executed, it results with an error that I can't add the SSH key to the ssh-agent with empty passphrase. (Is this somehow configurable? Can I just evade this?)
Here is the output log:
https://pastebin.com/FCHhZNDb
Step in bitrise.yml:
- activate-ssh-key@4.0.2: {getenv "SSH_RSA_PRIVATE_KEY"}
.bitrise.secrets.yml:
envs:
- SSH_RSA_PRIVATE_KEY: ssh-rsa *KEY*
I have also tried putting the ssh key directly in the .ssh directory which did not work.
Any help is really appreciated! :)
TL;DR
Trying to connect bitrise cli with github via ssh, doesn't work.
The SSH key you used seems to be protected with a passphrase. You should generate one that does not require a passphrase to be specified, and register that for the repository.
How to generate such an SSH key: https://devcenter.bitrise.io/faq/how-to-generate-ssh-keypair/
ssh-keygen -t rsa -b 4096 -P '' -f ./bitrise-ssh -m PEM
Alternatively you can replace the Activate SSH Key step with a script one and activate the SSH key any way you like.
Or if you prefer not to use SSH keys you could switch to using https:// git clone urls (instead of the SSH / git@ one) and replace the Activate SSH Key step with the Authenticate with GitHub OAuth one (https://www.bitrise.io/integrations/steps/authenticate-with-github-oauth).

Error "The authenticity of host 'github.com' can't be established. RSA key fingerprint "

I use my project at work, but I would like to work with it from home, as I can log into my home machine to work with my project.
However, from home, I see the following message:
The authenticity of host 'github.com (ip)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?
How can I get past it?
You should simply be able to answer 'yes', which will update your ~/.ssh/known_hosts file.
A better approach, to avoid any MITM (Man-In-The-Middle) attack, would be (as commented below by Mamsds) to verify Github's public key first (see "GitHub's SSH key fingerprints") and, if you find a match, then you can answer 'yes'.
Example:
ssh-keyscan -t ecdsa github.com 2>&1 |ssh-keygen -lf -
256 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)
After that, you can use a GitHub SSH URL (provided you have generated the SSH public/private keys, and registered the public one to your GitHub profile)
Note: the ssh key generation should use the base64 old PEM format (option -m PEM), rather than the new current 70 chars OpenSSH one.
See "What is the correct format for private key in Credentials":
ssh-keygen -m PEM -t rsa -P "" -f afile
That or you can switch to an HTTPS URL.
As you are attempting to connect to Github using SSH for the first time (no existing entry for Github in ~/.ssh/known_hosts yet), you are being asked to verify the key fingerprint of the remote host. Because, if an intruder host represents itself as a Github server, its RSA fingerprint will be different from that of a GitHub server fingerprint.
You have two options.
You may just accept, considering you don't care about the authenticity of the remote host (Github in this case), or,
You may verify that you are actually getting connected to a Github server, by matching the RSA fingerprint you are presented to (in the prompt), with GitHub's SSH key fingerprints in base64 format.
The latter option is usually more preferable.
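
What the fingerprint check amounts to, as an added example that is not part of the original answers: the SHA256 fingerprint is the unpadded base64 of the SHA-256 digest of the decoded key blob, so ssh-keyscan output can be compared with fingerprints obtained out of band before anything is appended to known_hosts. The function names and the sample key blobs are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(key_b64):
    """SHA256 fingerprint in the form shown by ssh and `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def vet_keyscan(keyscan_output, host, pinned):
    """Split scanned keys into (accepted known_hosts lines, rejected fingerprints)."""
    accepted, rejected = [], []
    for raw in keyscan_output.splitlines():
        parts = raw.split()
        if len(parts) < 3 or raw.lstrip().startswith("#"):
            continue  # blank line or keyscan banner comment
        names, key_type, blob = parts[:3]
        if host not in names.split(","):
            continue  # entry for a different host
        fp = fingerprint(blob)
        if fp in pinned:
            accepted.append(f"{host} {key_type} {blob}")
        else:
            rejected.append((key_type, fp))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed stand-ins for real key blobs. In practice `pinned` holds the
    # fingerprints the provider publishes, fetched over a separate channel.
    good = base64.b64encode(b"constructed host key A").decode()
    other = base64.b64encode(b"constructed host key B").decode()
    scan = (
        "# github.com:22 SSH-2.0-constructed\n"
        f"github.com ssh-ed25519 {good}\n"
        f"github.com ssh-rsa {other}\n"
    )
    ok, bad = vet_keyscan(scan, "github.com", {fingerprint(good)})
    print("append to known_hosts:", ok)
    print("refused (fingerprint not pinned):", bad)
```

Only the accepted lines belong in ~/.ssh/known_hosts; a non-empty rejected list means the scanned key does not match any published fingerprint and the connection should not be trusted.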
Just add Github fingerprint to known hosts this way:
mkdir -p ~/.ssh
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
Use one of the following two solutions:
1) Set up the SSH key
Follow the steps discussed on this GitHub help page.
https://help.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh
2) Clone using git with HTTPS
Type (copy/paste) the following commands in a terminal on the machine where you would like to clone the repository
git config --global url."https://github.com/".insteadOf git@github.com:
git config --global url."https://".insteadOf git://
You can revert this change using the following commands
git config --global url."git@github.com:".insteadOf https://github.com/
git config --global url."git://".insteadOf https://
Try these steps:
Open Git Bash
Check for existing SSH keys:
$ ls -al ~/.ssh
If you already have them, you will see:
id_rsa.pub
id_ecdsa.pub
id_ed25519.pub
If you don't, generate one (Press Enter to accept the default file location):
$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
To copy the key to clipboard:
$ clip < ~/.ssh/id_rsa.pub
Go to your account on Github/Settings/SSH and GPG keys/New SSH key
Paste your key there
Next, type:
$ git remote
If you see origin, remove it:
$ git remote remove origin
Continue with the last 2 steps provided on GitHub repo page...
$ git remote add origin git@github.com:USERNAME/REPONAME.git
$ git push -u origin master
Refresh your GitHub repo page
Voila!
1- Create SSH key
If you don't have the ssh-key, create it like this:
ssh-keygen -t rsa -b 4096 -C "youremail@example.com"
2- Check your SSH key
For this, go to your ssh folder, for example:
cd ~/.ssh
After that, run this command line: ls
If you have the files id_rsa and id_rsa.pub, all is good.
Now you need to copy your id_rsa.pub! (⚠️ NOT the id_rsa)
For this, run cat id_rsa.pub and copy the result.
3- Github / Gitlab
Go to your github / gitlab.
Follow the steps for your hosting:
github: Click on your profile -> Settings -> SSH and GPG Keys -> New SSH key
gitlab: Click on your profile -> preferences -> SSH keys
Paste your id_rsa.pub that you have already copied!
4- If you have already done it and it's still not working?
When you enter your ssh-key in github / gitlab, your key has an expiration date, so you just need to change it.
That's it! Have a good work 😀
You just need to type yes and it will work, for more information you can refer to the Official Github documentation. This will give an output saying
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

Why do I need to run `ssh-add` in my Powershell profile?

In my Microsoft.PowerShell_profile.ps1 document, I've had to add ssh-add ~/.ssh/github_rsa following the poshgit examples in order for it to connect to my GitHub repos.
# Load posh-git example profile
. 'C:\tools\poshgit\dahlbyk-posh-git-8aecd99\profile.example.ps1'
ssh-add ~/.ssh/github_rsa
If I don't have that in my profile, GitHub gives me permissions errors when I try to connect.
If I do it manually, it will work for the entire duration of my desktop session, but as soon as I reboot my computer, I need to re-run the command.
Why doesn't poshgit and ssh-add remember the rsa that I've added? It seems wrong to have to re-add it every time.
It's because your rsa key is not the default name (id_rsa), so you either need to use ssh-add (which adds it to a running service that remembers the key decrypted with your passphrase) or just add an entry into your ~\.ssh\config
~\.ssh\config (create or edit):
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/github_rsa
Or, if github is the only thing you use ssh keys for, just rename the key to id_rsa and then git (well ssh.exe) will find it for you automatically AND poshgit will ssh-add it for you (to handle passphrases).