22

I have some Jenkins jobs defined using a Jenkins Pipeline Model Definition, which builds NPM projects. I use Docker containers to build these projects (using a common image with just Node.js + npm + yarn).

The results of the builds are contained in the dist/ folder that I zipped using a zip pipeline command.

I want to copy this ZIP file to another server using SSH/SCP (with private key authentication). My private key is added to the Jenkins environment (credentials manager), but when I use Docker containers, an SSH connection cannot be established.

I tried to add agent { label 'master' } to use the master Jenkins node for file transfer, but it seems to create a clean workspace with new Git fetch, and without my built files.

After I tried the SSH Agent Plugin, I have this output:

Identity added: /srv/jenkins3/workspace/myjob-TFD@tmp/private_key_370451445598243031.key (rsa w/o comment)
[ssh-agent] Started.
[myjob-TFD] Running shell script
+ scp -r dist test@myremotehost:/var/www/xxx
$ docker exec bfda17664965b14281eef8670b34f83e0ff60218b04cfa56ba3c0ab23d94d035 env SSH_AGENT_PID=1424 SSH_AUTH_SOCK=/tmp/ssh-k658r0O76Yqb/agent.1419 ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 1424 killed;
[ssh-agent] Stopped.
Host key verification failed.
lost connection

How do I add a remote host as authorized?

3
  • I have the same issue, the sshagent plugin does not work in a container
    – red888
    Jan 30, 2018 at 1:33
  • 6
    use withCredentials and delete sshAgent plugin withCredentials([sshUserPrivateKey(credentialsId: 'ssh-credentials-id', keyFileVariable: 'keyfile')]) { sh "mkdir -p ~/.ssh && cp ${keyfile} ~/.ssh/id_rsa" other_stuff}
    – SZMER
    May 25, 2018 at 13:03
  • Backing up what @SZMER said: the sshagent plugin is broken on Windows 10 version 1803
    – steven87vt
    Apr 8, 2020 at 14:48

4 Answers

35

I had a similar issue. I did not use the label 'master', and I identified that the file transfer works across slaves when I do it like this:

Step 1 - create SSH keys in a remote host server, include the key to authorized_keys

Step 2 - Create credential using SSH keys in Jenkins, use the private key from the remote host

Use the SSH agent plugin:

stage ('Deploy') {
    steps{
        sshagent(credentials : ['use-the-id-from-credential-generated-by-jenkins']) {
            sh 'ssh -o StrictHostKeyChecking=no [email protected] uptime'
            sh 'ssh -v [email protected]'
            sh 'scp ./source/filename [email protected]:/remotehost/target'
        }
    }
}
4
  • Don't disable StrictHostKeyChecking. This is terribly insecure, especially in a CI/CD environment.
    – Lie Ryan
    Aug 18, 2023 at 7:11
  • 1
    @LieRyan is right. You can easily get rid of this warning if you log in to your Jenkins via SSH and execute ssh-keyscan -H 192.168.1.162 >> ~/.ssh/known_hosts. Of course you have to adjust the command to your needs.
    – Murolack
    Aug 19, 2023 at 11:19
  • @Murolack Still, this is not a good solution. You will trust any host regardless, and one more line will be added at every run. Much better to create known_hosts manually once.
    – sekrett
    Nov 2, 2023 at 17:29
  • 1
    @sekrett my solution is to create the known_hosts file manually or at least add the new host to the already existing file. You execute this command on the server to add this one server you want to connect to.
    – Murolack
    Nov 17, 2023 at 14:17
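Added example (not part of the original answer or its comments): the host-key pinning the comments above ask for, written as shell for the pipeline's sh step so that a build container with no ~/.ssh state can still verify the target. The function names, host name and key value are constructed, and the pinned key is assumed to have been obtained out of band and stored as a Jenkins credential.

```shell
#!/bin/sh
# Added example; host, paths and key material are constructed placeholders.

# Return 0 only if a scanned line ("host type base64", as ssh-keyscan prints
# it without -H) carries exactly the pinned "type base64" key for the
# expected host. Returns 1 on mismatch, 2 on malformed input.
host_key_matches() {
    expected_host=$1
    pinned=$2
    scanned=$3
    case $scanned in
        *" "*" "*) ;;
        *) return 2 ;;
    esac
    host=${scanned%% *}
    rest=${scanned#* }
    ktype=${rest%% *}
    blob=${rest#* }
    blob=${blob%% *}    # drop a trailing comment field, if present
    [ "$host" = "$expected_host" ] || return 1
    [ "$ktype $blob" = "$pinned" ] || return 1
}

# Write a job-local known_hosts file that holds only the pinned key, created
# with owner-only permissions. Prints the path of the file.
write_known_hosts() {
    host=$1
    pinned=$2
    dir=$3
    file=$dir/known_hosts
    ( umask 077 && printf '%s %s\n' "$host" "$pinned" > "$file" ) || return 1
    printf '%s\n' "$file"
}

# Options that make ssh/scp fail closed on an unknown or changed host key
# and ignore any other known_hosts file present in the container.
strict_ssh_opts() {
    printf '%s\n' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1 -o GlobalKnownHostsFile=/dev/null"
}

# Intended use inside sshagent { sh '...' } (assumed variable names; the
# unquoted $(...) relies on the temp path containing no spaces):
#   kh=$(write_known_hosts "$DEPLOY_HOST" "$PINNED_KEY" "$(mktemp -d)")
#   scp $(strict_ssh_opts "$kh") -r dist "test@$DEPLOY_HOST:/var/www/xxx"
```

host_key_matches is for a separate drift check: feed it a fresh ssh-keyscan line for the host and alert when it returns 1, rather than appending the scanned key to known_hosts.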
9

Use the SSH agent plugin:

When using this plugin you can use the global credentials.

2
  • I tried the plugin you specified and updated question consequently.
    – Loïc
    May 29, 2017 at 10:09
  • How to use credentials from SSH plugin in pipeline script?
    Nov 3, 2017 at 22:52
2

To add a remote host to known hosts and hopefully cope with your error, try to manually ssh from the Jenkins host to the target host as the Jenkins user.

Get on the host where Jenkins is installed. Type

sudo su jenkins

Now use ssh or scp like

ssh username@server

You should be prompted like this:

The authenticity of host 'server (ip)' can't be established.
ECDSA key fingerprint is SHA256:some-weird-string.
Are you sure you want to continue connecting (yes/no)?

Type yes. The server will be permanently added as a known host. Don't even bother passing a password, just Ctrl + C and try running a Jenkins job.

1
  • Why the downvote? It is a correct answer to the updated question.
    Dec 18, 2017 at 15:29
1

Like @haschibaschi recommends, I also use the ssh-agent plugin. I have a need to use my personal UID credentials on the remote machine, because it doesn't have any UID Jenkins account. The code looks like this (using, for example, my personal UID="myuid" and remote server hostname="non_jenkins_svr"):

sshagent(['e4fbd939-914a-41ed-92d9-8eededfb9243']) {
    // 'myuid@' required for scp (this is from UID jenkins to UID myuid)
    sh "scp $WORKSPACE/example.txt myuid@non_jenkins_svr:${dest_dir}"
}

The ID e4fbd939-914a-41ed-92d9-8eededfb9243 was generated by the Jenkins credentials manager after I created a global domain credentials entry.

After creating the credentials entry, the ID is found under the "ID" column on the credentials page. When creating the entry, I selected type 'SSH Username with private key' ('Kind' field), and copied the RSA private key I had created for this purpose under the myuid account on host non_jenkins_svr without a passphrase.
