I’ll show how to set up Jenkins and SSH keys to clone a git repo in a build step in the Jenkins pipeline. This wasn’t straight forward at all and several obstacles were in the way and had to be removed.
I am using an Ubuntu 22.04 host, Jenkins 2.375.1, Jenkins Pipeline and docker based agents running Ubuntu as well.
SSH Setup for git clone
Pipeline is able to do the git clone, so we don’t need to hassle with running ‘git clone’ on the agent, which comes with its own problems. In this case we would have to find a safe and secure way to put your ssh keys into the agent. Luckily, Pipeline can do the git checkout, and the key stays with the host.
Basically, what we need to do is generate ssh keys for the jenkins user on Ubuntu, distribute them correctly to the git server, and set up the credentials in Jenkins. Then we can add the git step in the Pipeline.
You might easily run into the problems here, as it is a bit tricky to find the right settings. This is what worked for me, lets start:
Create an ssh key under the jenkins user. The easiest way to do this is by logging in into the user, and create the keys in its home dir. First, give the jenkins user a password:
sudo passwd jenkinsNow you can login as this user:
su jenkinsThis users home dir, JENKINS_HOME, is under /usr/lib/jenkins/ (at least on Ubuntu 22.04). Make sure you stand in this directory when you create your key.
ssh-keygenYou can leave the passphrase empty. It generates a secret and an id file under /usr/lib/jenkins/.ssh/ The .ssh folder and the files need the following permissions:
-rw------- 1 jenkins jenkins 2602 Dec 6 11:10 id_rsa
-rw-r--r-- 1 jenkins jenkins 569 Dec 6 11:10 id_rsa.pubwhich corresponds to 600 and 644. The .ssh folder itself has 700 (drwx——)
Add the key to your git server:
ssh-copy-id git@yourgitserverTest it:
ssh -vvv git@yourgitserverIf something goes wrong with your key, ssh will offer you password login and it looks like this:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa RSA SHA256:*************************
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa_sk
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ed25519
debug3: no such identity: /var/lib/jenkins/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ed25519_sk
debug3: no such identity: /var/lib/jenkins/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /var/lib/jenkins/.ssh/id_xmss
debug3: no such identity: /var/lib/jenkins/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
git@victory's password: Check everything again, also permissions of the files on the git server side, e.g. authorized_keys (spelling, 600/-rw——-)
If things go well, it looks like this:
debug3: receive packet: type 60
debug1: Server accepts key: /var/lib/jenkins/.ssh/id_rsa RSA SHA256:*************************
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with RSA SHA256:*************************
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:*************************
debug3: send packet: type 50
debug3: receive packet: type 52
...
debug2: shell request accepted on channel 0
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)Now you can set up an identity to use this key. Go to Dashboard – your project and click on Configure. Click on Pipeline Syntax (at the bottom), choose the Snippet Generator and choose git. Under Credentials is a + button to add one. Choose ssh username with private key, leave the scope as it is. ID and Description according to what makes sense to you. Username jenkins. Private key – enter directly. Here you paste the content of your ~/.ssh/id_rsa file (the private part). Caution here, this shouldn’t slip anywhere else, sharpen your copy and paste skills. Then click add.
Git in the Pipeline
Now, when you also put your git repo there, you get right away the right git clone snippet for your Jenkins pipeline:
git credentialsId: 'jenkins-git', url: 'git@yourgitserver:/your-repo.git'
Embedded in the pipeline it can look like this:
pipeline {
agent any
stages {
stage('Git Checkout') {
steps {
git credentialsId: 'jenkins-git', url: 'git@yourgitserver:/your-repo.git'
}
}Now, under Dashboard – Manage Jenkins – Manage Credentials you should see your key, and you can change it there.
Host key acceptance
In order to use git in Jenkins Pipeline, you must also ensure they host key is accepted. I got errors in the clone step indicating the host key is not known and cannot be accepted.
stdout:
stderr: No ECDSA host key is known for victory and you have requested strict checking.To fix this, you go to Dashboard – Manage Jenkins – Configure Global Security, look for Git Host Key Verification Configuration and change the strategy to Accept first connection.
Now you can build your project and it should be able to clone your git repo.