【问题标题】:jenkins - can't ssh to remote server (key - permission denied) but works from clijenkins - 无法通过 ssh 连接到远程服务器(密钥 - 权限被拒绝),但可以从 cli 工作
【发布时间】:2013-08-10 10:41:19
【问题描述】:

我让 Jenkins 在我的本地机器上运行,试图找出我在服务器上遇到的远程 ssh 问题。我收到此权限被拒绝错误,这表明密钥有问题,但从 shell 上的同一用户帐户,我绝对可以连接。

Started by user anonymous
Building in workspace /Users/jgoodwin/jenkins/workspace/app
[postprocessor] $ /bin/sh -xe /var/folders/b0/h_wtmzss6cx11p6153y9h2cr0000gn/T/hudson4163212101874527747.sh
+ echo /Users/jgoodwin
/Users/jgoodwin
+ whoami
jgoodwin
+ ssh -i /Users/jgoodwin/.ssh/id_rsa remoteuser@server 'echo success'
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Build step 'Execute shell' marked build as failure
Finished: FAILURE

这是直接在 shell 上运行的:

Jasons-MacBook-Air:~ jgoodwin$ echo $HOME
/Users/jgoodwin
Jasons-MacBook-Air:~ jgoodwin$ whoami
jgoodwin
Jasons-MacBook-Air:~ jgoodwin$ ssh -i /Users/jgoodwin/.ssh/id_rsa remoteuser@server 'echo success'
success

我很难过 - 过去我在 hudson 做过很多工作,但我认为我在做这类工作时没有任何问题。该错误表明键有问题,但它们显然很好。

编辑:

根据请求的详细日志

OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to hostname [ip] port 22.
debug1: Connection established.
debug1: identity file /Users/jgoodwin/.ssh/id_rsa type 1
debug1: identity file /Users/jgoodwin/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ed:d4:92:3f:33:bd:dd:b9:eb:d1:b2:19:4c:f1:70:e9
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /Users/jgoodwin/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jgoodwin/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Build step 'Execute shell' marked build as failure

编辑:在 8 月 15 日添加了成功尝试

OpenSSH_5.9p1, OpenSSL 0.9.8x 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to hostname [ip] port 22.
debug1: Connection established.
debug1: identity file /Users/jgoodwin/.ssh/id_rsa type 1
debug1: identity file /Users/jgoodwin/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 40:bf:b5:74:1c:5f:b6:93:00:4b:ca:1d:fc:0f:39:ec
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /Users/jgoodwin/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jgoodwin/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to hostname ([54.226.250.218]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8
Last login: Thu Aug 15 13:09:32 2013 from 66.199.39.230

【问题讨论】:

    标签: ssh jenkins ssh-keys


    【解决方案1】:

    多种原因可能导致此行为,例如使用代理/钥匙串管理器进行密钥缓存等。

    我建议使用 -v 参数来比较 2 个输出:

    ssh -v -i /Users/jgoodwin/.ssh/id_rsa remoteuser@server
    

    这将使您以更详细的方式比较正在发生的事情。如果您仍然无法解决它,请发布您的详细输出以进行比较。

    注意:您最多可以添加 3 个 -v 参数以增加详细程度。

    更新

    @JasonG 从我看到的失败细节是:

    debug1:提供 RSA 公钥:/Users/jgoodwin/.ssh/id_rsa debug1:服务器接受密钥:pkalg ssh-rsa blen 279 debug1:key_parse_private_pem:PEM_read_PrivateKey 失败 debug1:读取 PEM 私钥完成:输入 debug1: read_passphrase: can't open /dev/tty: Device not configured

    您的密钥似乎有密码,但由于我们不在交互式外壳中,因此无法输入密码。您的标准 shell 中的命令行可能会受益于 Keycahin,它会为您“输入密码”。

    如果您可以为成功的命令生成相同的详细信息,以便我们进行比较...

    【讨论】:

    • 谢谢 - 我会试试这个并回复你。今天有点忙,但我很欣赏这个方向,我会尽快完成。
    • 我在问题中添加了详细日志,因为它太长了,无法放入此处。
    • @JasonG 更新我的答案,因为 cmets 格式不正确
    • 我的密钥上没有密码
    • 我已更正:-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED 他们的密钥上一定有某种我不知道的密码。
    【解决方案2】:

    Jenkins 运行 shell 脚本与环境中的 cmd 行略有不同

    您的情况存在一些环境差异,我们没有注意到。像初始脚本,路径设置。

    除了@coffeebreaks提供的方法,下面试试

    • 检查系统环境,如show命令env
    • 将上述步骤写入 bash 脚本并在 cmd 行和 jenkins 作业中运行脚本
    • 使用其他用户而不是启动 jenkins 实例的初始用户

    【讨论】:

      【解决方案3】:
      【解决方案4】:

      在我的情况下,我使用的是一个钥匙串(正如@coffeebreaks 建议的那样),当我在 jenkins 用户 .bashrc 文件中获取时正在设置它。不幸的是,jenkins 后端似乎不像标准的 shell 登录那样获取这个文件。

      解决方案是在 Jenkins 管道中的 scp 调用之前添加以下代码:

      . ~/.bashrc
      

      【讨论】:

        【解决方案5】:

        看起来 /Users/jgoodwin/.ssh/id_rsa.pub 下缺少公钥,而不是 id_rsa 那里....您能否仔细检查并为该文件提供权限 600 并重新运行您的詹金斯作业

        debug1:提供 RSA 公钥:/Users/jgoodwin/.ssh/id_rsa debug1:服务器接受密钥:pkalg ssh-rsa blen 279 debug1: key_parse_private_pem: PEM_read_PrivateKey 失败

        【讨论】:

          猜你喜欢
          • 2020-02-11
          • 2016-02-29
          • 2021-06-16
          • 2021-05-15
          • 2018-08-07
          • 2020-12-28
          • 2023-04-08
          • 1970-01-01
          • 2016-10-15
          相关资源
          最近更新 更多