Question
I am trying to debug a Jenkins Plugin that seems to be failing due to an SSH permission problem. Basically the plugin allows me to SSH from a master machine into a specific Jenkins build on the slave machine, but for some reason it fails on the system that I'm trying to use it on.
When executed, the plugin tells me that I can use something like the following command to SSH into the slave build from the master machine:
ssh.config
Host=*.localhost
Port=43689
ProxyCommand=ssh -p 43689 localhost diagnose-tunnel -suffix .localhost %h
command:
ssh -F ssh.config Test.localhost
This works on a test system I've set up (using two machines), but fails in the production environment with the error Permission denied (publickey).
While I'm certainly willing to debug the permission problem myself, I'm really confused as to how this ssh command works :/ What exactly is it trying to do? I researched the matter but I'm still confused as to how this works with the proxy command.
I imagine that it connects to some custom port in localhost (the jenkins master machine), but how would this allow me to ssh into the slave machine? Can this command be rewritten into one line for readability? What could possibly cause a permission denied error?
Thanks for any help! I imagine this is probably a really simple question, but I'm new to SSH and am still trying to understand it :)
Update
Output of ssh -vF test_ssh <job>.<host>, as requested! ^^ (with the job and host replaced by tags for readability)
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data test_ssh
debug1: Applying options for *.<host>
debug1: Executing proxy command: exec ssh -p 44078 <host> diagnose-tunnel -suffix .<host> <job>
debug1: permanently_drop_suid: 497
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host
Answer 1:
Your ssh.config should also contain something like
User USERNAME
PubKeyAuthentication yes
IdentityFile /path/to/key
where USERNAME is the actual user which is allowed to connect to your prod server, /path/to/key is their private key, and before that you should have done
ssh-copy-id -i /path/to/key.pub SERVER
where SERVER is your prod host
Answer 2:
I've had the same problem..
Now, I'll try to answer you.
What exactly is it trying to do?
ssh -p <port> <server> diagnose-tunnel -suffix .<server> %h
diagnose-tunnel -suffix .<server> %h is a command which executes on <server>:<port>. As I understand, it is a Jenkins-specific command which helps to establish a connection with the slave node.
Permission denied (publickey).
There is a solution which helps me:
- Generate private & public keys via ssh-keygen;
- Copy public key (id_rsa.pub) to your user settings (http://<jenkins_server>:8080/user/<jenkins_user_name>/configure);
- Edit ~/.ssh/config file: you should add jenkins_user_name to the ProxyCommand line:
ProxyCommand ssh -p <port> <jenkins_user_name>@<jenkins_server> diagnose-tunnel -suffix .<jenkins_server> %h
Also it is needed to add User <jenkins_user_name> and IdentityFile /path/to/private_key, as @sotona has written.
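To tell which of the two ssh connections was refused, the `ssh -v` output can be classified mechanically; the script below is an added example, not part of the original question or answers. The function names are hypothetical and the sample log is abridged from the output posted in the question.

```sh
#!/bin/sh
# Classify which hop of a ProxyCommand-based ssh session failed, reading the
# stderr of `ssh -v ...` on stdin. Added example; assumes the OpenSSH debug1
# line format shown in the question.

classify_ssh_log() {
    awk '
        /^debug1: Executing proxy command:/  { proxy = 1 }
        # The outer client logs this only after the far end sent its banner,
        # i.e. after the proxy tunnel was actually carrying data.
        /^debug1: Remote protocol version/   { banner = 1 }
        # Printed without a debug prefix by whichever ssh process was refused.
        /^Permission denied \(/              { denied = 1 }
        # type -1 means the outer client found no such key file.
        /^debug1: identity file .* type -1$/ { next }
        /^debug1: identity file /            { keys = keys " " $4 }
        END {
            if (denied && proxy && !banner) hop = "proxy-hop"
            else if (denied)                hop = "target-hop"
            else                            hop = "no-auth-failure"
            sub(/^ /, "", keys)
            printf "%s keys=%s\n", hop, keys
        }
    '
}

# Sample input: abridged from the log in the question (placeholders kept).
sample_proxy_failure() {
cat <<'EOF'
debug1: Reading configuration data test_ssh
debug1: Executing proxy command: exec ssh -p 44078 <host> diagnose-tunnel -suffix .<host> <job>
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host
EOF
}

sample_proxy_failure | classify_ssh_log
```

A `proxy-hop` result means the refusal came from the ssh process started by ProxyCommand (the connection to the Jenkins SSH port), before the outer client ever saw a server banner, so the user and key must be correct for that inner command.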
Source: https://stackoverflow.com/questions/36081742/ssh-help-understanding-proxy-command