Configuring SSH authentication between GitHub and Jenkins

CI/CD 3 Minutes

In one of the previous blog post, we have discovered how to build GitHub project using Jenkins. In that post, since it was a public repository, we did not tried to authenticate to GitHub. Here, we’ll cover how to use SSH keys to authenticate to GitHub repos. This applies to both public and private source code repositories.

For this post’s purposes, we’ll use a sample source code repository at https://github.com/goyalmohit/DemoRepo01. You can use any repository on which you have required access.

Generate SSH Key on Jenkins Server

First, we create a directory named githubrepos on the Jenkins server and a hidden directory ssh under that:

-bash-4.2$ mkdir githubrepos
-bash-4.2$ cd githubrepos/
-bash-4.2$ mkdir .ssh
-bash-4.2$ ls -al
total 4
drwxrwxr-x. 3 jenkins jenkins 18 Feb 22 23:33 .
drwxr-xr-x. 30 jenkins jenkins 4096 Feb 22 23:33 ..
drwxrwxr-x. 2 jenkins jenkins 6 Feb 22 23:33 .ssh

After this, we’ll generate ssh key pair and give the new location to save keys:

ssh-keygen -t rsa

We’ll leave the passphrase empty. Below is a sample run:

-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa): /var/lib/jenkins/githubrepos/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/jenkins/githubrepos/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/githubrepos/.ssh/id_rsa.pub.
The key fingerprint is:
63:05:7f:19:ec:d0:26:cd:33:cf:a6:cf:b0:c1:f1:67 jenkins@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| . =. |
| oo Oo |
| o=o= |
| . .o + |
| S . = |
| . . = . E|
| * o |
| . o |
| |
+-----------------+
-bash-4.2$ ^C

After that, we can get public key from id_rsa.pub:

-bash-4.2$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyO9WjepA/vbU/0m+e2QCibi6NbyugsfARKo3EWWXHU2pitK8hzl034X0BhqHpXOLkEhyM5Thjd5XoNY8YJW+l45SZ5KrchH6W9eM1TpbvxohCxxR3ziWJctvJrvmowteW9ss/Xy+71xxx/J8k1A24z2Rs0CFMopK1PQV8SYWpegfDGyBmHPQNfLvyGV7fe44BTD5KT6mvfF+ImJDHx/jhMI4w+FvPskqJLy25B5/IGVgseB8U6rLptLKqz7zC7Eh2yD6ou33ezEpRHVA2od4+NCbxSeKyEmMB5OtHiNoPH9CaHGWrgdKQp5iOBDGC1LtkCIaGr9AuoBNee3GALJ5 jenkins@localhost.localdomain

We need to copy this value.

Configure SSH Key for GitHub Project

Once logged in to GitHub, you need to go to sample repository on which you have access. Go to repository settings -> Deploy keys -> Add deploy key:

Key Based integration with GitHub.JPG

Give a name such as ‘Jenkins Build Server’ and add the key. You may select ‘allow write access’ as well. Since we are using Jenkins only to pull repository, we’ll leave this checkbox unchecked.

Install Credentials Plugin for Jenkins

We now need to add a plugin called ‘Credentials Plugin’ inside Jenkins, if its not already added. For this, login to Jenkins console -> Manage Jenkins -> Manage Plugins -> Available and search for credentials plugin:

Select and add Credentials Plugin.JPG

Once you select, install it.

Add SSH Key inside Jenkins

Now go to Credentials from left pane inside Jenkins console and then click global:

add-new-credentials-inside-jenkins

After this, select ‘Add Credentials’:

add-new-credentials-inside-jenkins-2

This will open a new form for us. In the Kind dropdown, select ‘SSH username with private key’ and then give a name for it. We’ll give ‘GitHub-DemoRepo’ so that we can easily identify that it is associated with demorepo repository in GitHub. We’ll then give the value of the key directly (below pic shows a public key pasted into private key area, which is a mistake. You need to put only private key into this area):

Add New Credentials inside Jenkins-3.JPG
Add New Credentials inside Jenkins-3

After this, click ok to save the credentials.

Install Git on Jenkins Server

Do make sure that git is already installed on the build server for this purposes.

Configure Jenkins Job to use SSH keys

Go to Jenkins job in reference, under source code management section, select the saved credentials title name (As mentioned in one of the comments below, the repository url needs to be ssh based url for the github repository):

Configure Jenkins job to use SSH keys.JPG

Once you have added it, click apply and save. It’s time now to go ahead and build our job.

Verify that SSH key is working

If you go to build output, it should clearly list that SSH key is being used for authentication. Below is a sample output highlighting the same:

Verify that ssh keys are being used in build logs.JPG
Verify that ssh keys are being used in build logs.

 

Published

19 thoughts on “Configuring SSH authentication between GitHub and Jenkins

  1. So I setup the SSH credentials but when I build the project it just sits at
    > git.exe fetch –tags –progress https://github.com/xxx/yyy.git +refs/heads/*:refs/remotes/origin/*

    i.e. full output below (with repo masked)
    Started by user Daniel Brown
    [EnvInject] – Loading node environment variables.
    Building in workspace G:\Jenkins\workspace\bic.github.develop
    > git.exe rev-parse –is-inside-work-tree # timeout=10
    Fetching changes from the remote Git repository
    > git.exe config remote.origin.url https://github.com/xxx/yyy.git # timeout=10
    Fetching upstream changes from https://github.com/xxx/yyy.git
    > git.exe –version # timeout=10
    using GIT_SSH to set credentials SSH Private key for Daniel’s Github
    > git.exe fetch –tags –progress https://github.com/xxx/yyy.git +refs/heads/*:refs/remotes/origin/*
    ERROR: Timeout after 10 minutes
    ERROR: Error fetching remote repo ‘origin’
    hudson.plugins.git.GitException: Failed to fetch from https://github.com/xxx/yyy.git
    at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:817)
    at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1084)
    at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1115)
    at hudson.scm.SCM.checkout(SCM.java:495)
    at hudson.model.AbstractProject.checkout(AbstractProject.java:1212)
    at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:566)
    at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:491)
    at hudson.model.Run.execute(Run.java:1729)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    at hudson.model.ResourceController.execute(ResourceController.java:97)
    at hudson.model.Executor.run(Executor.java:419)
    Caused by: hudson.plugins.git.GitException: Command “git.exe fetch –tags –progress https://github.com/xxx/yyy.git +refs/heads/*:refs/remotes/origin/*” returned status code -1:
    stdout:
    stderr:
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1924)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1643)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:71)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:352)
    at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:815)
    … 11 more
    ERROR: Error fetching remote repo ‘origin’
    Discard old builds…
    Finished: FAILURE

    Like

    Reply

  2. Hello…Please make sure that below things are true:
    1. Check if you are able to run the above command manually on the server.
    2. Make sure Jenkins service is running with the same account and it has local admin access on the server
    3. Make sure that ssh key is configured correctly. Also try to redo the above steps. Do make sure that there are no passphrases in the ssh key pair.

    Like

    Reply

    1. Hi Mohit, thanks for the quick reply. I ended up getting it working with just username and password, but do still want to complete the SSH instead.
      I can run the command within git bash using the Jenkins user login.
      We did change Jenkins to run as a specific Jenkins user. That user is an administrator of the Jenkins server machine. I even setup a new SSH for that jenkins user and put it in Github for my account.
      I did not use a passphrase at all.
      I even have all the commits coming in from Github into Jenkins for the builds.

      Like

      Reply

  3. Failed to connect to repository : Command … returned status code 128:
    stdout:
    stderr: Permission denied (publickey).
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists.

    Like

    Reply

    1. Hello…This tells me that either the key is wrong or you did not have access to the repo considering that url is right. Do make sure that you copy-paste entire key including all spaces and lines. If incoming commits work, then outgoing commits should work too provided you check the box for “allow write access” or may be I mimsinterpreted.

      Like

      Reply

  4. Thanks for the post.

    I was just experimenting with jenkins which was provided by google cloud “Deployment manager”.

    And want to leave two notes:
    1. Seems before you do anything with git you should install it on the server manually
    2. I’m not sure why have you put public key into the “Private key” textarea. In my case I’ve generated the key inside jenkins .ssh (/var/lib/jenkins/.ssh) and allowed jenkins to find it by itself. This worked.

    Regards,

    Like

    Reply

  5. Hello PavelPolyaKov. Thanks for stopping by and mentioning corrections. I can’t remember why I put public key inside private key text area. Seems like a mistake I corrected later and then forgot to update the snap pic. I’ll update post to clarify this. Thanks Again.

    Like

    Reply
  6. Pingback: Installing Jenkins on Centos 7 | The Full Stack Blog
  7. Pingback: Jenkins on CentOS 7 «

  9. What was the fix for this problem since I am facing the same issue. I tried various combinations but nothing seems to work and I get Permission denied (public key) error.

    Like

    Reply

    1. Here is the error message –
      19:52:03 debug1: Authentications that can continue: publickey
      19:52:03 debug1: Trying private key: /root/.ssh/id_rsa
      19:52:03 debug1: Trying private key: /root/.ssh/id_dsa
      19:52:03 debug1: Trying private key: /root/.ssh/id_ecdsa
      19:52:03 debug1: Trying private key: /root/.ssh/id_ed25519
      19:52:03 debug1: No more authentication methods to try.
      19:52:03 Permission denied (publickey).
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // timeout
      [Pipeline] }
      [Pipeline] // timestamps
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: script returned exit code 1
      Finished: FAILURE

      Like

      Reply

  10. Hi, The issue wasn’t with the key. It had to do with the user permissions. I had a common account created which was trying to match the public keys but this key wasn’t added to gerrit. I did it today and the job passed.

    Like

    Reply

  11. The instructions need to be updated to include that you need to use the SSH repo URL, not the HTTPS URL as shown in the picture under “Configure Jenkins Job to use SSH keys”. Once I changed from the HTTPS link to the SSH one, everything worked properly.

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s