Continuous Integration

Jenkins SSH Errors and How to Fix Them


Dealing with Jenkin’s SSH issues is definitely not enjoyable to troubleshoot. It’s a curse of Jenkins plugin architecture, connecting with SSH requires multiple SSH plugins to work together and to Jenkins, it just reports an error somewhere down in the plugin layer. The good news, is once you get through this issue, it tends to not come back up again.

Your Jenkins probably has these plugins installed and depending on which one you are using, the errors can look different :

  • SSH Agent Plugin
  • SSH Build Agents plugin
  • SSH Credentials Plugin
  • SSH plugin
  • Publish Over SSH

[SSH] Exception:Auth fail

If you are getting this error, it means your username/password is invalid, you do not have an SSH Agent passing a public key, or the remote server does not have this key setup in its authorized_keys file.

[SSH] executing...
[SSH] Exception:Auth fail
com.jcraft.jsch.JSchException: Auth fail
	at com.jcraft.jsch.Session.connect(Session.java:519)
	at org.jvnet.hudson.plugins.CredentialsSSHSite.createSession(CredentialsSSHSite.java:132)
	at org.jvnet.hudson.plugins.CredentialsSSHSite.executeCommand(CredentialsSSHSite.java:208)
	at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:104)

SOLUTIONS

If you are using public key authentication, make sure to have the Build Environment > SSH Agent enabled

Then double check that the remote host has this public key is in its ~/.ssh/authorized_keys

You can add add this line to the top of the jenkin’s script to add it.

ssh-keyscan zazeski.com -t rsa >> ~/.ssh/known_hosts

If this connection used to work but has stopped, it might be due to the server having a different SSH fingerprint. This also could mean that a server is impersonating your real server, so if you didn’t do something to the remote server you may want to take this as a warning. Otherwise, I would recommend logging into the Jenkins instance that is making the connection and trying to ssh into the remote host. You will then see the error that is occurring:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:aB1cDEFgHIJK2lmNOpQR345STuvoWLoxPDEuKIrZWtU.
Please contact your system administrator.
Add correct host key in /home/steve/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/steve/.ssh/known_hosts:6
  remove with:
  ssh-keygen -f "/home/steve/.ssh/known_hosts" -R "zazeski.com"
ECDSA host key for aws-m5.zazeski.com has changed and you have requested strict checking.
Host key verification failed.

[SSH] Session is Down

If you are getting this error, it really means that something went wrong after SSH started the connection but before it successfully connected. Most likely you have a missing SSH fingerprint. You know how when you first connect to a new server it asks if you want to add the server fingerprint to your list. Well Jenkins connects to the server, asks the non-existent terminal user if it can add the fingerprint, then fails the build.

[SSH] executing... 
[SSH] Exception:session is down 
com.jcraft.jsch.JSchException: session is down 
   at com.jcraft.jsch.Channel.sendChannelOpen(Channel.java:762) 
   at com.jcraft.jsch.Channel.connect(Channel.java:151)
   at com.jcraft.jsch.Channel.connect(Channel.java:145)
   at org.jvnet.hudson.plugins.CredentialsSSHSite.doExecCommand(CredentialsSSHSite.java:250)

SOLUTION
add this command to your Jenkins script before it makes a SSH call or if the job immediately uses SSH, just add a new job and have it run this code in the local execute shell for that executor. This will add the fingerprint if there isn’t already a fingerprint in the file and its recommended to have at the start of all of your jenkins jobs so it can move to other executors and bootstrap itself.

HOSTNAME=example.com
ssh-keygen -F ${HOSTNAME} || ssh-keyscan ${HOSTNAME} -t rsa >> ~/.ssh/known_hosts

If you have a different issue, please write a comment below as I would like to expand this page to cover more issues.

openanalytics 718 views

I'm a 33 year old UIUC Computer Engineer building mobile apps, websites and hardware integrations with an interest in 3D printing, biotechnology and Arduinos.

View Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.