how to setup ssh keys for jenkins to publish via ssh

Question

Jenkins requires a certificate to use the ssh publication and ssh commands. It can be configured under "manage jenkins" -> "Configure System"-> "publish over ssh".

The question is: How does one create the certificates?

I have two ubuntu servers, one running Jenkins, and one for running the app.

Do I set up a Jenkins cert and put part of it on the deployment box, or set up a cert on the deployment box, and put part of it on Jenkins? Does the cert need to be in the name of a user called Jenkins, or can it be for any user? We don't have a Jenkins user on the development box.

I know there are a number of incompatible ssh types, which does Jenkins require?

Has anyone found a guide on how to set this all up (how to generate keys, where to put them etc.)?

Answer 1

After Jenkins upgrade to 2.412 the rsa keys are not working and the plugin file trasfer over ssh is not working. To get that working generate the ecdsa ssh keys

ssh-keygen -t ecdsa -m PEM -f key_name

Answer 2

Username it takes is "jenkins" while setting up the key credentials, and then we need to switch to that user (in cli) in order to generate key pair to make git connection work.

here are the steps

1. switch to jenkins user

   sudo su - jenkins -s /bin/bash

2. Generate key pair

   ssh-keygen

3. Configure private key in jenkins as described

4. Configure public key on git repository side in deploy key section

5. Test connection, it should work.

Note: This steps are for jenkins in local machine , ubuntu 20.04.

Answer 3

You don't need to create the SSH keys on the Jenkins server, nor do you need to store the SSH keys on the Jenkins server's filesystem. This bit of information is crucial in environments where Jenkins servers instances may be created and destroyed frequently.

Generating the SSH Key Pair

On any machine (Windows, Linux, MacOS ...doesn't matter) generate an SSH key pair. Use this article as guide:

• GitHub: Generating a new SSH key and adding it to the ssh-agent (you can skip the section "Adding your SSH key to the ssh-agent")

On the Target Server

On the target server, you will need to place the content of the public key (id_rsa.pub per the above article) into the .ssh/authorized_keys file under the home directory of the user which Jenkins will be using for deployment.

In Jenkins

Using "Publish over SSH" Plugin

Ref: https://plugins.jenkins.io/publish-over-ssh/

Visit: Jenkins > Manage Jenkins > Configure System > Publish over SSH

• If the private key is encrypted, then you will need to enter the passphrase for the key into the "Passphrase" field, otherwise leave it alone.
• Leave the "Path to key" field empty as this will be ignored anyway when you use a pasted key (next step)
• Copy and paste the contents of the private key (id_rsa per the above article) into the "Key" field
• Under "SSH Servers", "Add" a new server configuration for your target server.

Using Stored Global Credentials

Visit: Jenkins > Credentials > System > Global credentials (unrestricted) > Add Credentials

• Kind: "SSH Username with private key"
• Scope: "Global"
• ID: [CREAT A UNIQUE ID FOR THIS KEY]
• Description: [optionally, enter a decription]
• Username: [USERNAME JENKINS WILL USE TO CONNECT TO REMOTE SERVER]
• Private Key: [select "Enter directly"]
• Key: [paste the contents of the private key (id_rsa per the above article)]
• Passphrase: [enter the passphrase for the key, or leave it blank if the key is not encrypted]

Answer 4

For Windows:

1. Install the necessary plugins for the repository (ex: GitHub install GitHub and GitHub Authentication plugins) in Jenkins.
2. You can generate a key with Putty key generator, or by running the following command in git bash: $ ssh-keygen -t rsa -b 4096 -C your_email@example.com
3. Private key must be OpenSSH. You can convert your private key to OpenSSH in putty key generator
4. SSH keys come in pairs, public and private. Public keys are inserted in the repository to be cloned. Private keys are saved as credentials in Jenkins
5. You need to copy the SSH URL not the HTTPS to work with ssh keys.

Answer 5

You will need to create a public/private key as the Jenkins user on your Jenkins server, then copy the public key to the user you want to do the deployment with on your target server.

Step 1, generate public and private key on build server as user jenkins

build1:~ jenkins$ whoami
jenkins
build1:~ jenkins$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa): 
Created directory '/var/lib/jenkins/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/jenkins/.ssh/id_rsa.
Your public key has been saved in /var/lib/jenkins/.ssh/id_rsa.pub.
The key fingerprint is:
[...] 
The key's randomart image is:
[...]
build1:~ jenkins$ ls -l .ssh
total 2
-rw-------  1 jenkins  jenkins  1679 Feb 28 11:55 id_rsa
-rw-r--r--  1 jenkins  jenkins   411 Feb 28 11:55 id_rsa.pub 
build1:~ jenkins$ cat .ssh/id_rsa.pub
ssh-rsa AAAlskdjfalskdfjaslkdjf... jenkins@myserver.com

Step 2, paste the pub file contents onto the target server.

target:~ bob$ cd .ssh
target:~ bob$ vi authorized_keys (paste in the stuff which was output above.)

Make sure your .ssh dir has permissoins 700 and your authorized_keys file has permissions 644

Step 3, configure Jenkins

1. In the jenkins web control panel, nagivate to "Manage Jenkins" -> "Configure System" -> "Publish over SSH"
2. Either enter the path of the file e.g. "var/lib/jenkins/.ssh/id_rsa", or paste in the same content as on the target server.
3. Enter your passphrase, server and user details, and you are good to go!