Jenkinsサーバー(RHEL6)で、「BatchMode yes」と一緒にSCPを使用してリモートシステムからファイルをコピーするスクリプトを起動します。スクリプトはJenkinsの外部でうまく実行されますが、内部では失敗します。詳細なSCPログは次のようになります。
debug1: Next authentication method: publickey
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
そのため、Jenkinsユーザーはログインに必要なものがありません。 Known_hosts エントリではないか、少なくとも正しいホストが /var/lib/jenkins/.ssh/known_hosts にリストされています。また何がありますか?
編集する:要求どおり、コマンドは次のようになります。
scp -vvv -o "BatchMode yes" [email protected]:myfile.txt .
以下はより詳細なログフラグメントです。
Executing: program /usr/bin/ssh host myserver.com, user myuser, command scp -v -f myfile.txt
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 773/1536
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 208 bytes for a total of 1213
debug3: check_host_in_hostfile: host myserver.com filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: host myserver.com filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /var/lib/jenkins/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'myserver.com' is known and matches the RSA host key.
debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:2
debug2: bits set: 759/1536
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1229
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1277
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/jenkins/.ssh/identity ((nil))
debug2: key: /var/lib/jenkins/.ssh/id_rsa (0x7f38a83ee310)
debug2: key: /var/lib/jenkins/.ssh/id_dsa ((nil))
debug2: key: /var/lib/jenkins/.ssh/id_ecdsa ((nil))
debug3: Wrote 64 bytes for a total of 1341
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-with-mic,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug3: no such identity: /var/lib/jenkins/.ssh/identity
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1709
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug3: sign_and_send_pubkey: RSA 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
答え1
以下は、何が起こったのかを示すログの一部です。
debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug3: no such identity: /var/lib/jenkins/.ssh/identity
debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1709
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug3: sign_and_send_pubkey: RSA 72:a5:45:d3:f2:6d:15:c4:2e:f9:37:34:44:10:2b:b9:59:ee:18:c0
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_dsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_ecdsa
debug3: no such identity: /var/lib/jenkins/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
ここで悪いことが起こるのを見てください。
まず、公開鍵として提供されますが、/var/lib/jenkins/.ssh/id_rsa
実際には秘密鍵でなければなりません。 sshd設定ファイルを見ると役に立ちます。
次に秘密鍵を検索しますが、どこにも見つかりません。
/var/lib/jenkins/.ssh/id_dsa
/var/lib/jenkins/.ssh/id_ecdsa
ログファイルの前半で次のファイルが存在すると主張するので、これは奇妙です。
debug1: identity file /var/lib/jenkins/.ssh/identity type -1
debug1: identity file /var/lib/jenkins/.ssh/identity-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/jenkins/.ssh/id_ecdsa-cert type -1
私がしようとしていることは次のとおりです。
chmod go-rwx /var/lib/jenkins/.ssh/*
これにより、ユーザーにのみキーファイルへの読み取りアクセス権が付与されます。 OpenSSH は、セキュリティが設定されている場合は、一般的に読み取り可能なキーファイルの使用を拒否するため、これは重要です。- キーファイルはパスワードで生成されますか?パスワードで保護されたキーファイルは自動化には適していないため、キーファイルがパスワードで保護されていないことを確認してください。
/home/myuser/.ssh/authorized_keys
myserver.comにキーファイルがインストールされ実行されていますかchmod go-rwx /home/myuser/.ssh/*
?
答え2
しばらくすると、「sudo ssh-keygen」というキーを直接生成したことに気づきました。これは、キーが実際にはrootユーザーに属し、jenkinsユーザーにはキーを読み取る権限がないことを意味します。 sshが私にこれを教えてくれたら大丈夫です。ただし、sshがキーを読み取れない場合は、最初に行うことはパスワードを求めることです。しかし、バッチモードで実行されているため、パスワードを要求できず、ただ放棄してキーで失敗します。 jenkinsユーザーにキーファイルを提供すると、すべてがうまく機能します。