5
votes

Is it possible for the Jenkins "Execute shell" to execute SSH commands?

Jenkins has a number of pre- and post-build options which cater specifically for SSH-type commands; however, I have a single script which does both the build and then SCP and SSH commands. Is Jenkins forcing users to break up build scripts into multiple steps?

The "Execute Shell" is the one I'm trying to execute my SSH commands from; however, I've had no success.

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/lib/jenkins/.ssh/identity
debug1: Trying private key: /var/lib/jenkins/.ssh/id_rsa
debug1: Trying private key: /var/lib/jenkins/.ssh/id_dsa
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
SSH Access not available for build engine

2 Answers

16
votes

As long as you use a publickey, you'll be able to send commands via ssh and copy files via scp. We use this to spawn some specific processes and publish certain artifacts that can't be pushed via existing commands for various reasons.

It's necessary to be careful which keys you are using and what users you are addressing on the remote server. Often, we use explicit -i arguments in ssh and we always use explicit user names to make sure that everything goes as expected.

ssh -i <key_path> <user>@<fqdn_host> <command>

If you do this in your script, you should be fine. Of course, the key file will have to be readable by your Jenkins process and you will need to make sure that the key is installed on both sides.

I would also strongly suggest using ssh's built-in policy controls to control:

  • Which hosts can use this key
  • What commands can be used by this key

In particular, you can use settings in the ~/.ssh/authorized_keys on the host that is the target of the ssh/scp command to limit the hosts that can attach (host=) and even pre-load the command so that particular key always executes just one particular command (command=).

For the truly adventurous, you can specify a command= and send the commands to a restricted shell command which limits either the directory access or command access.
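
The `command=` restriction described in the answer above, as an added example that is not part of the original answer: a forced-command script that maps the command requested over SSH to a short allowlist, with the `authorized_keys` line that installs it shown in the header comment. OpenSSH's option for limiting source hosts is `from=`; the host name, script path, service name and `publish-artifact` tool are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command gate for a Jenkins deploy key.
# Assumed install path (hypothetical): /usr/local/bin/jenkins-gate
# Matching ~/.ssh/authorized_keys line on the target host (constructed values):
#   from="jenkins.example.com",command="/usr/local/bin/jenkins-gate",restrict ssh-ed25519 <public-key> jenkins@build
# sshd ignores the command the client sent, runs this script instead, and
# exposes the client's request in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL    # keep the character ranges below ASCII-only

# Map a requested command to the fixed action it may trigger.
# Prints the action and returns 0 if allowed; returns 1 otherwise.
gate_decide() {
    case $1 in
        restart-app)
            echo "/usr/bin/systemctl restart myapp" ;;       # hypothetical service
        "publish "*)
            artifact=${1#publish }
            case $artifact in
                ""|[.-]*|*[!A-Za-z0-9._-]*) return 1 ;;     # plain file names only
            esac
            echo "/usr/local/bin/publish-artifact $artifact" ;;  # hypothetical tool
        *)
            return 1 ;;
    esac
}

gate_main() {
    request=${SSH_ORIGINAL_COMMAND:-}
    if action=$(gate_decide "$request"); then
        logger -t jenkins-gate "allowed: $request"
        set -f               # no globbing when the validated action is split
        exec $action
    fi
    logger -t jenkins-gate "denied: $request"
    echo "jenkins-gate: command not permitted" >&2
    return 1
}

# Act only when started by sshd, which sets SSH_CONNECTION for the session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    gate_main
    exit $?
fi
```

From the Jenkins "Execute shell" step the call then looks like `ssh -i <key_path> <user>@<fqdn_host> restart-app`; any other request, including an interactive login, is logged and refused.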

3
votes

Instead of explicitly executing an ssh command from an "Execute shell" step, you could use one of the existing Jenkins add-ons: