I manage a Jenkins CI server running on Ubuntu 14.04 with a few requirements:

  • Jobs make use of public/private key authentication for security, so an identity must have been added to ssh-agent prior to executing them
  • Our private key files must be passphrase protected
  • We cannot store that passphrase in an insecure location (like script source code or Jenkins configuration files)

Ideally, I want to ssh-add and enter the passphrase on the order of once per reboot. But I can't figure out how to get Jenkins CI to run its jobs in a way that takes advantage of this authentication.

Is it possible to get Jenkins to take advantage of identities added to an ssh-agent in advance?
Is there an alternative strategy I'm not seeing here?

1 Answer

Run ssh-agent with a static socket path, under the same UID as Jenkins uses:

sudo -u jenkins ssh-agent -a /tmp/ssh-agent.jenkins

Make sure the $SSH_AUTH_SOCK environment variable points to that path. You will want to set it 1) manually before ssh-add'ing your keys, and 2) in the Jenkins startup script (e.g. /etc/init.d/jenkins or equivalent):

export SSH_AUTH_SOCK="/tmp/ssh-agent.jenkins"

sudo -E -u jenkins ssh-add ...
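The answer's setup wrapped in a small management script, added here as an example and not part of the original answer. It starts one long-lived agent for the Jenkins service account at the fixed socket path, prints the export line the startup script needs, loads the key interactively so the passphrase never lands on disk, and refuses to hand Jenkins a path under /tmp that is not a socket owned by the jenkins user. The user name and socket path come from the answer; KEY_FILE is a placeholder, and the script name jenkins-agent.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer: keep one long-lived ssh-agent for the Jenkins
# service account at a fixed socket path, so the key passphrase is typed once per boot and
# every job reaches the key through SSH_AUTH_SOCK. The user name and socket path are taken
# from the answer above; KEY_FILE is a placeholder for the passphrase-protected key.
#
#   sudo sh jenkins-agent.sh start    # once per reboot (e.g. from the Jenkins init script)
#   sudo sh jenkins-agent.sh add      # interactive: ssh-add prompts for the passphrase
#   sudo sh jenkins-agent.sh status   # list the identities the agent currently holds

AGENT_USER="${AGENT_USER:-jenkins}"
AGENT_SOCK="${AGENT_SOCK:-/tmp/ssh-agent.jenkins}"
KEY_FILE="${KEY_FILE:-/var/lib/jenkins/.ssh/id_rsa}"    # placeholder, adjust to your key

# agent_env SOCK: the line the Jenkins startup script must export so jobs find the agent.
agent_env() {
    printf 'export SSH_AUTH_SOCK="%s"\n' "$1"
}

# agent_sock_ok SOCK USER: succeed only if SOCK is a real unix socket (not a symlink)
# owned by USER. Anything else under a shared /tmp (a stale file, someone else's socket)
# is rejected rather than handed to ssh-add or to Jenkins.
agent_sock_ok() {
    [ -S "$1" ] || return 1
    if [ -L "$1" ]; then return 1; fi
    [ "$(stat -c %U "$1" 2>/dev/null)" = "$2" ]
}

# agent_alive SOCK USER: the socket passes agent_sock_ok and an agent answers on it.
# ssh-add -l exits 0 (keys loaded) or 1 (agent up, no keys); 2 means no agent reachable.
agent_alive() {
    agent_sock_ok "$1" "$2" || return 1
    rc=0
    sudo -u "$2" env SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# start_agent: start the agent unless one is already answering on AGENT_SOCK.
start_agent() {
    if agent_alive "$AGENT_SOCK" "$AGENT_USER"; then
        echo "ssh-agent already running on $AGENT_SOCK"
        return 0
    fi
    # ssh-agent -a refuses an existing path, so clear a dead socket left by an unclean
    # shutdown, but only if it belongs to the Jenkins user.
    if [ -e "$AGENT_SOCK" ]; then
        if [ "$(stat -c %U "$AGENT_SOCK")" != "$AGENT_USER" ]; then
            echo "refusing to remove $AGENT_SOCK: not owned by $AGENT_USER" >&2
            return 1
        fi
        rm -f "$AGENT_SOCK"
    fi
    # The agent's own "SSH_AUTH_SOCK=...; SSH_AGENT_PID=..." output is not needed: the path is fixed.
    sudo -u "$AGENT_USER" ssh-agent -a "$AGENT_SOCK" >/dev/null
    agent_sock_ok "$AGENT_SOCK" "$AGENT_USER" && agent_env "$AGENT_SOCK"
}

# add_key: load the key into the running agent. ssh-add reads the passphrase from the
# terminal, so it is never stored in a script or in Jenkins configuration.
add_key() {
    if ! agent_alive "$AGENT_SOCK" "$AGENT_USER"; then
        echo "no agent on $AGENT_SOCK; run '$0 start' first" >&2
        return 1
    fi
    sudo -u "$AGENT_USER" env SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add "$KEY_FILE"
}

# agent_status: show what the agent holds, as the jobs will see it.
agent_status() {
    sudo -u "$AGENT_USER" env SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)  start_agent ;;
        add)    add_key ;;
        status) agent_status ;;
        *)      echo "usage: $0 {start|add|status}" >&2; exit 2 ;;
    esac
fi
```

The script passes SSH_AUTH_SOCK with `env` under `sudo -u jenkins` instead of `sudo -E`, so it does not depend on the sudoers policy allowing environment preservation; the effect is the same as the answer's `export` plus `sudo -E`. Once a key is loaded, anything able to run as the jenkins UID can sign with it, which is the trade-off this design accepts; `ssh-add -t` can put a lifetime on the identity if once-per-reboot is longer than you want.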
