SSH Connection Succeeds, But Script Execution Fails to Recognize SSH Key on VM

[DominikWunderlich]

I’m using Tart with Jenkins to establish an SSH connection from a Jenkins agent to a VM running on that agent. The SSH connection itself is successful, but when I try to execute a script on the VM, it seems that the script does not recognize or use the SSH key that was passed.

Steps to Reproduce:

1. Store the SSH private key in Jenkins Credentials.
2. In a Jenkins pipeline, use the withCredentials block to pass the key to the agent.
3. Write the key to a temporary file on the agent.
4. Establish an SSH connection to the VM using the key.
5. Execute a script on the VM that requires SSH access (e.g., to pull from a Git repository).

Here’s the relevant portion of my Jenkins pipeline script:

withCredentials([sshUserPrivateKey(credentialsId: 'xyz123', keyFileVariable: 'PK')]) {
    sh """
    printf "%s" "$PK" > /tmp/temp_ssh_key
    chmod 600 /tmp/temp_ssh_key
    sshpass -p $VM_PW ssh -i /tmp/temp_ssh_key -o 'StrictHostKeyChecking=no' $VM_USER@$(tart ip $IMAGE_NAME) 'bash -s' < '${env.WORKSPACE}/myScript.sh'
    rm -f /tmp/temp_ssh_key
    """
}

Expected Behavior:

The script executed on the VM should be able to use the SSH key to perform operations like cloning a Git repository or accessing other SSH-protected resources.

Actual Behavior:

The script on the VM seems to fail when it requires SSH access, indicating that it doesn’t recognize or cannot use the SSH key passed from the Jenkins agent.

Additional Information:

• The SSH connection itself is successful.
• The script execution fails only when it tries to perform SSH-related tasks that require the key.

Is there something specific about how Tart handles SSH keys or sessions that might cause this issue? Could it be related to the environment in which the script is executed on the VM?

Any guidance or insights would be greatly appreciated!

[edigaryev]

Is there something specific about how Tart handles SSH keys or sessions that might cause this issue? Could it be related to the environment in which the script is executed on the VM?

This is unlikely, because the Tart is pretty net-neutral unless --net-softnet is used, and we don't do anything special to the VM environments, you can check the base.pkr.hcl to see that it's mostly about installing Homebrew and assorted software.

Regarding the pipeline script you've posted, I think it needs to either (1) copy of the private key into the VM or (2) forward the agent connection to the VM to achieve what you want.

The latter can be accomplished by first starting a new instance of the SSH agent, adding a private key to it, and then forwarding the agent connection when connecting to the VM using the -A command-line argument of ssh:

withCredentials([sshUserPrivateKey(credentialsId: 'xyz123', keyFileVariable: 'PK')]) {
    sh """
        eval \$(ssh-agent -s)
        ssh-add ${PK}
        sshpass -p $VM_PW ssh -A -o 'StrictHostKeyChecking=no' $VM_USER@$(tart ip $IMAGE_NAME) 'bash -s' < '${env.WORKSPACE}/myScript.sh'
        ssh-agent -k
    """
}

Note that you can use the PK directly to simplify things up. From the sshUserPrivateKey documentation:

The file is deleted when the build completes.

[DominikWunderlich]

Thanks for your response! It turns out that the issue was related to the known_hosts file. Forwarding the agent indeed solved the problem, but I needed to add the host to the known_hosts file first. Once I did that, everything worked as expected.

I appreciate your help!