plink won't find pageant when run over Jenkins


I'm trying to set up automatic backups using a Jenkins build in Windows. The config is:

  • Windows 7
  • Jenkins 1.594
  • putty tools beta 0.63

I'm running Jenkins as a service under an unprivileged 'jenkins' user. I have created a public/private key pair and uploaded it to the SSH server, and I have validated that I'm able to log in without entering the user password while running pageant with the private key loaded while logged in with the jenkins user.

The Jenkins build invokes a batch script which uses plink to run a postgres backup on the SSH server and afterwards runs pscp to copy the backup locally. The issue is that, if I run the same script as the jenkins user via the command line, everything works, but when the script is invoked through Jenkins it looks like it doesn't detect that pageant is running. The jenkins user has an active session with pageant running.

The question is: how to make plink/pscp find the pageant instance?

MANUAL RUN OUTPUT:

plink -v -batch -agent -l user -P 22 <IP> "<COMMAND>"
Looking up host "<IP>"
Connecting to <IP> port 22
Server version: SSH-2.0-OpenSSH_5.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 <FINGERPRINT>
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 1 SSH-2 keys
Using username "user".
Trying Pageant key #0
Authenticating with public key "jenkins@build" from agent
Sending Pageant's response
Access granted
Opening session as main channel
Opened main channel
Started a shell/command
...

JENKINS RUN OUTPUT:

plink -v -batch -agent -l user -P 22 <IP> "<COMMAND>" 
Looking up host "<IP>"
Connecting to <IP> port 22
Server version: SSH-2.0-OpenSSH_5.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 2048 <FINGERPRINT>
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "user".
Using SSPI from SECUR32.DLL
Attempting GSSAPI authentication
GSSAPI authentication request refused
Disconnected: Unable to authenticate
1

There are 1 answers

Abhishek On

The Session# and Session Name for pageant.exe are different when started from a normal CMD and from Jenkins. Via CMD the Session Name is "Console". Via Jenkins it is "Services".

As Martin Prikryl correctly pointed out, the plink.exe of a session can only access the pageant.exe of the same session. Hence, the plink.exe of Jenkins (Session Name = Services) cannot access the pageant.exe of the Windows user session (Session Name = Console).

Command Used: tasklist /FI "IMAGENAME eq pageant.exe"

I tried starting pageant.exe from Jenkins and then letting plink.exe from Jenkins use this pageant session, but somehow Jenkins could not start pageant :(

The workaround for this is to start Jenkins from CMD and not from Services:

java -jar jenkins.war

This will ensure that both pageant and plink have the same Session Name, i.e. Console, and now plink is able to communicate with pageant :)
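
The session mismatch described in the answer can be confirmed from a build step by comparing session numbers in `tasklist /FO CSV` output and by checking `plink -v` output for the "Pageant is running" line, which appears in the manual run above and is missing from the Jenkins run. This is an added example, not code from the question or the answer; the function names are hypothetical, the sample data is constructed, and English-locale `tasklist` column headers are assumed.

```python
import csv
import io

# Constructed sample of `tasklist /FO CSV` output (PIDs and memory sizes are made up).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"pageant.exe","4120","Console","1","5,432 K"
"java.exe","1788","Services","0","412,300 K"
"plink.exe","5216","Services","0","3,104 K"
'''


def sessions_by_image(tasklist_csv):
    """Map lower-cased image name -> set of (session name, session number)."""
    found = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        entry = (row["Session Name"], int(row["Session#"]))
        found.setdefault(row["Image Name"].lower(), set()).add(entry)
    return found


def agent_reachable(tasklist_csv, client="plink.exe", agent="pageant.exe"):
    """True if some agent instance runs in the same session as the client.

    Follows the answer's explanation: plink can only talk to a pageant
    that lives in its own Windows session.
    """
    sessions = sessions_by_image(tasklist_csv)
    client_ids = {num for _, num in sessions.get(client.lower(), set())}
    agent_ids = {num for _, num in sessions.get(agent.lower(), set())}
    return bool(client_ids & agent_ids)


def agent_consulted(plink_verbose_log):
    """True if the `plink -v` output shows that a Pageant instance was found."""
    return any(line.strip().startswith("Pageant is running")
               for line in plink_verbose_log.splitlines())


if __name__ == "__main__":
    print("pageant reachable from plink:", agent_reachable(SAMPLE_TASKLIST))
    print("sessions:", sessions_by_image(SAMPLE_TASKLIST))
```

In a real job, feed the functions the captured output of `tasklist /FO CSV` and of the `plink -v` call instead of the constructed sample.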