Generate Key As Jenkins User

If you're trying to create a key that your local jenkins user can access, you won't be able to use ssh-copy-id. The best approach will be to run bash with the jenkins user like I described in the answer and then create the key in /var/lib/jenkins/.ssh. I can run the command within git bash using the Jenkins user login. We did change Jenkins to run as a specific Jenkins user. That user is an administrator of the Jenkins server machine. I even set up a new SSH for that jenkins user and put it in Github for my account. I did not use a passphrase at all. Configure the SSH public key component of this key pair (which you can copy and paste from the Blue Ocean interface) for the remote Git server’s user account (e.g. within the authorized_keys file of the machine’s gituser/.ssh directory). Note: This process allows your Jenkins user to access the repositories that your Git server’s user account (e.g. gituser) has access to. Configuring SSH authentication between GitHub and Jenkins. Mohit Goyal CI/CD February 27, 2017 February 16. Generate SSH Key on Jenkins Server.

With many of the tools commonly used in a Continuous Delivery pipeline, Windows is not the original OS the tool was developed for. Although support and adoption are growing all the time, there can still be some pain points and gotchas in configuring some of them to work as you would expect on a Windows OS.

The Automation workflow uses the IAM user account's Access key and Secret key to authenticate the Jenkins server during execution. To create a user account for the Jenkins server: from the Users page on the IAM console, choose Add User.

In this post, we’re going to combine two of the big hitters in this space, Jenkins and Git. Jenkins is the most widely adopted solution for automating build and CI/CD pipelines and Git is the dominant force in source control management. We’re going to get Jenkins talking to a remote Git repository, specifically a private GitHub repository, using SSH authentication.

Git was developed specifically for managing the development of the Linux kernel (by Linus Torvalds himself no less) and was brought to Windows as an afterthought. Git comes bundled with OpenSSH, which does not yet have a production-ready implementation on Windows, although Microsoft is working on one that is currently pre-release [Win32-OpenSSH]. For this reason, Git for Windows is bundled with MINGW, a minimal GNU development environment that runs on Windows.

With that background out of the way, let’s get started.

Requirements

Tool | Version used in this post | Link | Notes
Jenkins | 2.60.2 | https://jenkins.io/ |
Git Plugin/Git Client Plugin (Jenkins) | 3.5.1/2.5.0 | https://wiki.jenkins.io/display/JENKINS/Git+Plugin |
Git for Windows | 2.14.1 | https://git-scm.com/downloads | Includes MINGW and OpenSSH
PsExec | 2.2 | https://docs.microsoft.com/en-us/sysinternals/downloads/psexec |

A note on installing Git for Windows

The first “gotcha” is how you install Git on the Jenkins worker in the first place. The Git plugin for Jenkins is not yet compatible with the Git Credential Manager for Windows. Ensure that you uncheck the box for this option at installation time.

If you see Jenkins hanging and timing out after ten minutes when executing a git fetch, this is a sign that you have the Git Credential Manager installed. The job is hanging because the Git Credential Manager has intercepted the command and is ignoring any other preconfigured authentication mechanism.

The only way around this at the moment is to choose not to install it.

Telling Jenkins where to find Git

After installation, our first job is to configure the Tool Location for Git. First, let’s figure out what the location is. Open PowerShell and input:

This will output something similar to:

Copy the path to git.exe.

In Jenkins, click Manage Jenkins then Configure System. In Global properties check Tool Locations, select (Git) Default and enter the path to git.exe in the Home textbox.

Save and exit the page.

Generating SSH keys for the Jenkins service

On Windows, the Jenkins services run as the Local System user by default, not your own user identity. It’s important to understand that Jenkins will be executing the Git commands and authenticating in the context of that user identity. This is important because OpenSSH will look for the SSH keys in the home directory of the user and the Local System account does not use the same home directory that your own personal account has.

Finding the Local System home directory

You probably don’t know what your Local System account considers its home directory. To find out, you need to start a command prompt as the Local System user and resolve %UserProfile%, but that’s easier said than done.

One way to run a process as the Local System account is to use PsExec, a Sysinternals tool that is normally used to execute programs on remote hosts. Using the -s parameter starts the process as Local System, so execute the following from PowerShell:

This will open a command prompt as Local System. Then resolve %UserProfile%:

This will output a path similar to:

So for me, C:\WINDOWS\system32\config\systemprofile is the home directory of my Local Service account.

Generating keys with OpenSSH

One approach to enabling your Local Service account to work over SSH with a remote repo is to copy the .ssh directory from your personal home directory (containing previously generated and configured keys) over to the Local Service home directory, so that it effectively uses the same identity as your personal account over SSH. But I prefer to keep Local Service as a separate identity with its own keys, so generating new SSH keys is what we will be doing next.

From the Local Service command prompt you started with PsExec earlier, execute:

This will start Bash in a MINGW window, the minimal GNU environment for Windows that I mentioned earlier, as the Local System user.

Execute the following to generate a new public and private RSA key with OpenSSH:

The proposed location of the keys will default to the home directory of the Local Service account that you discovered earlier, keep this default. When OpenSSH asks for a passphrase, just press Enter (and again on confirmation) to opt for no passphrase.

It is, of course, better to use SSH keys that are encrypted with a passphrase, but I have found that the Git plugin for Jenkins does not work very well with SSH keys that require a passphrase, even though its Credentials UI does allow you to enter one.

That whole workflow should look similar to the below:

You should see that there is now a .ssh directory in the Local Service home directory containing a public and private key pair. id_rsa.pub is the public key and id_rsa is the private key. The local Jenkins server will use the private key and the remote Git server will use the public key.
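Since the key generated above has no passphrase, it helps to be able to confirm which private keys in a service account's .ssh directory are stored unencrypted. The following is an added example, not code from the original post: it inspects only the key file headers, and the function names and sample keys are constructed for illustration.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(buf, offset):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end

def key_protection(text):
    """Classify private-key text as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(body), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _ssh_string(blob, off)
        except (ValueError, struct.error):
            return "unknown"
        # New-format keys name their cipher and KDF; "none" means no passphrase.
        return "unencrypted" if cipher == kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: a passphrase-protected file has a "Proc-Type: 4,ENCRYPTED" line.
        marked = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
        return "encrypted" if marked else "unencrypted"
    return "unknown"

def audit_ssh_dir(directory):
    """Map each private-key file in a .ssh directory to its protection state."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and not path.name.endswith(".pub"):
            state = key_protection(path.read_text(errors="replace"))
            if state != "unknown":
                report[path.name] = state
    return report

def constructed_openssh_key(cipher, kdf):
    """Header-only demo blob (constructed; contains no key material)."""
    fields = b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf, b""))
    b64 = base64.b64encode(OPENSSH_MAGIC + fields).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy-PEM samples (placeholder body, not real keys).
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n"
                    "\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
```

Calling audit_ssh_dir() on the service account's .ssh directory returns a dictionary of key file names and their state, which makes passphrase-less keys easy to list and track for rotation.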

Adding the public key in GitHub

This next part is quite simple, we’re going to register the public key with our remote Git server. I’m going to use my personal GitHub, but it should be simple to replace these steps with the equivalents for the likes of BitBucket, etc.

  1. In your web browser, log in to GitHub.
  2. From your GitHub profile, click Settings, then SSH and GPG keys, then New SSH key.
  3. Give the key a name. I like SYSTEM@COMPUTER (substitute the name of your machine) because the name will remind me that it’s associated with the Local System account of my machine.
  4. On your local machine, open id_rsa.pub in a text editor, e.g. Notepad++. The contents will begin with: ssh-rsa.
  5. Press CTRL+A to select the entire file contents, then CTRL+C to copy it to your clipboard.
  6. Paste (CTRL+V) into the Key area in the web UI.
  7. Click Add SSH key.

And we’re done. Let’s test that we can now authenticate successfully with the corresponding private key.

Testing the SSH keys

Back in the MINGW shell (still running as our Local Service account) enter the following to connect to GitHub with SSH:

You will probably find that github.com is not yet a known host and you will get a prompt similar to below.

Just enter yes to accept the connection. On successfully connecting you will see:

We can see that the keys are correctly associated with our GitHub account.

Testing with a Jenkins project

Now all that remains is to test everything with a Jenkins project. For this I have a private GitHub repository containing the following Jenkinsfile:

This pipeline script just outputs “Hello, World!” to the console output, so nothing too interesting. Now we just need a Jenkins job to execute it:

The “Pipeline script from SCM” option means that the job definition lives in the SCM system itself and must be fetched to run. Our job won’t work at all if Jenkins isn’t successful in authenticating with GitHub using our SSH keys.

Make sure that the Repository URL is in a form that will use SSH to authenticate. An HTTPS URI, e.g. https://github.com/user/repo.git, will be expecting a username and password. See Git – The Protocols for more information.

Because OpenSSH will default to looking in %UserProfile%\.ssh for keys, we don’t actually need to tell Jenkins what the private key is. So I’ve associated no credentials with this test job. Of course, you could choose to if you had a need.

If we run this, we should see:

We can see “Hello, World!” so we successfully fetched the job definition from the private Git repository.

  • Setting up your Pipeline project
    • For a Git repository
    • For a repository on GitHub
    • For a repository on Bitbucket Cloud

Blue Ocean makes it easy to create a Pipeline project in Jenkins.

A Pipeline can be generated from an existing Jenkinsfile in source control, or you can use the Blue Ocean Pipeline editor to create a new Pipeline for you (as a Jenkinsfile that will be committed to source control).

Setting up your Pipeline project

To start setting up your Pipeline project in Blue Ocean, at the top-right of the Blue Ocean Dashboard, click the New Pipeline button.

If your Jenkins instance is new or has no Pipeline projects or other items configured (and the Dashboard is empty), Blue Ocean displays a Welcome to Jenkins message box on which you can click the Create a new Pipeline button to start setting up your Pipeline project.

You now have a choice of creating your new Pipeline project from a:

  • repository on GitHub or GitHub Enterprise

  • repository on Bitbucket Cloud or Bitbucket Server

For a Git repository

To create your Pipeline project for a Git repository, click the Git button under Where do you store your code?

In the Connect to a Git repository section, enter the URL for your Git repository in the Repository URL field.

You now need to specify a local or a remote repository from which to build your Pipeline project.

Local repository

If your URL is a local directory path (e.g. beginning with a forward slash / such as /home/cloned-git-repos/my-git-repo.git), you can proceed to click the Create Pipeline button.

Blue Ocean will then scan your local repository’s branches for a Jenkinsfile and will commence a Pipeline run for each branch containing a Jenkinsfile. If Blue Ocean cannot find any Jenkinsfile, you will be prompted to begin creating one through the Pipeline editor.

Local repositories are typically limited to file system access. They are usually only visible from the master node. Local repositories are also known to require more complicated path names on Windows computers than most users want to manage. Users are advised to run jobs on agents rather than running them directly on the master. For those reasons, use a remote repository rather than a local repository for the best Blue Ocean experience.

Remote repository

Since the Pipeline editor saves edited Pipelines to Git repositories as Jenkinsfiles, Blue Ocean only supports connections to remote Git repositories over the SSH protocol.

If your URL is for a remote Git repository, then as soon as you begin typing the URL, starting with either:

  • ssh:// - e.g. ssh://gituser@git-server-url/git-server-repos-group/my-git-repo.git
    or

  • user@host:path/to/git/repo.git - e.g. gituser@git-server-url:git-server-repos-group/my-git-repo.git,

Blue Ocean automatically generates an SSH public/private key pair (or presents you with an existing one) for your current/logged in Jenkins user. This credential is automatically registered in Jenkins with the following details for this Jenkins user:

  • Domain: blueocean-private-key-domain

  • ID: jenkins-generated-ssh-key

  • Name: <jenkins-username> (jenkins-generated-ssh-key)
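
Both the earlier advice to use a Repository URL that authenticates over SSH and the two SSH URL forms listed above come down to which transport Git will pick for a given URL. This added example (not part of the Jenkins documentation or the original post) classifies remote URLs accordingly; classify_remote and non_ssh_remotes are hypothetical helper names, and the Windows path in the sample list is constructed.

```python
import re
from urllib.parse import urlsplit

# scp-like syntax accepted by Git: [user@]host:path (no scheme).
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/\s:]+)@)?(?P<host>[^@/\s:]+):(?P<path>.+)$")
WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
SCHEMES = {"ssh": "ssh", "git+ssh": "ssh", "ssh+git": "ssh",
           "https": "https", "http": "http", "git": "git", "file": "local"}

def classify_remote(url):
    """Describe how Git would reach `url` and whether SSH key auth applies."""
    url = url.strip()
    result = {"transport": "unknown", "host": None, "user": None, "uses_ssh_key": False}
    # Check drive letters first: a path like C:\repos\x.git would otherwise look scp-like.
    if WINDOWS_DRIVE.match(url) or url.startswith(("/", "./", "../", "\\\\")):
        result["transport"] = "local"
    elif "://" in url:
        parts = urlsplit(url)
        result["transport"] = SCHEMES.get(parts.scheme.lower(), "unknown")
        result["host"], result["user"] = parts.hostname, parts.username
    else:
        match = SCP_LIKE.match(url)
        if match:
            result.update(transport="ssh", host=match["host"], user=match["user"])
    result["uses_ssh_key"] = result["transport"] == "ssh"
    return result

def non_ssh_remotes(urls):
    """Return the URLs that would NOT authenticate with an SSH key pair."""
    return [u for u in urls if not classify_remote(u)["uses_ssh_key"]]

# URL forms quoted on this page, plus one constructed Windows path.
SAMPLE_URLS = [
    "ssh://gituser@git-server-url/git-server-repos-group/my-git-repo.git",
    "gituser@git-server-url:git-server-repos-group/my-git-repo.git",
    "https://github.com/user/repo.git",
    "/home/cloned-git-repos/my-git-repo.git",
    "C:\\repos\\my-git-repo.git",  # constructed sample
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", classify_remote(sample)["transport"])
```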

You need to ensure that this SSH public/private key pair has been registered with your Git server before continuing. If you have not already done this, follow these 2 steps. Otherwise, continue on.

  1. Configure the SSH public key component of this key pair (which you can copy and paste from the Blue Ocean interface) for the remote Git server’s user account (e.g. within the authorized_keys file of the machine’s gituser/.ssh directory).
    Note: This process allows your Jenkins user to access the repositories that your Git server’s user account (e.g. gituser) has access to. Read more about this in Setting Up the Server of the Pro Git documentation.

  2. When done, return to the Blue Ocean interface.

Blue Ocean will then scan your local repository’s branches for a Jenkinsfile and will commence a Pipeline run for each branch containing a Jenkinsfile. If Blue Ocean cannot find any Jenkinsfile, you will be prompted to begin creating one through the Pipeline editor.

For a repository on GitHub

To create your Pipeline project directly for a repository on GitHub, click the GitHub button under Where do you store your code?

In the Connect to GitHub section, enter your GitHub access token into the Your GitHub access token field.
If you previously configured Blue Ocean to connect to GitHub using a personal access token, Blue Ocean takes you directly to the choosing your GitHub account/organization and repository steps below.

If you do not have a GitHub access token, click the Create an access key here link to open GitHub to the New personal access token page.

Create your access token

  1. In the new tab, sign in to your GitHub account (if necessary) and on the GitHub New Personal Access Token page, specify a brief Token description for your GitHub access token (e.g. Blue Ocean).
    Note: An access token is usually an alphanumeric string that represents your GitHub account along with permissions to access various GitHub features and areas through your GitHub account. The new access token process (triggered through the Create an access key here link above) has the appropriate permissions pre-selected, which Blue Ocean requires to access and interact with your GitHub account.

  2. Scroll down to the end of the page and click Generate token.

  3. On the resulting Personal access tokens page, copy your newly generated access token.

  4. Back in Blue Ocean, paste the access token into the Your GitHub access token field and click Connect.
    Your current/logged in Jenkins user now has access to your GitHub account (provided by your access token), so you can now choose your GitHub account/organization and repository.
    Jenkins registers this credential with the following details for this Jenkins user:

    • Domain: blueocean-github-domain

    • ID: github

    • Name: <jenkins-username>/****** (GitHub Access Token)

Choose your GitHub account/organization and repository

At this point, Blue Ocean prompts you to choose your GitHub account or an organization you are a member of, as well as the repository it contains from which to build your Pipeline project.

  1. In the Which organization does the repository belong to? section, click either:

    • Your GitHub account to create a Pipeline project for one of your own GitHub repositories or one which you have forked from elsewhere on GitHub.

    • An organization you are a member of to create a Pipeline project for a GitHub repository located within this organization.

  2. In the Choose a repository section, click the repository (within your GitHub account or organization) from which to build your Pipeline project.
    Tip: If your list of repositories is long, you can filter this list using the Search option.

  3. Click Create Pipeline.
    Blue Ocean will then scan your local repository’s branches for a Jenkinsfile and will commence a Pipeline run for each branch containing a Jenkinsfile. If Blue Ocean cannot find any Jenkinsfile, you will be prompted to begin creating one through the Pipeline editor (by clicking Create Pipeline again).
    Note: Under the hood, a Pipeline project created through Blue Ocean is actually 'multibranch Pipeline'. Therefore, Jenkins looks for the presence of at least one Jenkinsfile in any branch of your repository.

For a repository on Bitbucket Cloud

To create your Pipeline project directly for a Git or Mercurial repository on Bitbucket Cloud, click the Bitbucket Cloud button under Where do you store your code?

In the Connect to Bitbucket section, enter your Bitbucket email address and password into the Username and Password fields, respectively. Note that:

  • If you previously configured Blue Ocean to connect to Bitbucket with your email address and password, Blue Ocean takes you directly to the choosing your Bitbucket account/team and repository steps below.

  • If you entered these credentials, Jenkins registers them with the following details for this Jenkins user:

    • Domain: blueocean-bitbucket-cloud-domain

    • ID: bitbucket-cloud

    • Name: <[email protected]>/****** (Bitbucket server credentials)

Click Connect and your current/logged in Jenkins user will now have access to your Bitbucket account. You can now choose your Bitbucket account/team and repository.

Choose your Bitbucket account/team and repository

At this point, Blue Ocean prompts you to choose your Bitbucket account or a team you are a member of, as well as the repository it contains from which to build your Pipeline project.

  1. In the Which team does the repository belong to? section, click either:

    • Your Bitbucket account to create a Pipeline project for one of your own Bitbucket repositories or one which you have forked from elsewhere on Bitbucket.

    • A team you are a member of to create a Pipeline project for a Bitbucket repository located within this team.

  2. In the Choose a repository section, click the repository (within your Bitbucket account or team) from which to build your Pipeline project.
    Tip: If your list of repositories is long, you can filter this list using the Search option.

  3. Click Create Pipeline.
    Blue Ocean will then scan your local repository’s branches for a Jenkinsfile and will commence a Pipeline run for each branch containing a Jenkinsfile. If Blue Ocean cannot find any Jenkinsfile, you will be prompted to begin creating one through the Pipeline editor (by clicking Create Pipeline again).
    Note: Under the hood, a Pipeline project created through Blue Ocean is actually 'multibranch Pipeline'. Therefore, Jenkins looks for the presence of at least one Jenkinsfile in any branch of your repository.
