#5705 Build Env Variables for Fedora Jenkins / Credentials / Secrets
Closed: Fixed 7 years ago Opened 7 years ago by bex.

I need to be able to push to a git repo from a Jenkins job. I have an SSH key with a password for this purpose.

I can't add the credential to the global domain because I don't want everyone using it (and I have no access to do so).

I can't add the credential to a custom domain because once I create it, I am not allowed to add keys to it.

I can't store it without a password because I don't have a restricted space to put the file.

I can't set the password in an environment variable because our Jenkins doesn't seem to allow for job based environment variables (EnvInject plugin).

Any ideas?


First, storing sensitive information in our Jenkins may not be the best idea. You should be aware that there are known ways to get root access on builders.

How about storing the password in build recipe itself? It should be accessible only to project owners (and Jenkins admins).

@mizdebsk I honestly hadn't thought about that. Density is one of my strong subjects some days.

for the POC this is fine.

Let me confirm it works and then we can close

@mizdebsk the password will show in the console output

How about:

```
set +x
export SEKRIT=...
set -x
<rest of the script>
```

@mizdebsk that worked. Now I am stuck with ssh-add hanging forever, even after overriding the password entry.

I need to think on this some more, but so far I haven't found a way to load a key without putting it into Jenkins, and I can't put it in Jenkins :).

For reference, I am doing this:

  1. Starting an ssh-agent
  2. Setting DISPLAY and SSH_ASKPASS to create a situation where the askpass will be run. The SSH_ASKPASS echos the password.
  3. Executing cat /dev/null | ssh-add keyfile and getting a hang.

The above sequence works fine in a container and on my workstation.

Testing with sshpass has gotten me no further. ssh commands to add the host key succeed, but git commands hang. Still working.

Ok - figured out that the shipping version of sshpass in Fedora does not work with the passphrase prompts ... requested package update to 1.0.6 and will build locally for a bit

Alright. I think I have this working, except for triggers based on commits (issue opened in pagure).

I'd like to offer some advice to others, so before I add this to the Fedora Jenkins page, can you review?


Running jobs requiring password-protected SSH keys

  1. Store your password in the Jenkins configuration script:

    ```
    set +x
    export SSHPASS=noOneLikesPWs
    set -x
    bash my_build_script
    ```

    The SSHPASS environment variable is consumed by sshpass.

    In this example, the actual build script is stored, as recommended, with your code and not in Jenkins.

  2. In your code, use sshpass version 1.06 or later. At the time of this addition, only sshpass-1.05 is available in Fedora and loaded on the builders, therefore you should build your own version of sshpass. Because you cannot install RPMs on the builders and because sshpass is hosted on sourceforge.net (which has a download redirector) it is probably best to store the code either in your repo or in a second repo where you can check it out. The example below assumes you have built sshpass 1.06+ and it is now in your Jenkins Workspace.

    2a. Only a few SSH commands

    Just provide the password for each one in your build script.

    ```
    /path/to/your/sshpass -P assphrase -v -e ssh -i /path/to/your/private/key foo@bar.com command
    /path/to/your/sshpass -P assphrase -v -e scp -i /path/to/your/private/key local_content foo@bar.com:/destination
    ```

    2b. Lots of SSH commands (or git and the like)

    In your build script, start an ssh-agent and load the key. Then run your commands:

    ```
    eval "$(ssh-agent -s)"
    /path/to/your/sshpass -P assphrase -v -e ssh-add /path/to/your/private/key

    git ...
    ```

  3. A word about Host Keys

    You may need to use -o stricthostkeychecking=no on your first SSH connection to save the hostkey.
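
An added example, not code from the ticket or from Fedora infrastructure: a small shell self-check for the console-output point raised earlier in the thread (why the export sits between `set +x` and `set -x`), followed by a build-script skeleton for case 2b. The `run_with_agent` helper, the path `$WORKSPACE/sshpass/sshpass` and the `DEMO_PW` value are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket): checks whether a build-script snippet
# leaks a secret into the `set -x` trace that ends up in the Jenkins console
# log, then sketches a build script for the sshpass + ssh-agent flow (case 2b).

# Run a snippet under `bash -x` and return only its trace (stderr), not stdout.
xtrace_of() {
    bash -x -c "$1" 2>&1 >/dev/null
}

# Return 0 if the secret appears in the xtrace output, 1 otherwise.
leaks_secret() {
    snippet=$1
    secret=$2
    trace=$(xtrace_of "$snippet")
    case "$trace" in
        *"$secret"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed secret for the demonstration only.
DEMO_PW='noOneLikesPWs'

# Naive form: the export is traced, so the password lands in the console log.
NAIVE='export SSHPASS='"$DEMO_PW"'; true'
# Form from the ticket: tracing is suspended around the assignment only.
GUARDED='set +x; export SSHPASS='"$DEMO_PW"'; set -x; true'

# Build-script skeleton for case 2b ("lots of SSH commands").
# Assumes sshpass >= 1.06 was built into $WORKSPACE/sshpass/sshpass (assumed
# path) and that SSHPASS was exported by the Jenkins job as in step 1.
# Not exercised by the self-check below, since it needs a real key and agent.
run_with_agent() {
    key=$1; shift
    sshpass="${WORKSPACE:-.}/sshpass/sshpass"
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null' EXIT         # do not leave the agent behind
    "$sshpass" -P assphrase -e ssh-add "$key"    # -e: passphrase comes from SSHPASS
    ssh-add -l >/dev/null || { echo "key not loaded" >&2; return 1; }
    unset SSHPASS                                # later commands do not need it
    "$@"                                         # e.g. git push origin HEAD
}

if leaks_secret "$NAIVE" "$DEMO_PW"; then
    echo "naive snippet leaks the password into the trace"
fi
if ! leaks_secret "$GUARDED" "$DEMO_PW"; then
    echo "guarded snippet keeps the password out of the trace"
fi
```

The guard only keeps the value out of the xtrace; it still sits in the environment of every child process of the job, readable through /proc by anything running as the same user on the builder, which is why the skeleton unsets SSHPASS once the key is in the agent and why the earlier warning about builders still applies. For step 3, OpenSSH 7.6 and newer accept `-o StrictHostKeyChecking=accept-new`, which records an unknown host key on first contact but still refuses a key that has changed, a narrower setting than `=no`.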

Looks good to me. Can you let us know when the updated ssh-pass is out and we can update all the builders. Or if there are builds of it already we can update now and just avoid that complication?



ssh-pass is out, however the package is not ready for Fedora. I hope the packager will respond soon.

https://bugzilla.redhat.com/show_bug.cgi?id=1414699

I went ahead and pushed the update and then updated the f25 jenkins builder with it.

So I guess we can close this out now. Feel free to reopen if there's anything more to be done.


@kevin changed the status to Closed 7 years ago

@kevin I will update the jenkins wiki page. I believe this can be closed.
