Denied access to sencond git repository via ssh in pipeline


  • Why is there an error for "Warning: Permanently added the ECDSA host "? …when I’ve setup the manually provided keys for hosts in Configure Global Security

  • Why is permission denied? I know the key is good.

  • Is there any further logging I can enable to check if its actually using the right key etc…

Our Jenkins project pulls a repo from our regular repository bitbucket where the Jennkinsfile pipeline is found… Then in the pipeline is another git pull for some code in another third-party repository. Because We’re using automatically deployed EC2 build agents I don’t want to setup hosts and ssh config on the build agent. The credentials should be propagated from the server to the to the agents via credentials plugins.

Build Log

The recommended git tool is: NONE
using credential aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Fetching changes from the remote Git repository git rev-parse --resolve-git-dir /home/ubuntu/repo/aosp/.git # timeout=10 git config remote.origin.url # timeout=10
00:55:54  Fetching upstream changes from git --version # timeout=10 git --version # 'git version 2.17.1'
using GIT_SSH to set credentials som
Verifying host key using manually-configured host key entries > git fetch --tags --progress -- +refs/heads/*:refs/remotes/origin/* # timeout=10
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from
	at hudson.plugins.git.GitSCM.fetchFrom(
	at hudson.plugins.git.GitSCM.retrieveChanges(
	at hudson.plugins.git.GitSCM.checkout(
	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(
	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$
	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(
	at java.base/java.util.concurrent.Executors$
	at java.base/
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(
	at java.base/java.util.concurrent.ThreadPoolExecutor$
 	at java.base/
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress -- +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stderr: Warning: Permanently added the ECDSA host key for IP address 'www.xx.yy.zzz' to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Project Config

script {
	git branch: 'master',
		credentialsId: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
		url: ''

(I’ve also tried using ‘checkout GIT-SCM’ block, same result)

Dashboard > Manage Jenkins > Configure Global Security

  • Git Host Key Verification Configuration
    – Manually Provided Keys ecdsa-sha2-nistpxxxxxxxxxxxxxxxxxxxxxxxxxxx

Dashboard > Manage Jenkins > Credentials …

  • SSH Username with private key
    – Username blank (not sure why its here?)
    – Private key confirmed to connect on another system

Jenkins setup:
Jenkins 2.387.1 server running amazon linux in EC2
Jenkins build agents managed by the Amazon EC2 plugin in this case running Ubuntu 18. (requried by tird-party repository)

  • [SSH Credentials Plugin Version 305.v8f4381501156 ]
  • [SSH Build Agents plugin Version 2.877.v365f5eb_a_b_eec ]
  • [SSH server Version 3.303.vefc7119b_ec23 ]
  • [SSH Agent Version 333.v878b_53c89511 ]
  • [Git client Version 4.2.0 ]
  • [Git plugin Version 5.0.2 ]

I think I’m passed the worst of it. The issue was the non-standard ssh port on the git url. So far the solution is to add something like:

Configure Global Security > Git Host Key Verification Configuration >
[]:8407 ecdsa-sha2-nistp256 AAAAE2V…

The mission continues.