Make use of manually provided ssh host keys during manual git operations

Hi there,

I have the following scenario:

Jenkins running on K8s cluster, configured via CASC and specifically the gitHostKeyVerificationConfiguration as follows:

```yaml
---
security:
  gitHostKeyVerificationConfiguration:
    sshHostKeyVerificationStrategy:
      manuallyProvidedKeyVerificationStrategy:
        approvedHostKeys: |-
          some keys
```

This works totally fine when using the builtin checkout step.

But now I have a requirement to also run some custom git commands. For this I would like to use git over ssh over user/password auth.

Currently I don’t know how I can make use of the manually configured known_hosts in that scenario. I have tried to set up the ~/.known_hosts file on the controller, but this seems not to be enough and I would need to add this as well to each and every agent container variation?

I like the idea of having this in a central place and I would like to avoid adding the keys to multiple containers. Is there a way to access these keys somehow during a pipeline run and write them to the known_hosts file during the pipeline run, or just wrap my sh "git .." commands with something to make this work?

I am happy for alternative approaches as well, as long as they add just a little overhead and make the entries centrally configurable…

Thanks in advance!

As far as I understand command line git usage in Jenkins, there is no easy way to use git over ssh with password based authentication. When using git with ssh protocol (URL forms git@example.com:user/repo.git and ssh://git@example.com/user/repo.git), you must provide an SSH private key.

I’m sure there are ways that you could carefully craft a shell script or batch file that provides the password to command line git when using ssh protocol, but Jenkins does not provide any facilities to make that easy to create or easy to maintain.

It is better to use private keys with ssh and to use username / password with HTTPS when using private repositories with Jenkins.

The config file provider plugin allows administrators to define specific configuration files to workspaces.

Hi @MarkEWaite,

thanks for the fast feedback. The config file provider looks like an interesting approach.

Sorry for the confusion here, what I wanted to say was: I would like to use git via ssh instead of git via HTTPS 🙂 So I think we are good here.

This is kind of a working workaround that I came up with for the time being:

```groovy
withCredentials([sshUserPrivateKey(credentialsId: 'id-rsa-jenkins',
                                   keyFileVariable: 'SSH_KEY_FILE',
                                   usernameVariable: 'jenkins')]) {
    // Prepare a private ~/.ssh directory and an empty known_hosts file
    sh 'mkdir -p ~/.ssh && chmod 700 ~/.ssh'
    sh 'touch ~/.ssh/known_hosts && chmod 600 ~/.ssh/known_hosts'
    // Fetch Bitbucket's published host keys (unverified) and append them
    sh 'curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts'
    // Single-quoted Groovy string: the shell expands $SSH_KEY_FILE, $DST_URL and
    // $DST_BRANCH from the environment, so the key path is not interpolated into
    // the script text by Groovy (which Jenkins flags as insecure for secrets)
    sh 'GIT_SSH_COMMAND="ssh -i $SSH_KEY_FILE" git clone "$DST_URL" --depth 1 --branch "$DST_BRANCH"'
}
```

My main point is that I would like to avoid fetching the known hosts keys all the time (which is also a bit useless without verifying them), but instead manage them centrally. I would also like to prevent hard coding into the container or in the pipeline directly.

Would it be enough to add them to the jnlp container only? I guess they would need to be inside each container executing a build?

I hope I could explain my problem better now. The plugin kind of solves the issue already, but maybe there is a solution without a plugin or, even better, a solution where I could directly access the keys which I have configured in the controller?

Thanks!
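A build-time variant of the workaround above, as an added example that is not code from this thread or from Jenkins: it assumes the centrally approved host keys are delivered to the build in an environment variable named APPROVED_HOST_KEYS (for instance from a Config File Provider file), validates each entry before trusting it, and pins git's ssh to that file instead of fetching keys during the build.

```shell
# Added example, not code from the thread or from Jenkins. Assumes the approved
# host keys arrive in APPROVED_HOST_KEYS (e.g. via a Config File Provider file)
# and that SSH_KEY_FILE comes from withCredentials as in the thread.

# write_known_hosts CONTENT TARGET
# Validates every non-comment line as "[@marker] host keytype base64key [comment]"
# and writes the file with owner-only permissions. Writes nothing on a bad line,
# so an HTML error page appended by a curl step can never become a trusted key.
write_known_hosts() {
    content=$1
    target=$2
    ( set -f                                          # no globbing of patterns like *.example.com
      while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac     # blank or comment line
        set -- $line                                  # split into fields
        case "$1" in '@'*) shift ;; esac              # @cert-authority / @revoked marker
        [ $# -ge 3 ] || { echo "malformed known_hosts line: $line" >&2; exit 1; }
        case "$2" in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) echo "unsupported key type in line: $line" >&2; exit 1 ;;
        esac
        case "$3" in
            *[!A-Za-z0-9+/=]*) echo "key is not base64 in line: $line" >&2; exit 1 ;;
        esac
      done <<EOF
$content
EOF
    ) || return 1
    # umask in a subshell: the file is created 0600 without changing the caller's umask
    ( umask 077 && mkdir -p "$(dirname "$target")" && printf '%s\n' "$content" > "$target" )
}

# git_ssh_command KEYFILE KNOWN_HOSTS
# Prints the ssh invocation for GIT_SSH_COMMAND: strict host checking against
# our file only, with no fallback to ~/.ssh/known_hosts or the system file.
git_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null' "$1" "$2"
}

# Usage inside the withCredentials sh step (DST_URL and DST_BRANCH as in the thread):
#   KH="$WORKSPACE/.ssh-central/known_hosts"
#   write_known_hosts "$APPROVED_HOST_KEYS" "$KH" || exit 1
#   GIT_SSH_COMMAND="$(git_ssh_command "$SSH_KEY_FILE" "$KH")" \
#       git clone "$DST_URL" --depth 1 --branch "$DST_BRANCH"
```

Because the known_hosts file lives in the workspace and is rebuilt from the central list on every run, nothing has to be baked into the jnlp or build containers.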

Each container that needs to access an ssh authenticated git repository will need that host key.