Setting up Debian GNU/Linux 8 slave node: SSH authentication failed

I am trying to add a Debian GNU/Linux 8 slave node to an already existing Jenkins CI-system (configured by a colleague of mine that has in the meanwhile left our company). Unfortunately, my new agent won’t launch as it cannot launch the agent process on the new slave node. There seems something wrong with the SSH connection from the master to the slave. This is the error that I get:

SSHLauncher{host='10.2.2.41', port=22, credentialsId='1ace657c-17a6-4880-9b9e-82fd7aa9d393', jvmOptions='', javaPath='', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=60, maxNumRetries=10, retryWaitTime=15, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.ManuallyTrustedKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}
[01/10/22 09:15:38] [SSH] Opening SSH connection to 10.2.2.41:22.
[01/10/22 09:15:38] [SSH] SSH host key matches key seen previously for this host. Connection will be allowed.
ERROR: Server rejected the 1 private key(s) for jenkins (credentialId:1ace657c-17a6-4880-9b9e-82fd7aa9d393/method:publickey)
[01/10/22 09:15:38] [SSH] Authentication failed.
Authentication failed.
[01/10/22 09:15:38] Launch failed - cleaning up connection
[01/10/22 09:15:38] [SSH] Connection closed.

I can SSH from the Master to the slave using a password:

barvan@s-ebl-jnks01-15:~$ ssh jenkins@10.2.2.41
jenkins@10.2.2.41's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 10 09:25:45 2022 from 10.2.2.38
jenkins@s-be-jnks07-21:~$

but it is not clear to me how I have to configure the credentials on the Jenkins Master. I see that my colleague had already setup the following, which works for another Debian GNU/Linux 9 slave node that is up and running:

The ID for the ‘SSH login from master to slaves based on private key’ matches with the one I see in my log message:

SSHLauncher{host='10.2.2.41', port=22, credentialsId='1ace657c-17a6-4880-9b9e-82fd7aa9d393', jvmOptions='', javaPath='', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=60, maxNumRetries=10, retryWaitTime=15, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.ManuallyTrustedKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}

but for some reason this credential fails for the Debian GNU/Linux 8 host that I’m trying to setup.

What am I overlooking?

Please remember to use agent not slave.

Sounds like to me your using different keys somehow. I would recommend recreating your credentials with the private key you think it is.

Edit: or use something like Groovy Script To Retrieve Jenkins Credentials Using Jenkins Libraries to retrieve the credential to confirm

OK. Sorry for that. I didn’t know that was the correct terminology. I will try to pay attention to it.

OK. Thanks for this tip. I didn’t know how I could figure out what the private key was that belongs to a certain credential. I used the groovy script

import jenkins.*
import jenkins.model.* 
import hudson.*
import hudson.model.*
def jenkinsCredentials = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
        com.cloudbees.plugins.credentials.Credentials.class,
        Jenkins.instance,
        null,
        null
);
for (creds in jenkinsCredentials) {
  if (creds.id == "1ace657c-17a6-4880-9b9e-82fd7aa9d393") {
    println(creds.id)
    println(creds.username)
    println(creds.privateKey)
  }
}

to find out the private key. This gave me something like:

1ace657c-17a6-4880-9b9e-82fd7aa9d393
jenkins
-----BEGIN RSA PRIVATE KEY-----
... snipping private key here of course... :-)
-----END RSA PRIVATE KEY-----

However, now I’m puzzled. As that is the private key that was long time ago added as a credential by my colleague. The Debian 9 agent (10.2.2.40) that was setup by him long time ago works successfully with this credential, as can be seen from its log:

SSHLauncher{host='10.2.2.40', port=22, credentialsId='1ace657c-17a6-4880-9b9e-82fd7aa9d393', jvmOptions='', javaPath='', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=60, maxNumRetries=0, retryWaitTime=0, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.ManuallyTrustedKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}
[01/05/22 18:16:10] [SSH] Opening SSH connection to 10.2.2.40:22.
[01/05/22 18:16:10] [SSH] SSH host key matches key seen previously for this host. Connection will be allowed.
[01/05/22 18:16:11] [SSH] Authentication successful.

However, I don’t find any private key on that agent:

jenkins@s-ebl-jnks05-15:~$ /sbin/ifconfig | grep "10.2.2.40"
        inet 10.2.2.40  netmask 255.255.255.0  broadcast 10.2.2.255
jenkins@s-ebl-jnks05-15:~$ ls -al .ssh/*
-rw-r--r-- 1 jenkins jenkins 419 Mar  1  2016 .ssh/authorized_keys

Since the Debian 9 node at 10.2.2.40 is authenticating successfully, I would assume that that private key must be on it somewhere? Is there a way to find out at what location, so I can confirm that the private key that is in my Jenkins credentials is actually the one from this node?

Problem solved after adding the public RSA key from the Jenkins Server (is that the correct terminology?) to the .ssh/authorized_keys file on the agent node.

you can test on the cli with ssh -v and it’ll tell you all the keys it tries and which one it uses.
There’s also a /etc/ssh/authorized_keys
you can also take a look at /var/log and see, I think it might say where its getting the key from.
Sadly this is a bit out of scope for jenkins help.

Officially it is controller now. Glossary We’re (I’m) less fussy about that one as its only been renamed last year.