By Bart C


2018-12-05 16:20:52 8 Comments

I'm creating a job in Jenkins 2.152 running on Windows Server 2016 which needs to pull from a git repo hosted on bitbucket.org. I tested the ssh key through git-bash so I know it works and there is no passphrase. When I try to use the very same private key with Jenkins I get an error message.

Failed to connect to repository : Command "git.exe ls-remote -h 
[email protected]:mygroup/myrepo HEAD" returned status code 128:
stdout: 
stderr: Load key 
"C:\\Users\\JE~1\\AppData\\Local\\Temp\\ssh2142299850576289882.key": invalid format 
[email protected]: Permission denied (publickey). 
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The Credentials are set up as

 scope: Global
 user: git
 Private Key -> Enter Directly -> copy and past - generated by ssh-keygen -t rsa in gitbash
 Passphrase: empty
 ID: empty
 description: bitbucket.org

I noticed that on another Windows Jenkins server the private key has a different number of characters per line

Does anybody know what is the expected format of Private Key in Jenkins Credentials? Or maybe there is something else that I could check.

Any help is greatly appreciated.

6 comments

@exceed007 2020-07-31 08:55:37

following worked for me

  1. Create a folder (say testkey), cd inside the folder and right click and select git bash

  2. now create OPENSSH Key using following command in git bash. here test.key is name of your OPENSSH key (note that passphrase is optional)

ssh-keygen -f test.key

  1. Copy that key connect, you can open the key using notepad, and paste that key into github. Remember Git accepts only OPENSSH key.

enter image description here

  1. Now convert that key into PEM format, using same bash window, run following command (note that passphrase is optional)

ssh-keygen -f test-pem.key -m PEM -p

  1. Now the key is converted into PEM key, copy the content of the key using notepad.

  2. Go Jenkins -> Credentials -> Add New Credentials.

enter image description here

7.Select Kind SSH Username and Key , Provide username , and paste the PEM key content copied in step 5 and paste into private key, note that passphrase is optional.

enter image description here

  1. Now add repo for ssh like this,

Original SSL Command Copied from GITHUB - [email protected]:test/goto.git

change it to  - ssh://[email protected]/test/goto.git

@erpel 2020-04-08 07:50:49

So just to add an answer to actually convert a key from the new OPENSSH format to the older PEM format:

$ ssh-keygen -f blah.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in blah.key.
Your public key has been saved in blah.key.pub.
The key fingerprint is:
SHA256:ndMFvZjbD7M3MoqFy8+me74gPhcuoDVLF2/Oh+hXQ8I [email protected]
$ head -n 1 blah.key
-----BEGIN OPENSSH PRIVATE KEY-----
$ ssh-keygen  -f blah.key -m PEM -p
Key has comment 'redacted'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
$ head -n 1 blah.key
-----BEGIN RSA PRIVATE KEY-----

ssh-keygen -p changes the passphrase but it does not mind the new passphrase being the same (even none) as the old one and in the process can convert the format.

@Panda World 2019-08-20 04:46:02

Somehow I got it work again but the real steps that fix the issue is unclear.

what I did is to regenerate the ssh key again and put everything to its default location. Reupload the public key, replace the private key in the credential and then it starts to work.

@Houcheng 2019-01-29 10:18:38

I also got this error message and eventually found out that the Jenkins credential should be RSA secret key, not public key. Below is my steps for configuring Jenkins to clone from bitbucket:

  1. Add credential in Jenkins credentials
   Kind: SSH username and private key
   Scope: Global
   Username: <my username in bitbucket>
   Private key: <Enter directly>
         -----BEGIN RSA PRIVATE KEY-----
         ......
         -----END RSA PRIVATE KEY-----
  1. Create a job and configure the repository path and credential as following:

enter image description here

@VonC 2018-12-06 06:06:43

Check the version of Git for Windows that you are using: Starting 2.19.2, it comes with OpenSSH v7.9p1 (from 7.7 before)

And... openssh 7.8 just changed the default ssh-keygen format, from a classic PEM 64-chars, to an OPENSSH one 70 chars!

Only ssh-keygen -m PEM -t rsa -P "" -f afile would generate the old format (-m PEM)

ssh-keygen(1):

write OpenSSH format private keys by default instead of using OpenSSL's PEM format.

The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.

@Bart C 2018-12-06 15:04:37

Thanks! I just realized that the ssh key I'm trying to use was generated on an older Linux machine. I'll test and report back.

@Can YILDIZ 2019-02-21 12:17:44

After solving my problem with this comment I realized that previous key had a title "-----BEGIN OPENSSH PRIVATE KEY-----" while new one has "-----BEGIN RSA PRIVATE KEY-----". Thanks @VonC

@Ewert 2019-02-26 08:27:36

did not understand why my key wouldn't work thanks for this!

@Eric Blade 2019-10-10 14:51:30

... note that this is not an answer to the question. It's an attempt to help the user, but it provides no useful information.

@VonC 2019-10-10 15:04:23

@EricBlade It does answer the question "Does anybody know what is the expected format of Private Key in Jenkins Credentials?" (from the OP): PEM, not OpenSSH

@Bart C 2018-12-11 15:56:08

In the end, I couldn't find a way to make pasting private keys to Jenkins credentials work.

While it might common knowledge for many, I decided to put the workaround below anyway.

Here is what I did as a workaround to pull my private repositories from Bitbucket.org:

  1. Log in to your Windows host as the user which runs Jenkins Service. In my case, Jenkins Service runs as a dedicated user because I needed to access network shares with write privileges restricted to this user only.
  2. Open Git-bash and generate SSH keys with ssh-keygen command accepting all defaults
  3. In Jenkins, enter the git repo URL as [email protected]:team_name/repo_name and leave the credentials as None

This way Git and SSH will be able to find SSH keys in the default location, which usually is c:\Users\username.ssh\

Hope this helps somebody.

Related Questions

Sponsored Content

21 Answered Questions

[SOLVED] Best way to use multiple SSH private keys on one client

  • 2010-03-10 18:40:58
  • Justin
  • 467711 View
  • 907 Score
  • 21 Answer
  • Tags:   ssh ssh-keys openssh

19 Answered Questions

[SOLVED] Git error: "Host Key Verification Failed" when connecting to remote repository

  • 2012-11-13 15:26:36
  • bootsz
  • 399879 View
  • 242 Score
  • 19 Answer
  • Tags:   git ssh ssh-keys

29 Answered Questions

[SOLVED] How to specify the private SSH-key to use when executing shell command on Git?

  • 2010-12-30 19:42:01
  • Christoffer
  • 1161741 View
  • 1211 Score
  • 29 Answer
  • Tags:   git bash shell ssh

1 Answered Questions

create jenkins ssh username with private key credential via rest xml api

2 Answered Questions

[SOLVED] Connecting to bitbucket repository from jenkins server

8 Answered Questions

[SOLVED] Git clone / pull continually freezing at "Store key in cache?"

1 Answered Questions

Jenkins-bitbucket ( Difference between Git-bash/Openssh and WIndows prompt/pageant )

  • 2016-09-24 09:25:46
  • Mohan Radhakrishnan
  • 140 View
  • 0 Score
  • 1 Answer
  • Tags:   jenkins ssh bitbucket

1 Answered Questions

[SOLVED] jenkins in cloudbees The remote end hung up unexpectedly

Sponsored Content