6.3 KiB
Jenkins SSH Agent Authentication Troubleshooting
Date: 2026-02-09
Issue: Jenkins cannot authenticate to remote build agent
Error: Authentication failed when connecting to remote SSH agent
Problem Description
Jenkins is configured to connect to a remote build agent via SSH but authentication fails:
SSHLauncher{host='45.16.76.42', port=22, credentialsId='dlx-key', ...}
[SSH] Opening SSH connection to 45.16.76.42:22.
[SSH] Authentication failed.
Root Cause
The SSH public key associated with Jenkins's 'dlx-key' credential is not present in the ~/.ssh/authorized_keys file on the remote agent server (45.16.76.42).
Quick Diagnosis
From jenkins server:
# Test network connectivity
ping -c 2 45.16.76.42
# Test SSH connectivity (should fail with "Permission denied (publickey)")
ssh dlxadmin@45.16.76.42
Solution Options
Option 1: Add Jenkins Key to Remote Agent (Quickest)
Step 1 - Get Jenkins's public key from Web UI:
- Open Jenkins: http://192.168.200.91:8080
- Go to: Manage Jenkins → Credentials → System → Global credentials (unrestricted)
- Click on the 'dlx-key' credential
- Look for the public key display (if available)
- Copy the public key
Step 2 - Add to remote agent:
# SSH to the remote agent
ssh dlxadmin@45.16.76.42
# Add the Jenkins public key
echo "ssh-rsa AAAA... jenkins@host" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Verify authorized_keys format
cat ~/.ssh/authorized_keys
Step 3 - Test connection from Jenkins server:
# SSH to jenkins server
ssh dlxadmin@192.168.200.91
# Test connection as jenkins user
sudo -u jenkins ssh -o StrictHostKeyChecking=no dlxadmin@45.16.76.42 'echo "Success!"'
Option 2: Create New SSH Key for Jenkins (Most Reliable)
Step 1 - Run the Ansible playbook:
ansible-playbook playbooks/setup-jenkins-agent-ssh.yml -e "agent_host=45.16.76.42"
This will:
- Create SSH key pair for jenkins user at
/var/lib/jenkins/.ssh/id_rsa - Display the public key
- Create helper script to copy key to agent
Step 2 - Copy key to agent (choose one method):
Method A - Automatic (if you have SSH access):
ssh dlxadmin@192.168.200.91
/tmp/copy-jenkins-key-to-agent.sh
Method B - Manual:
# Get public key from jenkins server
ssh dlxadmin@192.168.200.91 'sudo cat /var/lib/jenkins/.ssh/id_rsa.pub'
# Add to agent's authorized_keys
ssh dlxadmin@45.16.76.42
echo "<paste-public-key>" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Step 3 - Update Jenkins credential:
- Go to: http://192.168.200.91:8080/manage/credentials/
- Click on 'dlx-key' credential (or create new one)
- Click Update
- Under "Private Key":
- Select Enter directly
- Copy content from:
/var/lib/jenkins/.ssh/id_rsaon jenkins server
- Save
Step 4 - Test Jenkins agent connection:
- Go to: http://192.168.200.91:8080/computer/
- Find the agent that uses 45.16.76.42
- Click Launch agent or Relaunch agent
- Check logs for successful connection
Option 3: Use Existing dlxadmin Key
If dlxadmin user already has SSH access to the agent:
Step 1 - Copy dlxadmin's key to jenkins user:
ssh dlxadmin@192.168.200.91
# Copy key to jenkins user
sudo cp ~/.ssh/id_ed25519 /var/lib/jenkins/.ssh/
sudo cp ~/.ssh/id_ed25519.pub /var/lib/jenkins/.ssh/
sudo chown jenkins:jenkins /var/lib/jenkins/.ssh/id_ed25519*
sudo chmod 600 /var/lib/jenkins/.ssh/id_ed25519
Step 2 - Update Jenkins credential with this key
Verification Steps
1. Test SSH Connection from Jenkins Server
# SSH to jenkins server
ssh dlxadmin@192.168.200.91
# Test as jenkins user
sudo -u jenkins ssh -o StrictHostKeyChecking=no dlxadmin@45.16.76.42 'hostname'
Expected output: The hostname of the remote agent
2. Check Agent in Jenkins
# Via Jenkins Web UI
http://192.168.200.91:8080/computer/
# Look for the agent, should show "Connected" or agent should successfully launch
3. Verify authorized_keys on Remote Agent
ssh dlxadmin@45.16.76.42
cat ~/.ssh/authorized_keys | grep jenkins
Expected: Should show one or more Jenkins public keys
Common Issues
Issue: "Host key verification failed"
Solution: Add host to jenkins user's known_hosts:
sudo -u jenkins ssh-keyscan -H 45.16.76.42 >> /var/lib/jenkins/.ssh/known_hosts
Issue: "Permission denied" even with correct key
Causes:
- Wrong username (check if it should be 'dlxadmin', 'jenkins', 'ubuntu', etc.)
- Wrong permissions on authorized_keys:
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys - SELinux blocking (if applicable):
restorecon -R ~/.ssh
Issue: Jenkins shows "dlx-key" but can't edit/view
Solution: Credential is encrypted. Either:
- Replace with new credential
- Use Jenkins CLI to export (requires admin token)
Alternative: Password Authentication
If SSH key auth continues to fail, temporarily enable password auth (NOT RECOMMENDED for production):
# On remote agent
sudo vim /etc/ssh/sshd_config
# Set: PasswordAuthentication yes
sudo systemctl restart sshd
# In Jenkins, update credential to use password instead of key
Files and Locations
- Jenkins Home:
/var/lib/jenkins/ - Jenkins SSH Keys:
/var/lib/jenkins/.ssh/ - Jenkins Credentials:
/var/lib/jenkins/credentials.xml(encrypted) - Remote Agent User:
dlxadmin - Remote Agent SSH Config:
/home/dlxadmin/.ssh/authorized_keys
Related Commands
# View Jenkins credential store (encrypted)
sudo cat /var/lib/jenkins/credentials.xml
# Check jenkins user SSH directory
sudo ls -la /var/lib/jenkins/.ssh/
# Test SSH with verbose output
sudo -u jenkins ssh -vvv dlxadmin@45.16.76.42
# View SSH daemon logs on agent
journalctl -u ssh -f
# Check Jenkins logs
sudo tail -f /var/log/jenkins/jenkins.log
Summary Checklist
- Network connectivity verified (ping works)
- SSH port 22 is reachable
- Jenkins user has SSH key pair
- Jenkins public key is in agent's authorized_keys
- Permissions correct (700 .ssh, 600 authorized_keys)
- Jenkins credential 'dlx-key' updated with correct private key
- Test connection:
sudo -u jenkins ssh dlxadmin@AGENT_IP 'hostname' - Agent launches successfully in Jenkins Web UI