Posted to user@ant.apache.org by Eric Fetzer <er...@gmail.com> on 2023/01/09 14:09:11 UTC
Re: SSHEXEC Command Line Equivalent
Well it turns out this wasn't the fix. The SA accidentally left security
relaxed. Still need to figure this out. Is there a way to call JSCH from
the command line to reproduce the issue? Thanks - Eric
On Fri, Dec 30, 2022 at 8:51 AM Eric Fetzer <er...@gmail.com> wrote:
> One of our SA's figured out a good workaround. I had to regen our
> keypair using pem. Then it worked.
>
> ssh-keygen -m pem
>
> Thanks for all the help guys!
>
> On Wed, Dec 28, 2022 at 2:53 PM Ilya Basin <ba...@gmail.com> wrote:
>
>> Have you tried running the Ant task from an interactive shell or was it
>> always being launched by Jenkins?
>>
>> On 29.12.2022 0:14, Eric Fetzer wrote:
>> > OK, here's what we've put together:
>> >
>> > On the server that this is trying to ssh to and run a command, it gets
>> an error: PAM: pam_open_session(): Cannot make/remove an entry for the
>> specified session
>> >
>> > The quick fix (which the SA's aren't willing to make long term) is to
>> comment out the line: “session required pam_loginuid.so” in
>> /etc/pam.d/sshd.
>> >
>> > RedHat customer support thinks it's a bug but are not willing to call
>> it so unless we can reproduce it with a native command line. Here's the
>> output from the command being run in Ant:
>> >
>> > parsing buildfile
>> jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml
>> with URI =
>> jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml
>> from a zip file
>> > [echo] Creating a file in /my/path on myServer.myDomain to be sure
>> there's something to delete
>> > [sshexec] Connecting to myServer.myDomain:22
>> > [sshexec] Connecting to myServer.myDomain port 22
>> > [sshexec] Connection established
>> > [sshexec] Remote version string: SSH-2.0-OpenSSH_8.0
>> > [sshexec] Local version string: SSH-2.0-JSCH-0.1.54
>> > [sshexec] CheckCiphers:
>> aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
>> > [sshexec] CheckKexes:
>> diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
>> > [sshexec] CheckSignatures:
>> ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>> > [sshexec] SSH_MSG_KEXINIT sent
>> > [sshexec] SSH_MSG_KEXINIT received
>> > [sshexec] kex: server:
>> curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
>> > [sshexec] kex: server:
>> rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
>> > [sshexec] kex: server:
>> aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
>> > [sshexec] kex: server:
>> aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
>> > [sshexec] kex: server:
>> hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
>> > [sshexec] kex: server:
>> hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
>> > [sshexec] kex: server: none
>> > [sshexec] kex: server: none
>> > [sshexec] kex: server:
>> > [sshexec] kex: server:
>> > [sshexec] kex: client:
>> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> > [sshexec] kex: client:
>> ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>> > [sshexec] kex: client:
>> aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
>> > [sshexec] kex: client:
>> aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
>> > [sshexec] kex: client:
>> hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
>> > [sshexec] kex: client:
>> hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
>> > [sshexec] kex: client: none
>> > [sshexec] kex: client: none
>> > [sshexec] kex: client:
>> > [sshexec] kex: client:
>> > [sshexec] kex: server->client aes256-ctr hmac-sha2-256 none
>> > [sshexec] kex: client->server aes256-ctr hmac-sha2-256 none
>> > [sshexec] SSH_MSG_KEX_ECDH_INIT sent
>> > [sshexec] expecting SSH_MSG_KEX_ECDH_REPLY
>> > [sshexec] Permanently added 'myServer.myDomain' (ECDSA) to the list
>> of known hosts.
>> > [sshexec] SSH_MSG_NEWKEYS sent
>> > [sshexec] SSH_MSG_NEWKEYS received
>> > [sshexec] SSH_MSG_SERVICE_REQUEST sent
>> > [sshexec] SSH_MSG_SERVICE_ACCEPT received
>> > [sshexec] Authentications that can continue:
>> publickey,keyboard-interactive,password
>> > [sshexec] Next authentication method: publickey
>> > [sshexec] Authentications that can continue: password
>> > [sshexec] Next authentication method: password
>> > [sshexec] Disconnecting from myServer.myDomain port 22
>> >
>> > BUILD FAILED
>> > /opt/jenkins/workspace/NAP-OIS-FileStager/build/testTouchNew.xml:14:
>> com.jcraft.jsch.JSchException: Auth cancel
>> > at com.jcraft.jsch.Session.connect(Session.java:518)
>> > at com.jcraft.jsch.Session.connect(Session.java:183)
>> > at
>> org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:225)
>> > at
>> org.apache.tools.ant.taskdefs.optional.ssh.SSHExec.execute(SSHExec.java:312)
>> > at
>> org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
>> > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>> > at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> > at
>> org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
>> > at org.apache.tools.ant.Task.perform(Task.java:348)
>> > at org.apache.tools.ant.Target.execute(Target.java:435)
>> > at org.apache.tools.ant.Target.performTasks(Target.java:456)
>> > at
>> org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
>> > at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
>> > at
>> org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
>> > at
>> org.apache.tools.ant.Project.executeTargets(Project.java:1248)
>> > at org.apache.tools.ant.Main.runBuild(Main.java:851)
>> > at org.apache.tools.ant.Main.startAnt(Main.java:235)
>> > at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
>> > at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
>> >
>> > The task goes smoothly when run from RHEL7 to RHEL7 or RHEL8 to RHEL7.
>> Just not running it TO RHEL 8. Thus if I could reproduce it in a way that
>> the RedHat folks could reproduce it on their end, then I may get a fix for
>> it other than commenting out the PAM module.
>> >
>> > Thanks,
>> > Eric
>> >
>> > On Wed, Dec 28, 2022 at 1:42 PM Ilya Basin <basinilya@gmail.com> wrote:
>> >
>> > I don't think we'll help more without seeing the problem details.
>> >
>> > On 28.12.2022 23:16, Eric Fetzer wrote:
>> > > Hmmm, that command works at the command line.
>> > >
>> > > On Wed, Dec 28, 2022 at 10:54 AM Ilya Basin <basinilya@gmail.com> wrote:
>> > >
>> > > Hi Eric.
>> > >
>> > > I hope you're using the modern OpenSSH client program.
>> Something like this:
>> > >
>> > > ssh -F none \
>> > > -oBatchMode=yes \
>> > > -oUser=myUser \
>> > > -oIdentityAgent=none \
>> > > -oIdentityFile=/var/lib/jenkins/.ssh/id_rsa \
>> > > -oPort=1401 \
>> > > -oUpdateHostKeys=no \
>> > > -oStrictHostKeyChecking=no \
>> > > myHost.myDomain \
>> > > "touch /myPath/toMyFiles/test.txt"
>> > >
>> > >
>> > > Note that the java SSH library may use obsolete encryption
>> algorithms which you'll also have to force. See
>> https://linux.die.net/man/5/ssh_config
>> > >
>> > >
>> > > On 28.12.2022 21:39, Eric Fetzer wrote:
>> > > > Hi! Can anyone tell me what the command line equivalent to
>> the following
>> > > > directive in ant is?
>> > > >
>> > > > <sshexec host="myHost.myDomain"
>> > > > username="myUser"
>> > > > keyfile="/var/lib/jenkins/.ssh/id_rsa"
>> > > > passphrase=""
>> > > > command="touch /myPath/toMyFiles/test.txt"
>> > > > trust="true"
>> > > > timeout="3000000"
>> > > > verbose="true"
>> > > > port="22"
>> > > > />
>> > > >
>> > > > We've found a bug with this command in RHEL 8 and the
>> RedHat folks won't
>> > > > consider the sshexec command as a repro. I've tried the
>> best I can figure
>> > > > and the command works from the command line however I've
>> tried. Thanks!
>> > > > Eric
>> > > >
>> > >
>> >
>>
>
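
Added example (not part of the thread, and not Ant or JSch code): Ilya's point that the Java library's algorithms may have to be forced on the native client can be worked out from the verbose log, by taking for each KEXINIT slot the first client preference the server also offers (RFC 4253 section 7.1) and turning the result into `ssh -o` options. The sample log is constructed from the lines quoted above, unwrapped and with mail-client residue removed; `parse_proposals`, `negotiate` and `openssh_options` are hypothetical helper names.

```python
import re

# KEXINIT name-list order (RFC 4253 section 7.1); JSch logs one line per slot.
SLOTS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c"]

# Constructed sample: first six "kex:" lines per side from the log quoted in
# the thread, unwrapped, with the mail client's <mailto:> residue removed.
SAMPLE_LOG = """\
[sshexec] kex: server: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
[sshexec] kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
[sshexec] kex: server: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
[sshexec] kex: server: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
[sshexec] kex: server: hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
[sshexec] kex: server: hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
[sshexec] kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
[sshexec] kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
[sshexec] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
[sshexec] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
[sshexec] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
[sshexec] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
"""

def parse_proposals(log):
    """Collect the name-lists each side proposed, in the order they were logged."""
    sides = {"server": [], "client": []}
    for m in re.finditer(r"kex: (server|client):[ \t]*(\S*)[ \t]*$", log, re.M):
        sides[m.group(1)].append([a for a in m.group(2).split(",") if a])
    return sides

def negotiate(sides):
    """Per slot: first client preference that the server also offers."""
    pairs = zip(SLOTS, sides["client"], sides["server"])
    return {slot: next((a for a in c if a in s), None) for slot, c, s in pairs}

def openssh_options(chosen):
    """ssh -o options pinning a native OpenSSH client to the same algorithms."""
    opts = {"KexAlgorithms": chosen["kex"], "HostKeyAlgorithms": chosen["hostkey"],
            "Ciphers": chosen["cipher_c2s"], "MACs": chosen["mac_c2s"]}
    return ["-o%s=%s" % (k, v) for k, v in opts.items() if v]

if __name__ == "__main__":
    print(" ".join(openssh_options(negotiate(parse_proposals(SAMPLE_LOG)))))
```

The computed cipher and MAC agree with the `kex: server->client aes256-ctr hmac-sha2-256 none` line in the log. The options pin the transport algorithms only and say nothing about the publickey step where the session was cancelled.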