One of our SA's figured out a good work around.  I had to regen our keypair
using pem.  Then it worked.

ssh-keygen -m pem

Thanks for all the help guys!

On Wed, Dec 28, 2022 at 2:53 PM ilya Basin <basini...@gmail.com> wrote:

> Have you tried running the Ant task from an interactive shell or was it
> always being launched by Jenkins?
>
> On 29.12.2022 0:14, Eric Fetzer wrote:
> > OK, here's what we've put together:
> >
> > On the server that this is trying to ssh to and run a command, it gets
> an error:  PAM: pam_open_session(): Cannot make/remove an entry for the
> specified session
> >
> > The quick fix (which the SA's aren't willing to make long term is to
> comment out the line: “session    required     pam_loginuid.so” in
> /etc/pam.d/sshd.
> >
> > RedHat customer support thinks it's a bug but are not willing to call it
> so unless we can reproduce it with a native command line.  Here's the
> output from the command being run in Ant:
> >
> > parsing buildfile
> jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml
> with URI =
> jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml
> from a zip file
> >      [echo] Creating a file in /my/path on myServer.myDomain to be sure
> there's something to delete
> >   [sshexec] Connecting to myServer.myDomain:22
> >   [sshexec] Connecting to myServer.myDomain port 22
> >   [sshexec] Connection established
> >   [sshexec] Remote version string: SSH-2.0-OpenSSH_8.0
> >   [sshexec] Local version string: SSH-2.0-JSCH-0.1.54
> >   [sshexec] CheckCiphers:
> aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
> >   [sshexec] CheckKexes:
> diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
> >   [sshexec] CheckSignatures:
> ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> >   [sshexec] SSH_MSG_KEXINIT sent
> >   [sshexec] SSH_MSG_KEXINIT received
> >   [sshexec] kex: server: curve25519-sha256,curve25519-sha...@libssh.org
> <mailto:curve25519-sha...@libssh.org
> >,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
> >   [sshexec] kex: server:
> rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> >   [sshexec] kex: server: aes256-...@openssh.com <mailto:
> aes256-...@openssh.com>,chacha20-poly1...@openssh.com <mailto:
> chacha20-poly1...@openssh.com>,aes256-ctr
> >   [sshexec] kex: server: aes256-...@openssh.com <mailto:
> aes256-...@openssh.com>,chacha20-poly1...@openssh.com <mailto:
> chacha20-poly1...@openssh.com>,aes256-ctr
> >   [sshexec] kex: server: hmac-sha2-256-...@openssh.com <mailto:
> hmac-sha2-256-...@openssh.com>,umac-128-...@openssh.com <mailto:
> umac-128-...@openssh.com>,hmac-sha2-512-...@openssh.com <mailto:
> hmac-sha2-512-...@openssh.com>,hmac-sha2-256,umac-...@openssh.com <mailto:
> umac-...@openssh.com>,hmac-sha2-512
> >   [sshexec] kex: server: hmac-sha2-256-...@openssh.com <mailto:
> hmac-sha2-256-...@openssh.com>,umac-128-...@openssh.com <mailto:
> umac-128-...@openssh.com>,hmac-sha2-512-...@openssh.com <mailto:
> hmac-sha2-512-...@openssh.com>,hmac-sha2-256,umac-...@openssh.com <mailto:
> umac-...@openssh.com>,hmac-sha2-512
> >   [sshexec] kex: server: none
> >   [sshexec] kex: server: none
> >   [sshexec] kex: server:
> >   [sshexec] kex: server:
> >   [sshexec] kex: client:
> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> >   [sshexec] kex: client:
> ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> >   [sshexec] kex: client:
> aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
> >   [sshexec] kex: client:
> aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
> >   [sshexec] kex: client:
> hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
> >   [sshexec] kex: client:
> hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
> >   [sshexec] kex: client: none
> >   [sshexec] kex: client: none
> >   [sshexec] kex: client:
> >   [sshexec] kex: client:
> >   [sshexec] kex: server->client aes256-ctr hmac-sha2-256 none
> >   [sshexec] kex: client->server aes256-ctr hmac-sha2-256 none
> >   [sshexec] SSH_MSG_KEX_ECDH_INIT sent
> >   [sshexec] expecting SSH_MSG_KEX_ECDH_REPLY
> >   [sshexec] Permanently added 'myServer.myDomain' (ECDSA) to the list of
> known hosts.
> >   [sshexec] SSH_MSG_NEWKEYS sent
> >   [sshexec] SSH_MSG_NEWKEYS received
> >   [sshexec] SSH_MSG_SERVICE_REQUEST sent
> >   [sshexec] SSH_MSG_SERVICE_ACCEPT received
> >   [sshexec] Authentications that can continue:
> publickey,keyboard-interactive,password
> >   [sshexec] Next authentication method: publickey
> >   [sshexec] Authentications that can continue: password
> >   [sshexec] Next authentication method: password
> >   [sshexec] Disconnecting from myServer.myDomain port 22
> >
> > BUILD FAILED
> > /opt/jenkins/workspace/NAP-OIS-FileStager/build/testTouchNew.xml:14:
> com.jcraft.jsch.JSchException: Auth cancel
> >         at com.jcraft.jsch.Session.connect(Session.java:518)
> >         at com.jcraft.jsch.Session.connect(Session.java:183)
> >         at
> org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:225)
> >         at
> org.apache.tools.ant.taskdefs.optional.ssh.SSHExec.execute(SSHExec.java:312)
> >         at
> org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
> >         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> >         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >         at
> org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
> >         at org.apache.tools.ant.Task.perform(Task.java:348)
> >         at org.apache.tools.ant.Target.execute(Target.java:435)
> >         at org.apache.tools.ant.Target.performTasks(Target.java:456)
> >         at
> org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
> >         at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
> >         at
> org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
> >         at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
> >         at org.apache.tools.ant.Main.runBuild(Main.java:851)
> >         at org.apache.tools.ant.Main.startAnt(Main.java:235)
> >         at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
> >         at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
> >
> > The task goes smoothly when run from RHEL7 to RHEL7 or RHEL8 to RHEL7.
> Just not running it TO RHEL 8.  Thus if I could reproduce it in a way that
> the RedHat folks could reproduce it on their end, then I may get a fix for
> it other than commenting out the PAM module.
> >
> > Thanks,
> > Eric
> >
> > On Wed, Dec 28, 2022 at 1:42 PM Ilya Basin <basini...@gmail.com <mailto:
> basini...@gmail.com>> wrote:
> >
> >     I don't think we'll help more without seeing the problem details.
> >
> >     On 28.12.2022 23:16, Eric Fetzer wrote:
> >     > Hmmm, that command works at the command line.
> >     >
> >     > On Wed, Dec 28, 2022 at 10:54 AM Ilya Basin <basini...@gmail.com
> <mailto:basini...@gmail.com> <mailto:basini...@gmail.com <mailto:
> basini...@gmail.com>>> wrote:
> >     >
> >     >     Hi Eric.
> >     >
> >     >     I hope you're using the modern OpenSSH client program.
> Something like this:
> >     >
> >     >     ssh -F none \
> >     >       -oBatchMode=yes \
> >     >       -oUser=myUser \
> >     >       -oIdentityAgent=none \
> >     >       -oIdentityFile=/var/lib/jenkins/.ssh/id_rsa \
> >     >       -oPort=1401 \
> >     >       -oUpdateHostKeys=no \
> >     >       -oStrictHostKeyChecking=no \
> >     >       myHost.myDomain \
> >     >       "touch /myPath/toMyFiles/test.txt"
> >     >
> >     >
> >     >     Note that the java SSH library may use obsolete encryption
> algorithms which you'll also have to force. See
> https://linux.die.net/man/5/ssh_config <
> https://linux.die.net/man/5/ssh_config> <
> https://linux.die.net/man/5/ssh_config <
> https://linux.die.net/man/5/ssh_config>>
> >     >
> >     >
> >     >     On 28.12.2022 21:39, Eric Fetzer wrote:
> >     >     > Hi!  Can anyone tell me what the command line equivalent to
> the following
> >     >     > directive in ant is?
> >     >     >
> >     >     >         <sshexec host="myHost.myDomain"
> >     >     >              username="myUser"
> >     >     >              keyfile="/var/lib/jenkins/.ssh/id_rsa"
> >     >     >              passphrase=""
> >     >     >              command="touch /myPath/toMyFiles/test.txt"
> >     >     >              trust="true"
> >     >     >              timeout="3000000"
> >     >     >              verbose="true"
> >     >     >              port="22"
> >     >     >         />
> >     >     >
> >     >     > We've found a bug with this command in RHEL 8 and the RedHat
> folks won't
> >     >     > consider the sshexec command as a repro.  I've tried the
> best I can figure
> >     >     > and the command works from the command line however I've
> tried.  Thanks!
> >     >     > Eric
> >     >     >
> >     >
> >
>

Reply via email to