Well it turns out this wasn't the fix. The SA accidentally left security relaxed. Still need to figure this out. Is there a way to call JSCH from the command line to reproduce the issue? Thanks - Eric
On Fri, Dec 30, 2022 at 8:51 AM Eric Fetzer <eric.fet...@gmail.com> wrote:
> One of our SAs figured out a good workaround. I had to regen our
> keypair using pem. Then it worked.
>
> ssh-keygen -m pem
>
> Thanks for all the help guys!
>
> On Wed, Dec 28, 2022 at 2:53 PM ilya Basin <basini...@gmail.com> wrote:
>
>> Have you tried running the Ant task from an interactive shell or was it
>> always being launched by Jenkins?
>>
>> On 29.12.2022 0:14, Eric Fetzer wrote:
>>> OK, here's what we've put together:
>>>
>>> On the server that this is trying to ssh to and run a command, it gets
>>> an error: PAM: pam_open_session(): Cannot make/remove an entry for the
>>> specified session
>>>
>>> The quick fix (which the SAs aren't willing to make long term) is to
>>> comment out the line “session required pam_loginuid.so” in
>>> /etc/pam.d/sshd.
>>>
>>> RedHat customer support thinks it's a bug but are not willing to call
>>> it so unless we can reproduce it with a native command line. Here's the
>>> output from the command being run in Ant:
>>>
>>> parsing buildfile jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml with URI = jar:file:/var/lib/jenkins/tools/hudson.tasks.Ant_AntInstallation/ANT-1.9.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml from a zip file
>>>      [echo] Creating a file in /my/path on myServer.myDomain to be sure there's something to delete
>>>   [sshexec] Connecting to myServer.myDomain:22
>>>   [sshexec] Connecting to myServer.myDomain port 22
>>>   [sshexec] Connection established
>>>   [sshexec] Remote version string: SSH-2.0-OpenSSH_8.0
>>>   [sshexec] Local version string: SSH-2.0-JSCH-0.1.54
>>>   [sshexec] CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
>>>   [sshexec] CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
>>>   [sshexec] CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>>>   [sshexec] SSH_MSG_KEXINIT sent
>>>   [sshexec] SSH_MSG_KEXINIT received
>>>   [sshexec] kex: server: curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
>>>   [sshexec] kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
>>>   [sshexec] kex: server: aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes256-ctr
>>>   [sshexec] kex: server: aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes256-ctr
>>>   [sshexec] kex: server: hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,umac-...@openssh.com,hmac-sha2-512
>>>   [sshexec] kex: server: hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,umac-...@openssh.com,hmac-sha2-512
>>>   [sshexec] kex: server: none
>>>   [sshexec] kex: server: none
>>>   [sshexec] kex: server:
>>>   [sshexec] kex: server:
>>>   [sshexec] kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>   [sshexec] kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>>>   [sshexec] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
>>>   [sshexec] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
>>>   [sshexec] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
>>>   [sshexec] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
>>>   [sshexec] kex: client: none
>>>   [sshexec] kex: client: none
>>>   [sshexec] kex: client:
>>>   [sshexec] kex: client:
>>>   [sshexec] kex: server->client aes256-ctr hmac-sha2-256 none
>>>   [sshexec] kex: client->server aes256-ctr hmac-sha2-256 none
>>>   [sshexec] SSH_MSG_KEX_ECDH_INIT sent
>>>   [sshexec] expecting SSH_MSG_KEX_ECDH_REPLY
>>>   [sshexec] Permanently added 'myServer.myDomain' (ECDSA) to the list of known hosts.
>>>   [sshexec] SSH_MSG_NEWKEYS sent
>>>   [sshexec] SSH_MSG_NEWKEYS received
>>>   [sshexec] SSH_MSG_SERVICE_REQUEST sent
>>>   [sshexec] SSH_MSG_SERVICE_ACCEPT received
>>>   [sshexec] Authentications that can continue: publickey,keyboard-interactive,password
>>>   [sshexec] Next authentication method: publickey
>>>   [sshexec] Authentications that can continue: password
>>>   [sshexec] Next authentication method: password
>>>   [sshexec] Disconnecting from myServer.myDomain port 22
>>>
>>> BUILD FAILED
>>> /opt/jenkins/workspace/NAP-OIS-FileStager/build/testTouchNew.xml:14: com.jcraft.jsch.JSchException: Auth cancel
>>>         at com.jcraft.jsch.Session.connect(Session.java:518)
>>>         at com.jcraft.jsch.Session.connect(Session.java:183)
>>>         at org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:225)
>>>         at org.apache.tools.ant.taskdefs.optional.ssh.SSHExec.execute(SSHExec.java:312)
>>>         at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
>>>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>>         at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
>>>         at org.apache.tools.ant.Task.perform(Task.java:348)
>>>         at org.apache.tools.ant.Target.execute(Target.java:435)
>>>         at org.apache.tools.ant.Target.performTasks(Target.java:456)
>>>         at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
>>>         at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
>>>         at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
>>>         at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
>>>         at org.apache.tools.ant.Main.runBuild(Main.java:851)
>>>         at org.apache.tools.ant.Main.startAnt(Main.java:235)
>>>         at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
>>>         at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
>>>
>>> The task goes smoothly when run from RHEL7 to RHEL7 or RHEL8 to RHEL7.
>>> Just not running it TO RHEL 8. Thus if I could reproduce it in a way that
>>> the RedHat folks could reproduce it on their end, then I may get a fix for
>>> it other than commenting out the PAM module.
>>>
>>> Thanks,
>>> Eric
>>>
>>> On Wed, Dec 28, 2022 at 1:42 PM Ilya Basin <basini...@gmail.com> wrote:
>>>
>>>> I don't think we'll help more without seeing the problem details.
>>>>
>>>> On 28.12.2022 23:16, Eric Fetzer wrote:
>>>>> Hmmm, that command works at the command line.
>>>>>
>>>>> On Wed, Dec 28, 2022 at 10:54 AM Ilya Basin <basini...@gmail.com> wrote:
>>>>>
>>>>>> Hi Eric.
>>>>>>
>>>>>> I hope you're using the modern OpenSSH client program. Something like this:
>>>>>>
>>>>>> ssh -F none \
>>>>>>     -oBatchMode=yes \
>>>>>>     -oUser=myUser \
>>>>>>     -oIdentityAgent=none \
>>>>>>     -oIdentityFile=/var/lib/jenkins/.ssh/id_rsa \
>>>>>>     -oPort=1401 \
>>>>>>     -oUpdateHostKeys=no \
>>>>>>     -oStrictHostKeyChecking=no \
>>>>>>     myHost.myDomain \
>>>>>>     "touch /myPath/toMyFiles/test.txt"
>>>>>>
>>>>>> Note that the java SSH library may use obsolete encryption algorithms
>>>>>> which you'll also have to force. See https://linux.die.net/man/5/ssh_config
>>>>>>
>>>>>> On 28.12.2022 21:39, Eric Fetzer wrote:
>>>>>>> Hi! Can anyone tell me what the command line equivalent to the following
>>>>>>> directive in ant is?
>>>>>>>
>>>>>>> <sshexec host="myHost.myDomain"
>>>>>>>          username="myUser"
>>>>>>>          keyfile="/var/lib/jenkins/.ssh/id_rsa"
>>>>>>>          passphrase=""
>>>>>>>          command="touch /myPath/toMyFiles/test.txt"
>>>>>>>          trust="true"
>>>>>>>          timeout="3000000"
>>>>>>>          verbose="true"
>>>>>>>          port="22"
>>>>>>> />
>>>>>>>
>>>>>>> We've found a bug with this command in RHEL 8 and the RedHat folks won't
>>>>>>> consider the sshexec command as a repro. I've tried the best I can figure
>>>>>>> and the command works from the command line however I've tried. Thanks!
>>>>>>> Eric
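Eric's last question in the thread is whether JSch can be driven from the command line, outside Ant, so that the failing connection can be reproduced without the sshexec task. The following stand-alone Java program is an added example for this thread, not code from the Ant project or from anyone on the list. It uses the public JSch API (JSch, Session, ChannelExec, and JSch.setLogger) to do what the sshexec directive above does: load the key file, connect, run one command, and print JSch's own DEBUG log, which is the same negotiation output the verbose="true" attribute produced. The class name JschRepro, the positional arguments, and the 30-second timeout are choices made for this example. Unlike sshexec, it restricts authentication to publickey, so a rejected key is reported as an authentication failure rather than falling through to the password method, which is where the "Auth cancel" in the Ant log came from. The StrictHostKeyChecking=no setting mirrors trust="true" and is only appropriate for a throwaway reproduction; keep host key checking on in any real job.

```java
import com.jcraft.jsch.ChannelExec;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Logger;
import com.jcraft.jsch.Session;

import java.io.IOException;
import java.io.InputStream;

/**
 * Stand-alone JSch reproducer (example code, not from the Ant project).
 * Build and run against the same jsch.jar Ant uses, for instance:
 *   javac -cp jsch.jar JschRepro.java
 *   java -cp jsch.jar:. JschRepro myUser myHost.myDomain 22 \
 *        /var/lib/jenkins/.ssh/id_rsa "touch /myPath/toMyFiles/test.txt"
 * Host, user, port, key path and command are taken from the command line;
 * the values above are the placeholders used in the thread.
 */
public class JschRepro {

    /** Forward JSch's internal log (kex, auth methods, ...) to stderr at every level. */
    static final class StderrLogger implements Logger {
        @Override public boolean isEnabled(int level) { return true; }
        @Override public void log(int level, String message) {
            System.err.println("[jsch " + level + "] " + message);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: JschRepro <user> <host> <port> <keyfile> <command>");
            System.exit(2);
        }
        String user = args[0], host = args[1];
        int port = Integer.parseInt(args[2]);
        String keyfile = args[3], command = args[4];

        JSch.setLogger(new StderrLogger());
        JSch jsch = new JSch();
        // Same as sshexec keyfile="..." passphrase="": an unencrypted key file.
        jsch.addIdentity(keyfile);

        Session session = jsch.getSession(user, host, port);
        // Same as sshexec trust="true". Only acceptable for a throwaway repro.
        session.setConfig("StrictHostKeyChecking", "no");
        // Publickey only: a rejected key fails the connect() call instead of
        // JSch moving on to the password method and ending in "Auth cancel".
        session.setConfig("PreferredAuthentications", "publickey");
        session.setTimeout(30_000); // example choice: 30 s socket timeout

        try {
            session.connect();
            int rc = runCommand(session, command);
            System.out.println("remote exit status: " + rc);
            System.exit(rc);
        } catch (JSchException e) {
            System.err.println("JSch failed: " + e.getMessage());
            System.exit(1);
        } finally {
            session.disconnect();
        }
    }

    /** Open an exec channel, run the command, copy its output, return its exit status. */
    static int runCommand(Session session, String command) throws JSchException, IOException {
        ChannelExec channel = (ChannelExec) session.openChannel("exec");
        channel.setCommand(command);
        channel.setErrStream(System.err);
        InputStream out = channel.getInputStream();
        channel.connect();
        byte[] buf = new byte[4096];
        while (true) {
            while (out.available() > 0) {
                int n = out.read(buf);
                if (n < 0) break;
                System.out.write(buf, 0, n);
            }
            if (channel.isClosed()) {
                if (out.available() > 0) continue; // drain what arrived before close
                break;
            }
            try { Thread.sleep(100); } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
                break;
            }
        }
        System.out.flush();
        int status = channel.getExitStatus();
        channel.disconnect();
        return status;
    }
}
```

Running this from a shell on the Jenkins host (not under Jenkins) separates two questions the thread leaves open: whether the failure depends on how the JVM was launched, and whether it is the JSch client itself that the RHEL 8 server rejects. The stderr log from this program can be placed side by side with `ssh -vvv` output for the same user, key and host; the `kex: client:` lines in the Ant log already show that JSch 0.1.54 offers only ssh-rsa and ssh-dss for RSA/DSA keys plus SHA-1 key-exchange groups, so comparing the two clients' offered algorithm lists against what the server advertises is the first thing to check before filing it as a PAM bug.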