Keywords: Jenkins | GitHub | SSH Authentication | Status Code 128 | Key Configuration
Abstract: This paper provides a comprehensive analysis of the status code 128 error encountered when Jenkins clones GitHub repositories, focusing on SSH key configuration issues. Through systematic diagnostic steps including identifying Jenkins runtime user, verifying SSH connections, and configuring correct key files, it offers complete solutions. Combining specific error logs and practical cases, the article helps readers deeply understand the authentication mechanism between Jenkins and GitHub integration, along with preventive recommendations.
Problem Phenomenon Analysis
In Jenkins-GitHub integration, users frequently encounter status code 128 errors. From the provided error log, the key information is visible: Permission denied (publickey). fatal: The remote end hung up unexpectedly. This indicates SSH authentication failure, where Jenkins cannot connect to the GitHub repository via public key authentication.
Root Cause Diagnosis
The fundamental cause of status code 128 error lies in incorrect SSH key configuration. Although users can successfully authenticate via command line testing with ssh -T git@github.com, this uses the current user's SSH keys. Jenkins, however, uses its service account's SSH configuration during runtime, which may be completely different.
Specific manifestations include:
- Missing correct private key files in the Jenkins service account's
~/.ssh/directory - Improper private key file permissions, typically requiring 600 permissions
- Corresponding public key not properly added to GitHub account's SSH key settings
- Missing GitHub host key records in the known_hosts file
Systematic Solution Approach
To thoroughly resolve this issue, follow these systematic configuration steps:
Step 1: Identify Jenkins Runtime User
First, determine the user under which the Jenkins service runs. In Ubuntu systems, this can be checked with:
ps aux | grep jenkins
Or examine the runtime user specified in Tomcat configuration files. Common Jenkins runtime users include jenkins, build, or tomcat.
Step 2: Switch to Jenkins User Environment
Use sudo su - jenkins (adjust based on actual username) to switch to the Jenkins user's shell environment. This step is crucial since SSH configurations are completely separate for different users.
Step 3: Verify SSH Connection
Execute SSH connection testing in the Jenkins user environment:
ssh -T git@github.com
If the connection fails, SSH key configuration is required. Use verbose mode for diagnosis:
ssh -vvv git@github.com
Step 4: Configure SSH Keys
If the Jenkins user lacks SSH keys, generate a new key pair:
ssh-keygen -t rsa -b 4096 -C "jenkins@your-domain.com"
Maintain default filenames (id_rsa and id_rsa.pub) during generation and set a secure passphrase.
Step 5: Set File Permissions
Correct file permissions are crucial for SSH authentication:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/known_hosts
Step 6: Add Public Key to GitHub
Add the generated public key content to the GitHub account:
cat ~/.ssh/id_rsa.pub
Copy the output content, log into GitHub, navigate to Settings → SSH and GPG keys → New SSH key, paste the public key content and save.
Step 7: Initialize known_hosts
For the first connection to GitHub, add GitHub's host key to the known_hosts file:
ssh-keyscan github.com >> ~/.ssh/known_hosts
Verification and Testing
After completing the above configuration, retest SSH connection in the Jenkins user environment:
ssh -T git@github.com
You should see the success message: Hi username! You've successfully authenticated, but GitHub does not provide shell access.
Then reconfigure the Git repository address in Jenkins using SSH format: git@github.com:username/repository.git, and retrigger the build job.
Preventive Measures and Best Practices
To prevent similar issues from recurring, implement the following preventive measures:
- Create dedicated SSH key pairs for Jenkins service, avoiding reuse of personal development keys
- Regularly rotate SSH keys to enhance security
- Centrally manage SSH keys in Jenkins Credentials management
- When using Jenkins Pipeline scripts, manage keys via the
sshagentplugin - Monitor Jenkins logs to promptly identify authentication issues
Extended Application Scenarios
Similar SSH authentication issues occur not only in GitHub integration but also with other Git hosting services (such as GitLab, Gitea, etc.). As referenced in the auxiliary article regarding Gitea integration issues, the root causes and solutions are similar to GitHub—both involve SSH key configuration problems.
For different Git hosting services, only adjust the repository URL format and host keys accordingly. For example, for GitLab, the corresponding test command is: ssh -T git@gitlab.com.
Conclusion
The core of Jenkins status code 128 error lies in SSH key configuration. Through systematic diagnosis and configuration processes, this issue can be effectively resolved. The key is understanding the independence of Jenkins runtime users and ensuring correct SSH key configuration, file permissions, and known_hosts records in that user environment. Following the steps provided in this article enables quick identification and resolution of authentication issues in Jenkins-GitHub integration.