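Jenkins SSH Permission denied (connect failed)

Time: 2018-05-18 19:41:23

Tags: java jenkins ssh

When I go to Jenkins - Configure System and configure the Publish Over SSH plugin so that it contains the relevant host and user information, then click the Test Configuration button, I get a message below the plugin configuration stating: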

Failed to connect or change directory

jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [l-02_App]. Message [java.net.SocketException: Permission denied (connect failed)]]

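The same message is output when the configuration is used with key authentication, with username/password authentication, and even when bogus values are specified for the user, password, or hostname.

Jenkins was installed by dropping the .war file into /usr/share/tomcat/webapps. I have configured private key authentication so that the user running Jenkins (tomcat) can connect to the remote server as a user named jenkins using a key and passphrase. For example, I can connect successfully using

    sudo -s -u tomcat
    ssh jenkins@remotehost

and then supplying my key passphrase.

As another test, I compiled some sample code that uses jsch, and that test was also successful: https://www.journaldev.com/246/jsch-example-java-ssh-unix-server. I ran the compiled code as the tomcat user, and it connected to the remote host successfully and executed ls.

Any help is greatly appreciated!

Full error message from the Jenkins log: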

```
Failed to connect session for config [l-02_App]. Message [java.net.SocketException: Permission denied (connect failed)]
java.net.SocketException: Permission denied (connect failed)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at com.jcraft.jsch.Util$1.run(Util.java:362)
Caused: com.jcraft.jsch.JSchException
    at com.jcraft.jsch.Util.createSocket(Util.java:394)
    at com.jcraft.jsch.Session.connect(Session.java:215)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.connect(BapSshHostConfiguration.java:380)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.createClient(BapSshHostConfiguration.java:245)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.createClient(BapSshHostConfiguration.java:234)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshPublisherPluginDescriptor.validateConnection(BapSshPublisherPluginDescriptor.java:181)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshPublisherPluginDescriptor.doTestConnection(BapSshPublisherPluginDescriptor.java:176)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshHostConfigurationDescriptor.doTestConnection(BapSshHostConfigurationDescriptor.java:90)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
    at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
```

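2 Answers:

Answer 0 (score: 0)

SELinux (enabled by default in RHEL 7.5) was denying tomcat from connecting over ssh. I set SELinux to permissive mode to allow the communication.

Running `tail -f /var/log/audit/audit.log` showed the following after attempting to test the SSH connection from within Jenkins.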

    type=AVC msg=audit(1526906414.031:103): avc:  denied  { name_connect } for  pid=1052 comm="java" dest=22 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
    type=SYSCALL msg=audit(1526906414.031:103): arch=c000003e syscall=42 success=no exit=-13 a0=35 a1=7f96e6af54a0 a2=10 a3=220 items=0 ppid=1 pid=1052 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
    type=PROCTITLE msg=audit(1526906414.031:103):

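After running `setenforce Permissive` I was able to test the connection successfully. I then modified the SELinux configuration so that permissive mode persists after a reboot: `nano /etc/selinux/config` and set `SELINUX=permissive`.

Answer 1 (score: 0)

Another option is to install a semodule for the sshd denials, using the following commands: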

    audit2allow -a
    audit2allow -a -M sshd_t
    semodule -i sshd_t.pp
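
An added example (not part of either answer, and not audit2allow's own code): a simplified Python sketch that parses AVC denial records like the one quoted in answer 0 and derives type-enforcement allow rules for a single source domain, so the rule set covers only the `tomcat_t` denial rather than every denial in the log. The second AVC record in the sample, the shortened SYSCALL record, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from answer 0, a shortened SYSCALL record,
# and one unrelated (hypothetical) denial from a different domain.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1526906414.031:103): avc:  denied  { name_connect } for  pid=1052 comm="java" dest=22 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1526906414.031:103): arch=c000003e syscall=42 success=no exit=-13 comm="java"
type=AVC msg=audit(1526906500.000:110): avc:  denied  { read write } for  pid=2001 comm="httpd" name="example.db" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m['scontext']), selinux_type(m['tcontext']),
                   m['tclass'], tuple(m['perms'].split()))

def allow_rules(log_text, source_type):
    """Build allow rules only for denials whose source domain matches."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        if src == source_type:
            merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_text};')
    return rules

if __name__ == '__main__':
    # Only the Jenkins/Tomcat denial is turned into a rule.
    for rule in allow_rules(SAMPLE_AUDIT_LOG, 'tomcat_t'):
        print(rule)
```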