
Jenkins SSH Permission denied (connect failed)

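When I go to "Jenkins - Configure System" and configure the "Publish over SSH" plugin so that it contains the relevant host and user information, then click the "Test Configuration" button, I receive a message below the plugin configuration that says: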

Failed to connect or change directory

jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [l-02_App]. Message [java.net.SocketException: Permission denied (connect failed)]]

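The same message is output when it is configured to use key authentication or username/password authentication, and even when bogus values are specified for the user, password, or hostname.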

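Jenkins was installed by dropping the .war file into /usr/share/tomcat/webapps. I have configured private key authentication so that the user running Jenkins (tomcat) can connect to the remote server using a key with a passphrase, as a user named jenkins. For example, I can connect successfully using sudo -s -u tomcat
ssh jenkins@remotehost
and then providing my key passphrase.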

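As another test, I compiled some sample code that uses jsch, and that test was also successful. https://www.journaldev.com/246/jsch-example-java-ssh-unix-server I ran the compiled code as the tomcat user, and it successfully connected to the remote host and executed ls.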

Any help is greatly appreciated!

Full error message from the Jenkins log:

Failed to connect session for config [l-02_App]. Message [java.net.SocketException: Permission denied (connect failed)]
java.net.SocketException: Permission denied (connect failed)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at com.jcraft.jsch.Util$1.run(Util.java:362)
Caused: com.jcraft.jsch.JSchException
    at com.jcraft.jsch.Util.createSocket(Util.java:394)
    at com.jcraft.jsch.Session.connect(Session.java:215)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.connect(BapSshHostConfiguration.java:380)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.createClient(BapSshHostConfiguration.java:245)
    at jenkins.plugins.publish_over_ssh.BapSshHostConfiguration.createClient(BapSshHostConfiguration.java:234)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshPublisherPluginDescriptor.validateConnection(BapSshPublisherPluginDescriptor.java:181)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshPublisherPluginDescriptor.doTestConnection(BapSshPublisherPluginDescriptor.java:176)
    at jenkins.plugins.publish_over_ssh.descriptor.BapSshHostConfigurationDescriptor.doTestConnection(BapSshHostConfigurationDescriptor.java:90)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
    at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

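SELinux (enabled by default in RHEL 7.5) was denying tomcat from connecting over ssh. I set selinux to permissive mode to allow the communication.

After attempting to test the SSH connection from within Jenkins, running tail -f /var/log/audit/audit.log showed the following.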

type=AVC msg=audit(1526906414.031:103): avc:  denied  { name_connect } for  pid=1052 comm="java" dest=22 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1526906414.031:103): arch=c000003e syscall=42 success=no exit=-13 a0=35 a1=7f96e6af54a0 a2=10 a3=220 items=0 ppid=1 pid=1052 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1526906414.031:103):

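After running setenforce Permissive I was able to test the connection successfully. I then modified the selinux config so that it would remain in permissive mode after a reboot: nano /etc/selinux/config and set SELINUX=permissive

Another option is to install a semodule for the sshd denial, using the following commands: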

audit2allow -a
audit2allow -a -M sshd_t
semodule -i sshd_t.pp
