Jenkins is a widely used automation tool, that helps developers streamline CI/CD workflows.
One common use case is deploying applications or running commands on remote servers via SSH using the Publish Over SSH plugin.
However, many users face authentication errors that prevent successful connections.
One such error is:
ardjenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [.....]. Message [Auth fail]]
This blog will help you understand why this happens and how to resolve it with a simple SSH configuration update.
Understanding the Issue
Why Does the SSH Authentication Error Occur?
This issue occurs due to recent security changes in OpenSSH , where ssh-rsa has been deprecated as a default authentication method. If your remote server runs a newer version of OpenSSH (such as on Ubuntu 20.04 or 22.04 ), it may reject authentication attempts using older RSA keys.
This is why Jenkins’ Publish Over SSH plugin may fail to connect, even if your SSH key is correctly stored in Jenkins credentials.
How to Identify the Issue?
If you try to connect manually using SSH, you may see this error in the remote machine’s logs (/var/log/auth.log):
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
error: Received disconnect from XX.XX.XX.XX port 54588:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Disconnected from authenticating user ubuntu XX.XX.XX.XX port 54588 [preauth]
This log confirms that ssh-rsa is not an accepted key type on the remote server.
The Solution: Updating SSH Configuration
To resolve this, you need to allow ssh-rsa keys on the remote server explicitly.
📌 Step-by-Step Fix
Follow these steps on the remote machine:
1️⃣ Access the Remote Machine
Log in to your remote server where Jenkins is trying to connect:
ssh user@remote-server
2️⃣ Edit the SSH Configuration File
Use a text editor like vi or nano to modify the SSH daemon configuration:
sudo vi /etc/ssh/sshd_config
3️⃣ Enable Public Key Authentication
Look for the following line and uncomment it (remove the # if present):
PubKeyAuthentication yes
Then, add this line at the bottom of the file :
PubKeyAcceptedKeyTypes=+ssh-rsa
This tells OpenSSH to accept SSH-RSA keys , restoring compatibility with Jenkins’ Publish Over SSH plugin.
4️⃣ Save and Exit the File
- If using vi, press ESC, type :wq, and hit Enter.
- If using nano, press CTRL + X, then Y, and Enter to save changes.
5️⃣ Restart SSH Service
After making the changes, restart SSH for them to take effect:
udo systemctl restart sshd
6️⃣ (Optional) Reboot the Machine
If the fix does not take effect immediately, try rebooting:
sudo reboot
Verifying the Fix
Once your remote server has restarted the SSH service (or rebooted), go back to Jenkins and try running your Publish Over SSH job again.
It should now successfully connect to the remote server without the authentication error. 🎉
Why Did This Fix Work?
By default, OpenSSH in newer Linux distributions disables ssh-rsa for security reasons. The fix works because:
✅ PubKeyAuthentication yes → Ensures SSH key authentication is enabled.
✅ PubKeyAcceptedKeyTypes=+ssh-rsa → Allows ssh-rsa keys that were previously blocked.
These changes restore compatibility between Jenkins and your remote machine, allowing SSH connections to succeed.
Additional Troubleshooting
If you’re still facing issues, try these steps:
1️⃣ Ensure Jenkins Uses the Correct SSH Key
If Jenkins still fails to connect, check if the correct SSH private key is configured in Jenkins credentials.
- Go to Manage Jenkins → Manage Credentials
- Find the SSH key stored for your server
- Ensure it matches the public key on the remote server (in ~/.ssh/authorized_keys).
You can also manually test if your key works:
ssh -i /path/to/your/key user@remote-server
2️⃣ Test SSH Connectivity from the Jenkins Machine
Try connecting manually from the Jenkins server to see if the SSH authentication succeeds:
ssh user@remote-server -v
If you see “Auth fail” , it means the server is still rejecting your key.
3️⃣ Try Regenerating SSH Keys
If your SSH key is old, try generating a new RSA key pair on your Jenkins machine:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
Then, add the new public key (id_rsa.pub) to the remote server’s ~/.ssh/authorized_keys file.
Alternative Approach: Upgrade Your Key Type
Instead of re-enabling ssh-rsa, consider upgrading to a more secure key type like ED25519 or ECDSA.
To generate a new ED25519 key :
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
Then, add the new public key to the remote machine:
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
Update Jenkins to use this new key in Manage Credentials.
This method is more secure and recommended for modern OpenSSH setups.
Conclusion
If you are facing SSH authentication errors in Jenkins’ Publish Over SSH plugin, the root cause is often new OpenSSH security policies that disable ssh-rsa.
The best solution is to modify the SSH daemon config on the remote machine to explicitly allow ssh-rsa keys:
- Uncomment PubKeyAuthentication yes
- Add PubKeyAcceptedKeyTypes=+ssh-rsa
- Restart the SSH service
If possible, consider upgrading to stronger key types like ED25519 for improved security.
By following these steps, you can successfully restore Jenkins SSH connectivity , ensuring your automation pipelines run smoothly! 🚀
💬 Have You Faced This Issue?
Have you encountered SSH authentication failures with Jenkins? What worked for you? Let us know in the comments! 👇
🔗 For more details, refer to the original GitHub issue .
Top comments (0)