Building a Secure Jenkins SSH Agent with Docker

Jasai Hansda

In the world of DevOps and continuous integration, Jenkins remains a cornerstone for automating builds, tests, and deployments. One of the most scalable ways to run Jenkins agents is inside Docker containers, allowing for isolated, reproducible, and easily managed build environments. But security and consistency are critical—especially when agents need SSH access.

This project provides a ready-to-use Docker image based on Amazon Linux 2023, pre-installed with Java 17, Git, Python3, and a hardened SSH server. The image is designed specifically for Jenkins agent use cases, focusing on security and ease of integration.

Docker Image: GitHub link for Dockerfile

Why Use This Image?

  • Security First: Only SSH key-based authentication is allowed. Password login and root SSH access are disabled by default, reducing attack surface.

  • Cloud-Native: Amazon Linux 2023 ensures compatibility with AWS and modern cloud environments.

  • Ready for Jenkins: Java 17 and essential tools are pre-installed, so you can connect your Jenkins master to the agent immediately.

  • Reproducibility: Every agent container starts from the same clean, predictable environment.

How to Get Started

  1. Pull the Prebuilt Image

    The image is already available on Docker Hub. Simply pull it with:

     docker pull jasai/jenkins-agent:latest
    
  2. Generate an SSH Key Pair

    On your Jenkins master or local machine, generate a key pair:

     ssh-keygen -t rsa -b 2048 -f id_jenkins_agent
    

    Use the private key (id_jenkins_agent) in Jenkins. The public key (id_jenkins_agent.pub) is used during the image build if you want a custom agent.

  3. Build Your Own Image (Optional)

    If you want to inject your own public key, build the image like this:

     docker build --build-arg JENKINS_PUB_KEY="$(cat id_jenkins_agent.pub)" -t my-jenkins-agent .
    

    The build process automatically places your public key in the correct location for the jenkins user.

  4. Run the Container

    Start the agent container and map the SSH port:

     docker run -d --name my-jenkins-agent -p 22:22 jasai/jenkins-agent:latest
    

    This exposes SSH on port 22 of your host.

  5. Add SSH Credentials in Jenkins Using the Jenkins UI

    • Go to Jenkins Dashboard > Manage Jenkins > Manage Credentials.

    • Select the appropriate domain (or "(global)") and click Add Credentials.

    • Choose Kind: SSH Username with private key.

      • Username: jenkins

      • Private Key: Paste the contents of id_jenkins_agent

        Go to the directory where you ran the ssh-keygen command and execute:

          cat id_jenkins_agent
        
      • ID/Description: (Optional, for your reference)

  6. Add a New Node (Agent) in Jenkins

    • Go to Manage Jenkins > Manage Nodes and Clouds > New Node.

    • Enter a name (e.g., docker-agent), select Permanent Agent, and click OK.

    • Configure:

      • Remote root directory: /home/jenkins

      • Launch method: "Launch agents via SSH"

      • Host: IP address or hostname of your Docker host (use localhost if local)

        • To find out the host IP, run:

            docker inspect my-jenkins-agent
          

      • Credentials: Select the SSH credentials you added earlier

      • Host Key Verification Strategy: "Non verifying" (for automation; with this setting Jenkins does not check the agent's SSH host key)

  7. Save and Connect

    • Click Save.

    • Jenkins will attempt to connect to the agent via SSH.

    • If successful, the node status will turn green and be ready for jobs.

You can now use this node to run pipeline jobs.


Security Notes

  • No passwords are set or accepted—only SSH keys.

  • Root login is disabled.

  • Only the jenkins user can connect via SSH.

  • The public key is injected at build time for automation and security.
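
One way to check the four claims above against a running container, as an added example rather than part of the original project: the function below reads `sshd -T` output (sshd's effective configuration) and compares it with the expected values. The function names, the sample input, and the `/usr/sbin/sshd` path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the Security Notes claims.
# Input is the text printed by `sshd -T` (the daemon's effective configuration).

# sshd_values <dump> <keyword>: print each value set for a lowercase keyword.
sshd_values() {
    printf '%s\n' "$1" |
        awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print }'
}

# audit_sshd <dump>: print PASS/FAIL per claim; return 1 if any claim fails.
audit_sshd() {
    local dump="$1" rc=0 pair key want got
    # keyword=expected value, one pair per Security Notes bullet
    for pair in passwordauthentication=no permitrootlogin=no \
                pubkeyauthentication=yes allowusers=jenkins; do
        key=${pair%%=*}
        want=${pair#*=}
        # Repeated keywords (several AllowUsers entries) are joined with commas.
        got=$(sshd_values "$dump" "$key" | sort -u | paste -sd, -)
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=${got:-<unset>} (expected $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `sshd -T` output, not captured from the real image.
SAMPLE='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers jenkins'
audit_sshd "$SAMPLE"

# Against the running container (sshd path and exec as root are assumptions):
#   audit_sshd "$(docker exec -u root my-jenkins-agent /usr/sbin/sshd -T)"
```

An unset `allowusers` is reported as a failure because sshd then places no user restriction of its own, which contradicts the third bullet.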

Conclusion

This Docker image makes it easy to deploy secure, consistent Jenkins agents in any environment. Whether you’re running CI/CD pipelines on-premises or in the cloud, you get the flexibility of Docker with the security and reliability of Amazon Linux and SSH key authentication.

Try it by pulling the image from Docker Hub:

 docker pull jasai/jenkins-agent:latest

Happy building!
