Establishing secure connectivity between a Jenkins controller and remote agents typically relies on SSH key-based authentication. The following workflow outlines the complete procedure for provisioning a dedicated user account, exchanging cryptographic keys, registering the credential within Jenkins, and deploying the agent software.

1. Provision SSH Keys on the Target Machine

Access the remote host intended for the agent role. Switch to the target operating system user (e.g., buildsvc) responsible for executing pipeline tasks. Generate a modern cryptographic key pair without a passphrase to facilitate automated connections:

sudo su - buildsvc
ssh-keygen -t ed25519 -f ~/.ssh/id_buildsvc -N "" -q

This command creates two files: id_buildsvc (private key) and id_buildsvc.pub (public key). Both should reside in the .ssh directory with strict permissions.

2. Authorize the Public Key

Jenkins will authenticate using the public portion of the key pair. Append the generated public key to the user's authorized keys file and enforce restrictive file permissions to prevent SSH rejection:

cd ~/.ssh
cat id_buildsvc.pub >> authorized_keys
chmod 600 authorized_keys
chmod 700 ~/.ssh

Verify that the /home/buildsvc/.ssh/authorized_keys file contains exactly one line corresponding to the newly generated ED25519 key.

3. Register Credentials in Jenkins

Log into the Jenkins web interface and nvaigate to Manage Jenkins > Credentials. Select the system domain and choose Global credentials (unrestricted). Click Add Credentials:

• Kind: SSH Username with private key
• Scope: Global
• Username: buildsvc (matches the OS account created earlier)
• Private Key: Select Enter directly, then paste the raw contents of the ~/.ssh/id_buildsvc file generated in Step 1.
• ID & Description: Assign a identifier like agent-ssh-ed25519 for easy reference later. Save the configuration.

4. Configure the Remote Agent

Proceed to Manage Jenkins > Nodes > New Node. Define the agent properties carefully:

• Name: Unique identifier for the agent node.
• Type: Select either Permanent Agent or Dynamic Agent depending on infrastructure requirements.
• Remote Root Directory: Path where the Jenkins slave.jar will be unpacked and executed (e.g., /home/buildsvc/jenkins).
• Launch Method: Choose Launch agent via SSH.
• Host: Enter the DNS hostname or IPv4 address of the remote machine.
• Credentials: Pick the agent-ssh-ed25519 entry created in Step 3.
• Host Key Verification Strategy: Set to Non-verifying Verifier to skip interactive host fingerprint confirmation during initial bootstrapping. For production environments, pinning to a known host key is recommended.
• Labels, Usage, # of Executors, Retention Time: Adjust according to workload expectations.
• Advanced: Specify Java Path (JAVA_HOME) manually if the JDK installation differs from the system default. Leave transport protocols at their defaults unless network restrictions apply.

Click Save to initialize the connection. Jenkins will attempt to push the slave.jar bootstrap file and establish a TCP session over port 22. If the handshake succeeds, the node status turns green. Monitor the console output for any permission errors, firewall blocks, or Java version mismatches requiring correction.