
JenkinsTrigger does not understand SSH Key with a password

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: gerrit-trigger-plugin
    • Environment: Linux dt-000886 3.0.0-15-generic #26-Ubuntu SMP Fri Jan 20 17:23:00 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux; Jenkins ver. 1.450; Gerrit Trigger 2.3.1

      I can only get Jenkins to talk to Gerrit's SSH connection if the key file has no password.

      1. Use ssh-keygen to create a key with a password

      2. Configure Gerrit Trigger with that key and its password

      3. Test Connection

      > Bad SSH keyfile or password

      Jenkins.log:
      > 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
      > INFO: Parsing private key file
      > 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
      > INFO: Private key is not in the default format, attempting parse with other supported formats

      4. Clear the password: ssh-keygen -f .ssh/id_rsa -p -N ''

      Note that the Proc-Type and DEK-Info headers have gone.

      5. Test connection (without clearing the password!)

      6. Succeeds. Log still complains about non-default format.

      7. Clear the password in Jenkins.

      8. Test connection

      9. Still succeeds, Log still complains about non-default format.

      This took me ages to nail down because supplying a password to a no-password key file doesn't fail.

      Attachments:
        1. id_rsa.pub (0.4 kB)
        2. id_rsa.pub (0.4 kB)
        3. id_rsa (2 kB)
        4. id_rsa (2 kB)


          Judson Wilson added a comment -

          Having same issue, I think. Key only works with no password.


          Stephan Leicht Vogt added a comment -

          Same problem here. IMHO this is an issue which should be solved soon as it concerns an essential security hole.

          niiico added a comment -

          Same problem here. This is a major security issue!


          rin_ne added a comment -

          Do you think that the passphrase is used for key validation in the authentication phase? No. It is used to generate the signature. If the private key requires a passphrase, it is used. But if not, it is never used.

          So, if you set the path to the private key file generated by step 4, your password would not be used in any authentication process.

          I think that the current behavior about SSH you see is correct.


          Gaurav Negi added a comment -

          Can anyone please help me with this?
          I am trying to integrate Jenkins with Gerrit Trigger plugin.

          When I am testing the connection in Jenkins, I am hitting the following message.

          Connection error : com.jcraft.jsch.JSchException: Auth fail

          Can I also please know why the Gerrit Trigger plugin only accepts the private key of the Jenkins owner? Even with that it is not working for me.
          Any input will be highly appreciated. I can be reached at gaurav.negi@gmail.com

          Thanks
          -Gaurav


          Sam Van Oort added a comment - - edited

          I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library.
          I wrote a trivial test for gerrit-events to decrypt the attached key:

          import static org.junit.Assert.assertFalse;
          import static org.junit.Assert.assertTrue;

          import java.io.File;
          import java.net.URL;
          import java.security.Security;

          import org.bouncycastle.jce.provider.BouncyCastleProvider;
          import org.junit.Test;

          // SshUtil lives in the ssh package of gerrit-events; the package name is taken from that source tree
          import com.sonymobile.tools.gerrit.gerritevents.ssh.SshUtil;
          import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;

          public class SshUtilPassphraseTest {

              // Passphrase of the encrypted test key id_rsa_passphrase
              private static final String PASSPHRASE = "letmein";

              @Test
              public void testPassphraseParsing() throws Exception {
                  Security.addProvider(new BouncyCastleProvider());

                  // Get locked keyfile as file
                  URL url = Thread.currentThread().getContextClassLoader()
                          .getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");
                  File file = new File(url.getPath());

                  // Fail if invalid passphrase does not fail
                  boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");
                  assertFalse("Passphrase validation should fail!", failure);

                  // Will fail with: Unsupported passphrase algorithm: AES-128-CBC
                  SshPrivateKeyFile keyFile = SshPrivateKeyFile.parse(file);
                  keyFile.toPrivateKey(PASSPHRASE);

                  // THIS SHOULD SUCCEED AND INSTEAD IT FAILS!
                  boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);
                  assertTrue("Passphrase validation failed!", tested);
              }
          }

          (the encrypted ssh key is in the resources tet

          When run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):

          com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC
              at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source)
              at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)

          The issue is that j2ssh ONLY supports DES-EDE3-CBC:

          if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {
              throw new NoSuchAlgorithmException(
                  "Unsupported passphrase algorithm: " + keyAlgorithm);
          }

          j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but it is not 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this.

          In the meantime, keys can be converted to use DES-EDE3-CBC encryption and should work just fine with that.

          Edit: It appears that the use of ssh-tools in gerrit-events is confined to ssh-util, so with a few changes there, this can be supported.

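An added check, not code from the issue, the plugin or gerrit-events: a small Python parser for the legacy PEM headers of an OpenSSH private key that reports whether the key is encrypted at all (the reporter's case of a passphrase supplied for an unencrypted key, which rin_ne explains is simply never used) and, if it is, whether the DEK-Info cipher is the DES-EDE3-CBC that j2ssh accepts. The sample keys are constructed with placeholder bodies.

```python
import re

# The only passphrase cipher the j2ssh bundled with gerrit-events accepts (per the thread).
J2SSH_SUPPORTED_CIPHERS = {"DES-EDE3-CBC"}
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")

def parse_pem_headers(key_text):
    """Headers of a legacy PEM-style OpenSSH private key as a dict ({} if unencrypted)."""
    lines = key_text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    headers = {}
    for line in lines[1:-1]:
        m = HEADER_RE.match(line)
        if not m:  # blank separator or first base64 line: header section is over
            break
        headers[m.group(1)] = m.group(2).strip()
    return headers

def classify_key(key_text):
    """Return (encrypted, cipher, accepted_by_j2ssh) for the text of a key file."""
    headers = parse_pem_headers(key_text)
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return (False, None, True)  # no passphrase is involved at all
    cipher = headers.get("DEK-Info", "").split(",", 1)[0]
    return (True, cipher, cipher in J2SSH_SUPPORTED_CIPHERS)

def explain(key_text, passphrase_given):
    """One-line verdict matching the behaviour the thread describes."""
    encrypted, cipher, ok = classify_key(key_text)
    if not encrypted and passphrase_given:
        return "unencrypted key: the supplied passphrase is never used, so it cannot fail"
    if not encrypted:
        return "unencrypted key: no passphrase needed"
    if ok:
        return "encrypted with %s: j2ssh can decrypt it" % cipher
    return "encrypted with %s: j2ssh reports 'Unsupported passphrase algorithm'" % cipher

# Constructed sample keys; the base64 bodies are placeholders, not real key material.
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAplaceholder\n"
             "-----END RSA PRIVATE KEY-----\n")
AES_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           "MIIEowIBAAKCAQEAplaceholder\n-----END RSA PRIVATE KEY-----\n")
DES3_KEY = AES_KEY.replace("AES-128-CBC,0123456789ABCDEF0123456789ABCDEF",
                           "DES-EDE3-CBC,0123456789ABCDEF")

if __name__ == "__main__":
    for name, key in (("plain", PLAIN_KEY), ("aes", AES_KEY), ("des3", DES3_KEY)):
        print(name, "->", explain(key, passphrase_given=True))
```

Run it against a real key file's text to see in advance whether the plugin version on the page will reject it; note that the check only covers the legacy PEM format the thread is about, not the newer OPENSSH PRIVATE KEY container.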

          Sam Van Oort added a comment -

          I've got a fix, which takes place in the gerrit-events library (see linked PR). This PR will need to be merged and released, and then the dependency bumped in gerrit trigger, and the issue will be eliminated.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Sam Van Oort
          Path: pom.xml
          http://jenkins-ci.org/commit/gerrit-trigger-plugin/15e75b0aed6fb521846466e1faa27d2de732b3e8
          Log: Fix JENKINS-12690 issue by pulling in gerrit-events version with support for AES encryption passphrase

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Robert Sandell
          Path: pom.xml
          http://jenkins-ci.org/commit/gerrit-trigger-plugin/7cf61197362a7d7a75b74b231480d740203ab823
          Log: Merge pull request #250 from jenkinsci/fix-aes-passphrase-issue-jenkins-12690

          Fix JENKINS-12690 issue with AES passphrase encryption of keys

          Compare: https://github.com/jenkinsci/gerrit-trigger-plugin/compare/8e425a49da5f...7cf61197362a

          Sam Van Oort added a comment -

          Released in 2.15.1


            svanoort Sam Van Oort
            sleekweasel Tim Baverstock