[JENKINS-22346] CLI commands with private key for nonexistent user fail with EOFException from DataInputStream.readBoolean - Jenkins Jira

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: cli
Labels:
- cli
- regression
- user

Similar Issues:

Show

Description

This started with 1.556.

root@recipe-test-centos-64-x86-64 ~]# java -jar /tmp/kitchen/cache/jenkins-cli.jar -s http://recipe-test-centos-64-x86-64.vagrantup.com:8080 -i /tmp/kitchen/cache/jenkins-key help
Exception in thread "main" java.io.EOFException
	at java.io.DataInputStream.readBoolean(DataInputStream.java:244)
	at hudson.cli.Connection.readBoolean(Connection.java:94)
	at hudson.cli.CLI.authenticate(CLI.java:553)
	at hudson.cli.CLI._main(CLI.java:464)
	at hudson.cli.CLI.main(CLI.java:382)

Attachments

Issue Links

is blocking

JENKINS-20064 Cannot use CLI or URL with API token with Active Directory as the access control security realm

Resolved

is related to

JENKINS-44020 non-github accounts can't be used via jenkins-cli or REST APIs

Resolved

relates to

JENKINS-41745 Remoting-free CLI

Resolved

Activity

Ascending order - Click to sort in descending order

View 25 older comments

Simon KP added a comment - 2015-06-16 02:49

1.617 here as well and I still have the issue that causes authentication to fail when a key is used but authentication is disabled.

Simon KP added a comment - 2015-06-16 02:49 1.617 here as well and I still have the issue that causes authentication to fail when a key is used but authentication is disabled.

Daniel Beck added a comment - 2015-06-16 12:29

Is anyone experiencing this issue despite setting the hudson.model.User.allowNonExistentUserToLogin system property?

Daniel Beck added a comment - 2015-06-16 12:29 Is anyone experiencing this issue despite setting the hudson.model.User.allowNonExistentUserToLogin system property?

Jonathon Golden added a comment - 2015-06-16 16:35

danielbeck,

Starting Jenkins with that property I can pass the private key successfully if security is turned off but the user with the corresponding public key still exists at /var/lib/jenkins/users. With security is turned off, if I pass the key and that user does not exist I just get an auth failure. I'm assuming this is the expected behavior but it would be helpful if there was a way to pass the key every time and just proceed anonymously if there is no need for the key yet. The use case I'm interested in this for is when managing the Jenkins instances with Puppet. This behavior creates a major chicken and egg dilemma. There is a workaround described here: https://forge.puppetlabs.com/rtyler/jenkins but is is not very desirable. Given that I can at least seed the user with a config file managed with puppet and using the java arg you suggested I have a better workaround now. It would be nice, however, if instead it behaved the way I described above.

Jonathon Golden added a comment - 2015-06-16 16:35 danielbeck , Starting Jenkins with that property I can pass the private key successfully if security is turned off but the user with the corresponding public key still exists at /var/lib/jenkins/users. With security is turned off, if I pass the key and that user does not exist I just get an auth failure. I'm assuming this is the expected behavior but it would be helpful if there was a way to pass the key every time and just proceed anonymously if there is no need for the key yet. The use case I'm interested in this for is when managing the Jenkins instances with Puppet. This behavior creates a major chicken and egg dilemma. There is a workaround described here: https://forge.puppetlabs.com/rtyler/jenkins but is is not very desirable. Given that I can at least seed the user with a config file managed with puppet and using the java arg you suggested I have a better workaround now. It would be nice, however, if instead it behaved the way I described above.

Antek Baranski added a comment - 2015-07-09 20:18

Actually what I've found is that as long as the non-AD user has an email address associated with a user on the AD everything will work... very weird.

Antek Baranski added a comment - 2015-07-09 20:18 Actually what I've found is that as long as the non-AD user has an email address associated with a user on the AD everything will work... very weird.

Jesse Glick added a comment - 2017-03-10 22:13

Whatever was “fixed”, this exception is still thrown under some conditions.

As best I can make out, SshCliAuthenticator will write a boolean zero or more times. Typically once, I guess, but it is in a loop of some kind (cannot understand what it is looping over), and maybe zero if a CLI authentication failure is thrown. Then CliManagerImpl.authenticate runs every CliTransportAuthenticator in parallel (?!). Finally CLI.authenticate expects to read a boolean for every private key, and sometimes there is nothing to read so it throws this EOFException instead of explaining what is going on.

I think I can reproduce this when you have multiple private keys (say, both DSA and RSA) are not using -i, and none of them match.

Jesse Glick added a comment - 2017-03-10 22:13 Whatever was “fixed”, this exception is still thrown under some conditions. As best I can make out, SshCliAuthenticator will write a boolean zero or more times. Typically once, I guess, but it is in a loop of some kind (cannot understand what it is looping over), and maybe zero if a CLI authentication failure is thrown. Then CliManagerImpl.authenticate runs every CliTransportAuthenticator in parallel (?!). Finally CLI.authenticate expects to read a boolean for every private key, and sometimes there is nothing to read so it throws this EOFException instead of explaining what is going on. I think I can reproduce this when you have multiple private keys (say, both DSA and RSA) are not using -i , and none of them match.

Jenkins

CLI commands with private key for nonexistent user fail with EOFException from DataInputStream.readBoolean

Details

Description

Attachments

Issue Links

Activity

People

Dates