[JENKINS-22909] git plugin does not support username/password over ssh

    • Improvement
    • Resolution: Won't Do
    • Major
    • git-client-plugin
    • None

      We are trying to connect to a Git repository via SSH (not GitHub) using username/password (we're not using keys) and we're getting the following error:

      Failed to connect to repository : Command "git ls-remote -h ssh://account@repository/path/toApplication HEAD" returned status code 128:
      stdout:
      stderr: Permission denied, please try again.
      Permission denied, please try again.
      Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
      fatal: Could not read from remote repository.

      Please make sure you have the correct access rights
      and the repository exists.
      ------------------

      If we use the anonymous access or change the access type from SSH to HTTPS, it works fine, but we should be able to use the SSH with user/password without having to add the public/private keys.

      Jenkins ver. 1.532.1
      Git Client Plugin 1.6.4
      Git Plugin 2.0.4
      • How are you running Jenkins?
      We are running Jenkins as a service in RHEL
      • Have you specified additional parameters for the Java VM (Heapspace etc.)?
      No
      • Did you just install the deb or rpm?
      We used the RPM jenkins-1.532.1-1.1.noarch.rpm
      • With which Java VM (Oracle, IBM etc.)?
      java version "1.7.0_45"
      Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
      Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
      • On which operating system? 32- or 64-bit?
      Linux version 2.6.32-358.23.2.el6.x86_64 (mockbuild@ca-build44.us.oracle.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) )


          Aleyda Galaviz created issue -

          Mark Waite added a comment -

          Embedding the user name and password in the URL directly will expose your user name and password in the job definition and may expose it in the job log. If you enter a credential with that same user name and password, you can then reference that credential without having the user name or the password visible in the job definition or in the console log from the build.

          I agree that the plugin should also accept the user name and password embedded in the URL, but it does not currently. The workaround of entering the user name and password as a credential is workable, and is more secure.

          Mark Waite made changes -
          Component/s New: git-client [ 17423 ]
          Component/s Original: git [ 15543 ]
          Mark Waite made changes -
          Link New: This issue is related to JENKINS-22855 [ JENKINS-22855 ]
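
Added example, not part of the issue or the plugin's code: a scan for the exposure described in the comment above, passwords embedded in remote URLs inside job definitions or console logs. The sample XML is constructed; the host, user, password and credential id in it are placeholders, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# URL-style remotes only; scp-style "user@host:path" has no password field.
URL_RE = re.compile(r"\b(?:ssh|https?|git)://[^\s\"'<>]+")

# Constructed sample: two remote entries as they might appear in a job's config.xml.
SAMPLE = """\
<hudson.plugins.git.UserRemoteConfig>
  <url>ssh://builduser:S3cr3t-example@git.example.test/srv/git/app.git</url>
</hudson.plugins.git.UserRemoteConfig>
<hudson.plugins.git.UserRemoteConfig>
  <url>ssh://builduser@git.example.test/srv/git/app.git</url>
  <credentialsId>constructed-credential-id</credentialsId>
</hudson.plugins.git.UserRemoteConfig>
"""

def redact_url(url):
    """Return (url_with_password_masked, had_password); the user name is kept."""
    parts = urlsplit(url)
    if parts.password is None:
        return url, False
    host = parts.hostname or ""
    if parts.port is not None:
        host += f":{parts.port}"
    netloc = f"{parts.username}:****@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True

def scan(text):
    """Mask every embedded password in text; return (clean_text, findings)."""
    findings = []

    def mask(match):
        redacted, had_password = redact_url(match.group(0))
        if had_password:
            findings.append(redacted)
        return redacted

    return URL_RE.sub(mask, text), findings

if __name__ == "__main__":
    clean, hits = scan(SAMPLE)
    print("remotes with an embedded password:", hits)
```

The second remote in the sample, which carries only a user name and a credential reference, passes through unchanged.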

          Mark Waite added a comment - - edited

          The more I look at this report, the less confident I am that I understand what is requested.

          I'm able to clone with a username / password credential without using public / private keys with the following steps:

          1. Configure a global username / password credential (through "Manage Credentials") with appropriate user name and password (no public key, no private key)
          2. Create a new freestyle job - JENKINS-22909-username-password-credentials
          3. Use git as the SCM for the job
          4. Use an ssh URL for the repository. I used ssh://mwaite@mark-pc1.markwaite.net/var/lib/git/mwaite/bin.git
          5. Use the previously defined username / password credential as the credential for that ssh URL
          6. Run the job, confirm it succeeds

          I suspect that my clone succeeds through an accident in that case. The accident is that my jenkins user is likely allowed to access that repository as user mwaite through ssh by default. When I run in a "clean" environment, username/password authentication fails for an ssh protocol URL unless I also use a private key.

          Are there more steps you're taking to show the problem?

          Have you used a more recent git client plugin and a more recent git plugin?

          Mark Waite made changes -
          Resolution New: Cannot Reproduce [ 5 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Mark Waite made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]

          Sabareesh SS added a comment -

          I am also following the same steps. I tried my best. My build failed and ended up with

          "Failed to connect to repository : Command "C:\Program Files\Git\bin\git.exe -c core.askpass=true ls-remote -h ssh://git@localhost:7999/jen/jensh_empty.git HEAD" returned status code 128:
          stdout:
          stderr: Permission denied (publickey).
          fatal: Could not read from remote repository.

          Please make sure you have the correct access rights
          and the repository exists."

          Please help.

          How can I fix this issue?

          Sabareesh SS added a comment -

          The issue is reproduced n number of times.

          Sabareesh SS made changes -
          Assignee Original: Nicolas De Loof [ ndeloof ]
          Resolution Original: Cannot Reproduce [ 5 ]
          Status Original: Closed [ 6 ] New: Reopened [ 4 ]
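
Added example, not part of the issue or the plugin's code: OpenSSH's final `Permission denied (...)` line lists the authentication methods the server would still accept, so the two stderr blocks quoted in this issue can be told apart mechanically. The stderr text is copied from the two reports above; the function names are illustrative.

```python
import re

# Final line of a failed OpenSSH login: the methods the server would still accept.
FINAL_RE = re.compile(r"Permission denied \(([^)]+)\)\.")
# Printed each time the client re-prompts after a rejected password.
RETRY_RE = re.compile(r"Permission denied, please try again\.")

# stderr from the original report (RHEL) and from the later comment (Windows).
REPORT_1 = """stderr: Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository."""

REPORT_2 = """stderr: Permission denied (publickey).
fatal: Could not read from remote repository."""

def diagnose(stderr):
    """Extract what the server offered and how often a password was retried."""
    match = FINAL_RE.search(stderr)
    methods = match.group(1).split(",") if match else []
    return {
        "server_methods": methods,
        "password_offered": "password" in methods,
        "password_retries": len(RETRY_RE.findall(stderr)),
    }

def advice(stderr):
    """Turn the diagnosis into a one-line next step."""
    result = diagnose(stderr)
    if not result["server_methods"]:
        return "not an SSH authentication failure"
    if not result["password_offered"]:
        return "server accepts keys only; use an SSH private key credential"
    return "server offers password auth; the password was rejected or never supplied"

if __name__ == "__main__":
    for name, text in (("report 1", REPORT_1), ("report 2", REPORT_2)):
        print(name, diagnose(text), "->", advice(text))
```

For the second report the server lists `publickey` only, so a username/password credential cannot succeed against that server regardless of how the plugin passes it.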
