
Presence of ECDSA SSH keys breaks SSH credentials plugin

      1. Create an ECDSA SSH key pair (ssh-keygen -t ecdsa) for the user that runs Jenkins.
      2. Put the public key (~/.ssh/id_ecdsa.pub) into the appropriate authorized_keys file on a build slave.
      3. You are now able to connect to the build slave using public key authentication with the ECDSA key.

      Now run Jenkins under that account. Make sure that you update the SSH credentials plugin to 1.8. Configure the build slave. Choose "From the Jenkins master ~/.ssh" as your credentials to use the ECDSA key.

      When Jenkins tries to connect to the build slave, it fails with the exception "Caused by: java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing".

      This exception comes from the trilead-ssh2 library https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/crypto/PEMDecoder.java which has no ECDSA support built in yet.

      Interestingly, version 1.8 of the SSH credentials plugin was released just for the support of ECDSA keys.

      Looking at the changes for 1.8 https://github.com/jenkinsci/ssh-credentials-plugin/commit/93e61a2cb9da782bdfefd8ce1375c1b2fd592cc0, it appears that nothing but the list enumeration of the key types and the version number was changed.

      Possible workarounds are downgrading to 1.7.1 or deleting the ECDSA keys.

      Please revert the changes made in version 1.8 until trilead-ssh2 supports ECDSA keys.
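The failure mode the report describes, modelled as an added example (this is illustration code, not code from Jenkins, the ssh-credentials plugin or trilead-ssh2). It models a strict PEM decoder that, like the trilead-ssh2 PEMDecoder of the time, only recognises RSA and DSA armor and raises the same IOException text for anything else, and the master-side key enumeration that feeds it candidate files one after another. The candidate file names and their order, the two supported labels, and the key contents (placeholder armor with a fake body) are assumptions; scan_ssh_dir can be pointed at a real ~/.ssh on a master to see which files the decoder will choke on.

```python
"""Model of the ECDSA key-enumeration failure in JENKINS-24273.

Added illustration; not code from Jenkins, ssh-credentials-plugin or
trilead-ssh2. Key material below is constructed placeholder armor only.
"""
import os
import re
import tempfile

# Assumption: the PEM labels the old decoder understood were exactly these two.
SUPPORTED_PEM_TYPES = ("RSA PRIVATE KEY", "DSA PRIVATE KEY")

# Assumption: files tried by "From the Jenkins master ~/.ssh", in this order
# (the issue says 1.8 added id_ecdsa to the list).
CANDIDATE_FILES = ("id_rsa", "id_dsa", "id_ecdsa")

_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+?)-----$")


def pem_type(key_text):
    """Return the label of the first '-----BEGIN ...-----' line, or None."""
    for line in key_text.splitlines():
        m = _BEGIN.match(line.strip())
        if m:
            return m.group(1)
    return None


def strict_decode(key_text):
    """Strict decoder: accept RSA/DSA armor, raise on anything else.

    'EC PRIVATE KEY' (ssh-keygen -t ecdsa of that era) and
    'OPENSSH PRIVATE KEY' (newer OpenSSH default) both end up here with the
    same message the issue's log shows, even though the file is well formed.
    """
    label = pem_type(key_text)
    if label not in SUPPORTED_PEM_TYPES:
        raise IOError("Invalid PEM structure, '-----BEGIN...' missing")
    return label


def try_keys(key_files, server_accepts, skip_unsupported=False):
    """Try each (name, text) in order, like the launcher's publickey loop.

    server_accepts(name) stands in for the slave's authorized_keys.
    skip_unsupported=False: the first unparseable key raises and the whole
    launch fails (the behaviour in the report's log).
    skip_unsupported=True: unparseable keys are recorded and skipped, which
    is what the "delete the ECDSA key" workaround achieves by hand.
    Returns (accepted_name_or_None, list_of_error_strings).
    """
    errors = []
    for name, text in key_files:
        try:
            strict_decode(text)
        except IOError as e:
            if not skip_unsupported:
                raise
            errors.append("%s: %s" % (name, e))
            continue
        if server_accepts(name):
            return name, errors
        errors.append("%s: server rejected key" % name)
    return None, errors


def scan_ssh_dir(ssh_dir):
    """Return [(name, text)] for the candidate files present, in order."""
    found = []
    for name in CANDIDATE_FILES:
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            with open(path) as f:
                found.append((name, f.read()))
    return found


def _fake_key(label):
    # Constructed placeholder: only the armor lines matter to the decoder model.
    return "-----BEGIN %s-----\nAAAA\n-----END %s-----\n" % (label, label)


def demo():
    """Constructed ~/.ssh: an RSA key plus an ECDSA key; as in the report,
    only the ECDSA key is authorised on the slave."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "id_rsa"), "w") as f:
            f.write(_fake_key("RSA PRIVATE KEY"))
        with open(os.path.join(d, "id_ecdsa"), "w") as f:
            f.write(_fake_key("EC PRIVATE KEY"))
        keys = scan_ssh_dir(d)
        accepts = lambda name: name == "id_ecdsa"
        try:
            try_keys(keys, accepts)
            fail_fast = "launched"
        except IOError as e:
            fail_fast = "launch failed: %s" % e
        tolerant = try_keys(keys, accepts, skip_unsupported=True)
        return fail_fast, tolerant


if __name__ == "__main__":
    print(demo())
```

Both modes end without a session: the fail-fast loop dies on the first EC key with the report's exception, and the tolerant loop merely records it and runs out of keys. Skipping unknown key types only helps when some other key in the list is the authorised one; a key the decoder cannot parse can never authenticate, so the real fix is ECDSA support in the decoder itself.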


          Daniel Beck added a comment -

          Given the presence of an obvious and easy workaround without loss of other functionality, adjusting priority.


          Stephen Connolly added a comment -

          Do you have the unrestricted JCA policy in your master's JVM?

          Most ECDSA keys are too long to run without the unrestricted policy.

          Stephen Connolly added a comment -

          The support for ECDSA keys is in MINA SSH 0.12.0 and works with the ssh-agent plugin, IIRC from my testing of it.

          Hendrik Halkow added a comment (edited) -

          Yes, I do have the unrestricted JCA policy in the master's JVM.
          I am running the latest LTS version 1.565.1 on Java 8 update 11. Same happens with the latest Jenkins version, 1.575.
          On the command line, my ECDSA keys work fine.
          Below is my slave connection log.

          Have a look at the exception and the link I posted above.

          ERROR: Failed to authenticate as build-tcc with credential=872d37c9-0500-4097-ad35-9fbbdb50edbd
          java.io.IOException: Publickey authentication failed.
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:315)
          at com.trilead.ssh2.Connection.authenticateWithPublicKey(Connection.java:467)
          at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.doAuthenticate(TrileadSSHPublicKeyAuthenticator.java:106)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:408)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:428)
          at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1138)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:648)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:642)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
          Caused by: java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
          at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
          at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:224)
          ... 11 more
          [08/14/14 21:14:16] [SSH] Authentication failed.
          hudson.AbortException: Authentication failed.
          at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1143)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:648)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:642)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
          [08/14/14 21:14:16] [SSH] Connection closed.
          [08/14/14 21:14:16] Launch failed - cleaning up connection


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/TrileadSSHPublicKeyAuthenticator.java
          http://jenkins-ci.org/commit/ssh-credentials-plugin/a5fb4045c3e50d651e32593a789310d01a31648a
          Log:
          [FIXED JENKINS-24273] Trilead SSH throws IOE when passed an unknown keytype

          Hendrik Halkow added a comment -

          This didn't solve the problem and I still can't connect to any SSH slave when ECDSA keys are present. Even with the SSH agent plugin installed I don't see any difference.

          I suggest that we release version 1.10 by reverting the code to 1.7 and only release ECDSA updates when they are really implemented.

          This is the slave connection log:

          [09/11/14 18:01:36] [SSH] Opening SSH connection to xxxxxxxxxxxxxx:22.
          ERROR: Server rejected the 1 private key(s) for xxxxxx (credentialId:101b6fd0-3bb9-xxxx-xxxx-c5dbb6f7d966/method:publickey)
          ERROR: Server rejected the 2 private key(s) for xxxxxx (credentialId:101b6fd0-3bb9-xxxx-xxxx-c5dbb6f7d966/method:publickey)
          ERROR: Failed to authenticate as xxxxxx with credential=101b6fd0-xxxx-xxxx-8e7d-c5dbb6f7d966
          java.io.IOException: Publickey authentication failed.
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:315)
          at com.trilead.ssh2.Connection.authenticateWithPublicKey(Connection.java:467)
          at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.doAuthenticate(TrileadSSHPublicKeyAuthenticator.java:109)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:408)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:428)
          at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1138)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:648)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:642)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
          Caused by: java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
          at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
          at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:224)
          ... 11 more
          ERROR: Failed to authenticate as xxxxxx with credential=101b6fd0-xxxx-xxxx-8e7d-c5dbb6f7d966
          java.io.IOException: Publickey authentication failed.
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:315)
          at com.trilead.ssh2.Connection.authenticateWithPublicKey(Connection.java:467)
          at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.doAuthenticate(TrileadSSHPublicKeyAuthenticator.java:109)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:408)
          at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:428)
          at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1138)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:648)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:642)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
          Caused by: java.io.IOException: Sorry, this connection is closed.
          at com.trilead.ssh2.transport.TransportManager.sendMessage(TransportManager.java:647)
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:283)
          ... 11 more
          Caused by: java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing
          at com.trilead.ssh2.crypto.PEMDecoder.parsePEM(PEMDecoder.java:138)
          at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:313)
          at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:224)
          ... 11 more
          [09/11/14 18:01:47] [SSH] Authentication failed.
          hudson.AbortException: Authentication failed.
          at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1143)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:648)
          at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:642)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
          [09/11/14 18:01:47] [SSH] Connection closed.
          [09/11/14 18:01:47] Launch failed - cleaning up connection


          Stephen Connolly added a comment -

          I claim that the latest releases of the ssh-slaves plugin have support for ECDSA keys, e.g. https://github.com/jenkinsci/trilead-ssh2/blob/d4d9e3aa0557b1ff761a6cb372b661065d0a24f2/src/com/trilead/ssh2/signature/ECDSAKeyAlgorithm.java, and as such (hopefully) this issue is now resolved.

          Please re-open if I am incorrect.

            Assignee: Stephen Connolly
            Reporter: Hendrik Halkow