
With ssh-agent 1.9, local builds fail with "Unable to create OpenSSL PBDKF"

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Jenkins 1.640 running on docker from onesysadmin/jenkins-docker-executors
      All plugins up to date

      When running a local build (on the master), the build fails to load the ssh-agent:

      Started by an SCM change
      Building in workspace /var/jenkins_home/workspace/production - client (prod3)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent]   Java/JNR ssh-agent
      [ssh-agent] Started.
      [ssh-agent] Using credentials git (Bitbucket checkout)
      [ssh-agent] Unable to read key: Unable to create OpenSSL PBDKF: PBKDF-OpenSSL SecretKeyFactory not available
      org.bouncycastle.openssl.PEMException: Unable to create OpenSSL PBDKF: PBKDF-OpenSSL SecretKeyFactory not available
      	at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
      	at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
      	at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
      	at org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder$1$1.decrypt(Unknown Source)
      	at org.bouncycastle.openssl.PEMEncryptedKeyPair.decryptKeyPair(Unknown Source)
      	at com.cloudbees.jenkins.plugins.sshagent.jna.JNRRemoteAgent.addIdentity(JNRRemoteAgent.java:98)
      	at com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper$SSHAgentEnvironment.add(SSHAgentBuildWrapper.java:388)
      	at com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper.preCheckout(SSHAgentBuildWrapper.java:227)
      	at jenkins.scm.SCMCheckoutStrategy.preCheckout(SCMCheckoutStrategy.java:76)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:528)
      	at hudson.model.Run.execute(Run.java:1738)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:98)
      	at hudson.model.Executor.run(Executor.java:410)
      Caused by: java.security.NoSuchAlgorithmException: PBKDF-OpenSSL SecretKeyFactory not available
      	at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:121)
      	at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:159)
      	at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createSecretKeyFactory(Unknown Source)
      	... 14 more
      [ssh-agent] Using credentials deploy (Deployment key to work with Minion Master)
      

      Then the build looks like it's continuing normally, but the ssh key was not actually loaded and as a result the build fails:

      + ssh -o StrictHostKeyChecking=no deploy@xxx.xxx.xxx some command
      Permission denied (publickey).
      + ...
      + exit 5
      + exit 5
      Build step 'Execute shell' marked build as failure
      [ssh-agent] Stopped.
      

      Running the same job on a slave works fine:

      Started by user Oded Arbel
      Building remotely on trusty (i-5827fe82) (trusty docker) in workspace /srv/build/workspace/production - client (prod3)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent]   Java/JNR ssh-agent
      [ssh-agent] Started.
      [ssh-agent] Using credentials git (Bitbucket checkout)
      [ssh-agent] Using credentials deploy (Deployment key to work with Minion Master)
      

      Downgrading the ssh-agent plugin to version 1.8 worked around the problem. After downgrade:

      Started by user Oded Arbel
      Building in workspace /var/jenkins_home/workspace/production - client (prodhk)
      [ssh-agent] Using credentials git (Bitbucket checkout)
      [ssh-agent] Using credentials deploy (Deployment key to work with Minion Master)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent]   Java/JNR ssh-agent
      [ssh-agent] Started.
      

      Also see here: https://www.botbot.me/freenode/jenkins/2015-12-16/?msg=56268453&page=4

          [JENKINS-32120] With ssh-agent 1.9, local builds fail with "Unable to create OpenSSL PBDKF"

          Arnaud Héritier added a comment -

          aik099, take care that the upgrade of Jenkins core >= 1.648 upgrades the Bouncy Castle library, which fixes this issue, BUT as mentioned by stephenconnolly in JENKINS-30110 it may/will create incompatibilities with all plugins that may directly use Bouncy Castle and the recent APIs they broke (again).
          Various Jenkins developers are trying to identify all impacted plugins and to propose a fix which may be better in the long term.

          bfhzog6i added a comment -

          I've asked the DevOps team to do the upgrade, and what they did was download the RPM package by hand and install it. Now I can confirm that the issue (with ssh-agent) is indeed solved for me as well.

          Thanks.


          Antonio Muñiz added a comment -

          So, can this be closed?

          bfhzog6i added a comment -

          Not happening for me. Not sure if it was fixed for other people participating in the discussion.


          John-Paul Drawneek added a comment -

          I get this issue with Java 8 but not with Java 7 with 1.651.2 LTS

          Riccardo Russo added a comment - - edited

          Me too, still having this issue.

          [Pipeline] sshagent
          [ssh-agent] Using credentials prova
          [ssh-agent] Looking for ssh-agent implementation...
          [ssh-agent]   Java/JNR ssh-agent
          [ssh-agent] Unable to read key: Unable to create OpenSSL PBDKF: PBKDF-OpenSSL SecretKeyFactory not available
          org.bouncycastle.openssl.PEMException: Unable to create OpenSSL PBDKF: PBKDF-OpenSSL SecretKeyFactory not available
          	at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
          

          org.jenkins-ci.main:jenkins-war:2.9
          bouncycastle-api 1.648
          SSH Agent Plugin 1.11
          SSH Credentials Plugin 1.12
          Running on slave


          Alvaro Lobato added a comment -

          The problems are related to Bouncy Castle version conflicts; the solution is to use the Bouncy Castle API plugin to do all the Bouncy Castle related stuff. See Bouncy Castle API Plugin.

          Some of the problems are related to BC not being correctly registered on build agents; I've submitted a PR hopefully fixing those cases: PR-14

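          A way to check, in a given master or agent JVM, the two conditions named in the comment above (BC not registered, or a Bouncy Castle version conflict). This is an added example, not code from the ssh-agent plugin or from this issue; the class name `BcProviderCheck` is hypothetical, and the algorithm name is the one from the stack trace.

```java
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;

/** Added diagnostic: reports why "PBKDF-OpenSSL" cannot be resolved in this JVM. */
public class BcProviderCheck {
    // Algorithm name taken from the stack trace in this issue.
    static final String ALGORITHM = "PBKDF-OpenSSL";
    // Standard BC provider class, loaded reflectively so this compiles without BC.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** True if any registered JCA provider offers the SecretKeyFactory. */
    static boolean factoryAvailable() {
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance(ALGORITHM);
            System.out.println(ALGORITHM + " served by: " + f.getProvider());
            return true;
        } catch (NoSuchAlgorithmException e) {
            System.out.println(ALGORITHM + " not available: " + e.getMessage());
            return false;
        }
    }

    /** Location of the BC classes visible to this class loader, or null if absent. */
    static String bcLocation() {
        try {
            CodeSource src = Class.forName(BC_CLASS).getProtectionDomain().getCodeSource();
            return src == null ? "(unknown)" : String.valueOf(src.getLocation());
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Provider bc = Security.getProvider("BC"); // JVM-wide provider registry
        String loc = bcLocation();
        System.out.println("BC registered: " + (bc != null ? bc.getInfo() : "no"));
        System.out.println("BC classes loaded from: " + (loc != null ? loc : "none found"));
        boolean ok = factoryAvailable();
        if (!ok && bc == null && loc != null) {
            System.out.println("Diagnosis: BC jar present, provider never registered in this JVM.");
        } else if (!ok && bc != null) {
            System.out.println("Diagnosis: registered BC lacks " + ALGORITHM + " (consistent with a version conflict).");
        } else if (!ok) {
            System.out.println("Diagnosis: no Bouncy Castle visible to this class loader.");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

          The provider registry is per JVM, so a master that passes says nothing about an agent; run the check in the same JVM where the build fails.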

          Riccardo Russo added a comment -

          Thanks!

          Because I'm really a newbie: does this mean that it will be possible to download a new release from the Update Center in Jenkins?

          Alvaro Lobato added a comment -

          This means that the code for the fix has been submitted. It has to be reviewed, and after that a release can be cut so you have it available on the Update Center.


          Alvaro Lobato added a comment -

          Released ssh-agent-1.12


            alobato Alvaro Lobato
            guss77 Oded Arbel
            Votes: 16
            Watchers: 27