It seems that the Jenkins CLI is not able to use SSH agents, which limits the use of the tool considerably, being a serious security risk.

          [JENKINS-45320] Add support for SSH agents

          Sorin Sbarnea created issue -

          Daniel Beck added a comment -

          Desirable, but if you have an ssh-agent, you can always use the SSH-based CLI with regular SSH clients.
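          The approach suggested in the comment above, as an added example that is not part of the original thread or Jenkins' own code: discover the SSH CLI port from the `X-SSH-Endpoint` response header and run a CLI command with a stock OpenSSH client, so the key never leaves `ssh-agent`. It assumes the Jenkins SSH server port is enabled and the user's public key is registered in their Jenkins profile; the host name, user name and sample headers are constructed.

```shell
#!/bin/sh
# Added example; host, user and header values are constructed placeholders.

# Read HTTP response headers on stdin, print "host port" from X-SSH-Endpoint.
# Exit status is 1 when the header is missing or malformed.
parse_ssh_endpoint() {
    tr -d '\r' | awk '
        tolower($0) ~ /^x-ssh-endpoint:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")   # keep only the value
            if ($0 ~ /^[^ ]+:[0-9]+$/) {
                port = $0; sub(/^.*:/, "", port)
                host = $0; sub(/:[0-9]+$/, "", host)
                print host, port
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# True only if an agent is reachable and holds at least one key
# (ssh-add -l exits 1 with no identities, 2 when no agent can be contacted).
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}

# Usage: jenkins_cli https://jenkins.example.org alice help
jenkins_cli() {
    url=$1 user=$2; shift 2
    agent_ready || { echo "no key loaded in ssh-agent; run ssh-add first" >&2; return 2; }
    endpoint=$(curl -sL -D - -o /dev/null "$url/login" | parse_ssh_endpoint) ||
        { echo "no X-SSH-Endpoint header; is the SSH server port enabled?" >&2; return 3; }
    host=${endpoint% *} port=${endpoint##* }
    # -a: do not forward the agent to the server; the agent only signs locally.
    # BatchMode=yes: fail instead of falling back to an interactive prompt.
    ssh -a -o BatchMode=yes -o PreferredAuthentications=publickey \
        -l "$user" -p "$port" "$host" "$@"
}

# Constructed sample of response headers, parsed offline.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nX-Jenkins: 2.73\r\nX-SSH-Endpoint: jenkins.example.org:53801\r\n')
printf '%s\n' "$SAMPLE_HEADERS" | parse_ssh_endpoint
```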

          Daniel Beck made changes -
          Issue Type Original: Bug [ 1 ] New: New Feature [ 2 ]
          Labels New: security ssh-agent
          Summary Original: jenkins cli is not able to use ssh agents New: Add support for SSH agents

          Sorin Sbarnea added a comment -

          danielbeck, that's what I was aiming to do, as I find the SSH client approach a zillion times nicer than downloading and running a jar on the client... which reminds me of websites asking me to download Flash (or another plugin).

          Now the problem is that even with SSH I was not able to get it working yet. Somehow the connection starts but I get no reply from Jenkins. After some time the connection is dropped server-side:

          Aug 22, 2017 8:13:51 PM hudson.init.impl.InstallUncaughtExceptionHandler$1 reportException
          WARNING: null
          java.io.IOException: HTTP full-duplex channel timeout: c66ea617-6e99-4411-9535-534435ac15ee
              at jenkins.util.FullDuplexHttpService.download(FullDuplexHttpService.java:104)
              at jenkins.util.FullDuplexHttpService$Response.generateResponse(FullDuplexHttpService.java:171)

          No other feedback at all, making it quite hard to guess what is causing this behavior.

          Daniel Beck made changes -
          Comment [ I think the UUID indicates there should be messages corresponding to the ID c66ea617-6e99-4411-9535-534435ac15ee in the Jenkins log on the master. ]

          Jesse Glick added a comment -

          ssbarnea that exception is like JENKINS-43666 but this makes no sense since that code is only used from the HTTP-based client. Irrelevant if you are using native SSH to connect.

          Oleg Nenashev made changes -
          Component/s New: core [ 15593 ]

          Manuel Jordan added a comment -

          Hello

          Even when "SSH-based CLI with regular SSH clients" is possible, according to the current documentation of Jenkins, the "jar" approach has more features available than the other. So it would be very nice if the "phrase" could be written just once through the `ssh-agent add` and "java -jar" executed many times without re-writing the phrase each time.

          Jesse Glick added a comment -

          This should probably be closed as not something we care to fix. WebSocket transport is preferred going forward.


          Manuel Jordan added a comment -

          Is there an official link indicating that WebSocket is better than SSH (about security) and including some instructions to learn that approach?


            Unassigned
            Sorin Sbarnea (ssbarnea)
            Votes: 4
            Watchers: 8
