Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-45651

X-SSH-Endpoint is not provided on top page when 401/403 are returned

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Not A Defect
    • core, ldap-plugin, ssh-plugin
    • None
    • Jenkins 2.60.1 on RedHat Enterprise Linux 5

    Description

      Quite contrary to what is written on https://wiki.jenkins.io/display/JENKINS/Jenkins+SSH, X-SSH-Endpoint header is not provided on the top page when the response is 403.

      $ curl -I http://localhost:8440/jenkins/
      HTTP/1.1 403 Forbidden
      Date: Wed, 19 Jul 2017 13:43:33 GMT
      X-Content-Type-Options: nosniff
      Set-Cookie: JSESSIONID.32f49371=15lrqwbgqu5jvm4xkf7ulfomu;Path=/jenkins;HttpOnly
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Content-Type: text/html;charset=UTF-8
      X-Hudson: 1.395
      X-Jenkins: 2.60.1
      X-Jenkins-Session: 567160ff
      X-Hudson-CLI-Port: 37318
      X-Jenkins-CLI-Port: 37318
      X-Jenkins-CLI2-Port: 37318
      X-You-Are-Authenticated-As: anonymous
      X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
      X-Required-Permission: hudson.model.Hudson.Read
      X-Permission-Implied-By: hudson.security.Permission.GenericRead
      X-Permission-Implied-By: hudson.model.Hudson.Administer
      Content-Length: 829
      Server: Jetty(9.2.z-SNAPSHOT)
      

      One needs to get response 200 (i.e. access login URL) to get the endpoint. Note that CLI ports ARE returned always, only SSH endpoint is missing.

      $ curl -I http://localhost:8440/jenkins/login
      HTTP/1.1 200 OK
      Date: Wed, 19 Jul 2017 13:43:41 GMT
      X-Content-Type-Options: nosniff
      Set-Cookie: JSESSIONID.32f49371=6balu16gxdidrwpc4t258io;Path=/jenkins;HttpOnly
      Expires: 0
      Cache-Control: no-cache,no-store,must-revalidate
      X-Hudson-Theme: default
      Content-Type: text/html;charset=UTF-8
      X-Hudson: 1.395
      X-Jenkins: 2.60.1
      X-Jenkins-Session: 567160ff
      X-Hudson-CLI-Port: 37318
      X-Jenkins-CLI-Port: 37318
      X-Jenkins-CLI2-Port: 37318
      X-Frame-Options: sameorigin
      X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlwNEtMd78Uf5V2p+hCgcHOazeDpoo9lKZL7YlqgzpuQeJvHfhMZ+fRCTCoIns/swiE5tG0WttqRL4z7tgA+xF8+KzKFuUtONhar+4kGDIhrJks+MuyePpEpzXplHtcB9OFUymfwTXrOBXExswjdGodqupyG9IBG1Xlx51oRHRXHEci3QgF1f/7+KfsZM3oCTOpyQxNasE5dki4nA33PvvAeZGHwxvdJ0nmLcbAVk8aSCzjuDbJZ+GnjJC+CsLR34AYWHNbxOo8rn9PCiIJid43UX/36HmYweWlUdRsnBfXtHL02/NV6OngWvWAowmFmVz9YzLj5+C4Q9QshZmvhbFwIDAQAB
      X-SSH-Endpoint: server:55999
      Content-Length: 7304
      Server: Jetty(9.2.z-SNAPSHOT)
      

      Attachments

        Issue Links

          Activity

            rst Ruben Stein added a comment -

            Hey Jayesh,

            in one of the older comments (Sorin Sbarnea - 2017-08-24 15:27 comment-311573) it is mentioned that the header was manually added via an nginx in front of jenkins. He mentions that after this the cli was able to connect properly.

            rst Ruben Stein added a comment - Hey Jayesh, in one of the older comments (Sorin Sbarnea - 2017-08-24 15:27 comment-311573 ) it is mentioned that the header was manually added via an nginx in front of jenkins. He mentions that after this the cli was able to connect properly.
            jj2007 Jayesh Jadhav added a comment -

            rst Can you please give me the link to the workaround you have mentioned , I am facing a similar issue .

            jj2007 Jayesh Jadhav added a comment - rst Can you please give me the link to the workaround you have mentioned , I am facing a similar issue .
            rst Ruben Stein added a comment - - edited

            When I updated one of our machines to 2.60.2 or 2.60.3 my puppet client's CLI authentication through SSH key does not work anymore.

            root@testmaster:/var/lib/jenkins# java -jar /usr/share/jenkins/jenkins-cli.jar -s https://testmaster:8443/login -i /etc/puppet/ssl_cli/testmaster-nonuser -ssh -user testmaster-nonuser help

            returns code 255 and:

            Sep 07, 2017 5:01:13 PM hudson.cli.SSHCLI sshConnection
            WARNING: No header 'X-SSH-Endpoint' returned by Jenkins

            Regarding  a workaround I read adding that header via reverse proxy config. What to do about this if there is no reverse proxy in place? Is this really fixed like this?

            Edit: I am using the matrix-auth plugin together with active-directory to authenticate against an AD server.

            rst Ruben Stein added a comment - - edited When I updated one of our machines to 2.60.2 or 2.60.3 my puppet client's CLI authentication through SSH key does not work anymore. root@testmaster:/var/lib/jenkins# java -jar /usr/share/jenkins/jenkins-cli.jar -s https://testmaster:8443/login -i /etc/puppet/ssl_cli/testmaster-nonuser -ssh -user testmaster-nonuser help returns code 255 and: Sep 07, 2017 5:01:13 PM hudson.cli.SSHCLI sshConnection WARNING: No header 'X-SSH-Endpoint' returned by Jenkins Regarding  a workaround I read adding that header via reverse proxy config. What to do about this if there is no reverse proxy in place? Is this really fixed like this? Edit: I am using the matrix-auth plugin together with active-directory to authenticate against an AD server.
            danielbeck Daniel Beck added a comment - - edited

            Weird, ci.jenkins.io also uses LDAP and returns 200 for /login (which could in theory be due to Overall/Read being granted, but local tests with internal user DB and without anon Overall/Read also return 200). Are you sure the reverse proxy isn't messing with that?

            danielbeck Daniel Beck added a comment - - edited Weird, ci.jenkins.io also uses LDAP and returns 200 for /login (which could in theory be due to Overall/Read being granted, but local tests with internal user DB and without anon Overall/Read also return 200). Are you sure the reverse proxy isn't messing with that?
            ssbarnea Sorin Sbarnea added a comment -

            We are talking here about the ldap-plugin not some esoteric one and TBH I am not even sure that getting a 401 response from `/login` page is wrong. In fact that even more HTTP compliant than returning a 200 answer. 

            Somehow I have the impression that's another bug that feels between the jenkins core and its plugin. Everyone agrees thats a bug but nobody agrees which code is to blame/fix: core, ldap-plugin or sshd-plugin? ... based on the status of the ticket one could even assume that is "Not A Defect".

            ssbarnea Sorin Sbarnea added a comment - We are talking here about the ldap-plugin not some esoteric one and TBH I am not even sure that getting a 401 response from `/login` page is wrong. In fact that even more HTTP compliant than returning a 200 answer.  Somehow I have the impression that's another bug that feels between the jenkins core and its plugin. Everyone agrees thats a bug but nobody agrees which code is to blame/fix: core, ldap-plugin or sshd-plugin? ... based on the status of the ticket one could even assume that is "Not A Defect".

            People

              Unassigned Unassigned
              raspy Krzysztof Malinowski
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: