Bug
Resolution: Unresolved
Major
None
I have upgraded to ssh-credentials version 1.14 which fixes SECURITY-440 / CVE-2018-1000601.
After upgrading from version 1.13, no job could authenticate to GitHub, since the credentials were using a "private key file on master".
According to the announcement:
> Existing SSH credentials of these kinds are migrated to "directly entered" SSH credentials.
This seems not to work for me. I do not see `SECURITY-440: Migrating FileOnMasterPrivateKeySource to DirectEntryPrivateKeySource` message in the logs and the "private key" input box of the credentials is just empty.
- is duplicated by:
  - JENKINS-55971 SSH Host key matches, Authentication failed, Slaves failed to reconnect (In Review)
  - JENKINS-54746 Can't connect via SSH on 1.29.1 (Closed)
- is related to:
  - JENKINS-54746 Can't connect via SSH on 1.29.1 (Closed)
After the new tickets were opened, I retried reproducing the case with the new information.
The migration of the credentials keys was meant to be done after InitMilestone.JOB_LOADED is triggered, from credentials, in SystemCredentialsProvider.forceLoadDuringStartup(). At this point the running user should be SYSTEM. I discovered that the migration could be triggered before that, when the credentials are stored in a folder, or when they are used in the configuration of an agent (like ssh-agents). But at this point, both migrations were done using SYSTEM in my case and so successfully passed the permission check on RUN_SCRIPTS that was added especially for the security patch.
So now, to go further, I need to have the logs from people that encountered the issues. Especially if they can reproduce the case, perhaps they could provide more information about all the plugins, the log file, the config file of their Jenkins, or anything else that could be useful (be careful not to upload credentials in plain text). What are you using as AuthorizationStrategy?
My hypothesis is that something forces the current running user to be anonymous instead of SYSTEM during the startup/migration (even temporarily) and calls the credentials while loading.
"Call for witnesses"
=> People from this: jenkey, jnz_topdanmark, stuartwhelan
=> People from JENKINS-54746: fbaeuerle, dpogue, pjaytycy, tom_ghyselinck, cdlee, mrozekma, bluehorn, k8wbkxwgtenhgnghfm9t, jrudolph, aarondmarasco_vsi, sintbert
=> People from JENKINS-55971: sgjenkins
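To illustrate the ordering and permission dependency discussed in the comment above, here is an added sketch (not code from the ssh-credentials plugin or from this thread) of a startup migration that runs explicitly as SYSTEM instead of relying on whichever authentication happens to be active during initialization, and that logs loudly when the RUN_SCRIPTS gate rejects it. `MigrationHook`, `migrateAsSystem`, `migrateFileOnMasterKeys` and `LOGGER` are assumed names; the Jenkins core APIs used (`@Initializer`, `InitMilestone`, `ACL.as`, `Jenkins.RUN_SCRIPTS`) exist in Jenkins 2.x of that period.

```java
package example; // hypothetical package name

import hudson.init.InitMilestone;
import hudson.init.Initializer;
import hudson.security.ACL;
import hudson.security.ACLContext;
import jenkins.model.Jenkins;
import org.acegisecurity.AccessDeniedException;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Hypothetical startup hook (assumed, not the plugin's code). It makes the
 * two conditions from the comment above explicit: the migration runs only
 * after JOB_LOADED, and it is wrapped in ACL.as(ACL.SYSTEM) so the
 * RUN_SCRIPTS check cannot fail merely because the thread carries an
 * anonymous authentication at that moment.
 */
public class MigrationHook {
    private static final Logger LOGGER = Logger.getLogger(MigrationHook.class.getName());

    @Initializer(after = InitMilestone.JOB_LOADED)
    public static void migrateAsSystem() {
        // Record the ambient authentication first: if this reads "anonymous"
        // during startup, that is the condition hypothesized in the comment.
        LOGGER.log(Level.FINE, "Authentication before migration: {0}",
                Jenkins.getAuthentication().getName());
        try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
            // Same kind of permission gate as the security fix; SYSTEM passes it.
            Jenkins.getInstance().checkPermission(Jenkins.RUN_SCRIPTS);
            migrateFileOnMasterKeys();
        } catch (AccessDeniedException e) {
            // Fail loudly rather than silently leaving an empty private key field.
            LOGGER.log(Level.WARNING, "Key migration skipped: permission check failed", e);
        }
    }

    private static void migrateFileOnMasterKeys() {
        // Placeholder for reading the key file on the master and storing it as a
        // directly entered key; the plugin's actual logic is not reproduced here.
        LOGGER.info("SECURITY-440: Migrating FileOnMasterPrivateKeySource to DirectEntryPrivateKeySource");
    }
}
```

The FINE-level line is the one to look for in the logs the comment asks for: it shows which authentication was active when the migration ran, which the migration marker message alone does not reveal.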