
Jenkins Docker Desktop git ssh temporary credentials file bad permissions

    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • Windows 10 + Docker Desktop
      jenkins/jenkins docker image

      Hi,

      I have the following error message when trying to access my GitLab server via SSH from my Jenkins:

       

      stdout: 
      stderr: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions 0555 for '/var/jenkins_home/caches/git-0aa16db65c903d3ced737f801b217112@tmp/jenkins-gitclient-ssh2425211278542515051.key' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      Load key "/var/jenkins_home/caches/git-0aa16db65c903d3ced737f801b217112@tmp/jenkins-gitclient-ssh2425211278542515051.key": bad permissions
      Permission denied (publickey).
      fatal: Could not read from remote repository.
      
      

      My environment is the following:

      Host System: Windows 10

      Docker Desktop 2.1.0 with Linux based containers

      Jenkins Docker Container: jenkins/jenkins and jenkins/jenkins:lts

       

      I've a similar setup running with a Linux for Docker and there isn't the same problem.

      For testing purposes I've installed the latest beta version (3.0.0-beta10) of the "git client plugin" as suggested in the comment of https://issues.jenkins-ci.org/browse/JENKINS-53933. But this didn't solve the problem.

      I'm not sure if the credentials-binding-plugin is the right component for this.

      It seems that other people have the same problem, e.g. the comment at the bottom of https://wiki.jenkins.io/display/JENKINS/SSH+Credentials+Plugin .

          [JENKINS-58845] Jenkins Docker Desktop git ssh temporary credentials file bad permissions

          Jerry King added a comment -

          For anyone who runs into this same issue, there is an okay workaround.

          The problem seems to be that, when the GitHub SSH Jenkins plugin creates the SSH key file on the Jenkins container, it does not properly set the permissions to the file.

          What you can do instead is just set global SSH key settings for the Jenkins container. Obviously take careful consideration over whether or not you want to do this - but if it's something that works for your Jenkins instance, it's as simple as three steps:

          1. SSH into your Jenkins container (`docker exec -it <CONTAINER_ID> /bin/bash`)
          2. Create and/or copy a valid SSH key file to the container
          3. Modify the ~/etc/ssh/ssh_config file and uncomment or add a line `IdentityFile ~/<PATH>/<TO>/<SSH_KEY_FILE>` (e.g. `IdentityFile ~/.ssh/id_rsa`)

          If you do this, then you don't actually need credentials configured in individual Jenkins jobs at all as it will be configured at the global level.

          Do note though, changes to the ssh_config file will not persist across volumes, so the better way to do this would be to do it during the container startup.
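
The comment's suggestion to do this at container startup, as an added example that is not part of the issue or of any Jenkins plugin: it installs a key with owner-only permissions and then re-checks the mode, since ssh ignores any key that is still group- or world-accessible. The function names and the paths passed in are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.
# Assumes GNU stat, as shipped in Debian-based images.

# Succeed only if no group/other permission bit is set on the file:
# the condition behind ssh's "Permissions 0555 ... are too open".
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]   # leading 0: read the mode as octal
}

# Copy a key into a private directory, restrict it to the owner and add
# an IdentityFile line for it to the given ssh config file.
install_identity() {
    src=$1 ssh_dir=$2 config=$3
    dest="$ssh_dir/$(basename "$src")"
    ( umask 077 && mkdir -p "$ssh_dir" && cp "$src" "$dest" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$dest" || return 1
    # Verify instead of trusting chmod: some mounted filesystems do not
    # honour mode changes, and ssh would then still ignore the key.
    if ! key_mode_ok "$dest"; then
        echo "key still too open: $dest ($(stat -c '%a' "$dest"))" >&2
        return 1
    fi
    # Idempotent: append the line only if it is not already present.
    grep -qsxF "IdentityFile $dest" "$config" ||
        printf 'IdentityFile %s\n' "$dest" >> "$config"
}

# Usage at container startup: install_identity <key> <ssh_dir> <config>
if [ "$#" -eq 3 ]; then
    install_identity "$@"
fi
```

A non-zero exit from `install_identity` at startup means the key location cannot hold restrictive permissions and a different path should be used.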


            Unassigned
            cobba Fabian Kopatschek
            Votes: 1
            Watchers: 2