  1. Jenkins
  2. JENKINS-65224

SSH key gets incorrect permissions to be used with "native" ssh on Windows


Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None

    Description

      When trying to use the bundled port of OpenSSH that now ships with Windows together with a private SSH key provided by the SSH Credentials plugin, you get this error:

      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com pwd
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions for 'C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      Load key "C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY": bad permissions
      ****@host.domain.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

       

      If file permissions are adjusted like this:

      C:\workspace\test>Icacls **** /c /t /Inheritance:d 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Grant ****:F 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com "ls -la /var/ci/ws/" 
      total 1488
      drwx------. 5 **** **** 73 Mar 11 06:38 .
      drwxr-xr-x. 3 **** **** 16 Aug 26 2019 ..
      drwxrwxr-x. 3 **** **** 26 Oct 23 2019 caches
      drwxrwxr-x. 4 **** **** 34 Aug 26 2019 remoting
      -rw-rw-r--. 1 **** **** 1506923 Mar 11 06:38 remoting.jar
      drwxrwxr-x. 164 **** **** 12288 Mar 22 15:15 workspace
      C:\workspace\test>exit 0 
      Finished: SUCCESS
      

      it works just fine, including clean-up of the secret key file when the build is done.

      (Solution/workaround from https://superuser.com/questions/1309447/how-to-secure-ssh-private-key-on-windows-10)

       


        Activity

          jvz Matt Sicker added a comment -

          Hopefully this can be done via the Java NIO API here (probably the AclFileAttributeView); if not, there's some code that can be reused to execute icacls if needed.

          jvz Matt Sicker added a comment -

          What other plugins are you using here? The SSH Credentials plugin only integrates with JSch and Trilead, neither of which use the native SSH.


          njesper Jesper Andersson added a comment -

          Not sure what other plugins might be involved here. The log excerpts above are from an "Execute Windows batch command" step in a simple freestyle job, where the SSH credentials are provided by the "Credentials Binding Plugin".

          I'm not sure which plugin is responsible for transferring/creating the key-file on a node; perhaps this bug should be on the credentials-binding instead?

          markewaite Mark Waite added a comment - - edited

          njesper yes, that's a topic for credentials binding plugin rather than for the ssh-credentials plugin.

          In case it helps, refer to https://github.com/jenkinsci/git-client-plugin/blob/8238ee8a350553ef974fe9207cf814b0d36c2232/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java#L2236 for code that configures git client plugin ssh key file permissions on Windows. I can't promise it is 100% correct, but it works for me.


          njesper Jesper Andersson added a comment -

          Thanks markewaite!

          I've updated the component field now.
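
The comments above suggest fixing the key file's permissions through Java NIO's AclFileAttributeView instead of shelling out to icacls. A sketch of that approach follows as an added example; it is not code from Jenkins or any of its plugins, the class and method names are hypothetical, and it assumes the file's owner is the account that will run ssh.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

// Hypothetical helper, not part of any Jenkins plugin.
public class RestrictKeyFileAcl {

    /** Replace the file's ACL with a single ALLOW entry for its owner. */
    static void restrictToOwner(Path keyFile) throws IOException {
        AclFileAttributeView view =
                Files.getFileAttributeView(keyFile, AclFileAttributeView.class);
        if (view == null) {
            // No ACL view on this file system (typical on Linux): use mode 0600.
            // Throws UnsupportedOperationException if POSIX is unsupported too.
            Files.setPosixFilePermissions(keyFile,
                    PosixFilePermissions.fromString("rw-------"));
            return;
        }
        // Assumption: the owner is the account that will invoke ssh.
        AclEntry ownerOnly = AclEntry.newBuilder()
                .setType(AclEntryType.ALLOW)
                .setPrincipal(view.getOwner())
                .setPermissions(EnumSet.allOf(AclEntryPermission.class))
                .build();
        // setAcl replaces the existing list rather than appending to it.
        view.setAcl(Collections.singletonList(ownerOnly));
    }

    /** Read the permissions back and confirm nobody but the owner is listed. */
    static boolean isOwnerOnly(Path keyFile) throws IOException {
        AclFileAttributeView view =
                Files.getFileAttributeView(keyFile, AclFileAttributeView.class);
        if (view == null) {
            return Files.getPosixFilePermissions(keyFile).stream()
                    .allMatch(p -> p.name().startsWith("OWNER_"));
        }
        UserPrincipal owner = view.getOwner();
        return view.getAcl().stream().allMatch(e -> e.principal().equals(owner));
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the key file written under secretFiles.
        Path key = Files.createTempFile("ssh-key-", ".tmp");
        try {
            restrictToOwner(key);
            System.out.println("owner-only: " + isOwnerOnly(key));
        } finally {
            Files.delete(key);
        }
    }
}
```

Running the read-back check before handing the path to ssh turns a silent "bad permissions" rejection into a failure the build step can report directly.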

          People

            Unassigned Unassigned
            njesper Jesper Andersson
            Votes: 5
            Watchers: 9
