  1. Jenkins
  2. JENKINS-65224

SSH key gets incorrect permissions to be used with "native" ssh on Windows


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Labels:
      None

      Description

      When trying to use the bundled port of OpenSSH that now ships with Windows together with a private SSH key provided by the SSH Credentials plugin, you get this error:

      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com pwd
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions for 'C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      Load key "C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY": bad permissions
      ****@host.domain.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

       

      If file permissions are adjusted like this:

      C:\workspace\test>Icacls **** /c /t /Inheritance:d 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Grant ****:F 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com "ls -la /var/ci/ws/" 
      total 1488
      drwx------. 5 **** **** 73 Mar 11 06:38 .
      drwxr-xr-x. 3 **** **** 16 Aug 26 2019 ..
      drwxrwxr-x. 3 **** **** 26 Oct 23 2019 caches
      drwxrwxr-x. 4 **** **** 34 Aug 26 2019 remoting
      -rw-rw-r--. 1 **** **** 1506923 Mar 11 06:38 remoting.jar
      drwxrwxr-x. 164 **** **** 12288 Mar 22 15:15 workspace
      C:\workspace\test>exit 0 
      Finished: SUCCESS
      

      it works just fine, including clean-up of the secret key file when the build is done.

      (Solution/workaround from https://superuser.com/questions/1309447/how-to-secure-ssh-private-key-on-windows-10)

       

          Activity

          jvz Matt Sicker added a comment -

          Hopefully this can be done via the Java NIO API here (probably the AclFileAttributeView); if not, there's some code that can be reused to execute icacls if needed.
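
The AclFileAttributeView approach mentioned in the comment above, as an added example (not code from Jenkins or any of its plugins). The class and method names are hypothetical, and the sketch assumes the file owner is the account that will run ssh.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.EnumSet;
import java.util.List;

// Hypothetical helper, not part of any Jenkins plugin.
public class PrivateKeyAcl {

    /** Leave the file's owner as the only principal named in its access list. */
    static void restrictToOwner(Path key) throws IOException {
        AclFileAttributeView acl = Files.getFileAttributeView(key, AclFileAttributeView.class);
        if (acl == null) {
            // No ACL view on this file system (e.g. Linux): fall back to mode 0600.
            Files.setPosixFilePermissions(key, PosixFilePermissions.fromString("rw-------"));
            return;
        }
        UserPrincipal owner = acl.getOwner(); // assumption: owner == account running ssh
        AclEntry ownerOnly = AclEntry.newBuilder()
                .setType(AclEntryType.ALLOW)
                .setPrincipal(owner)
                // Full control, like "icacls <file> /Grant <user>:F"
                .setPermissions(EnumSet.allOf(AclEntryPermission.class))
                .build();
        // setAcl replaces the existing list, so no other principal stays listed.
        acl.setAcl(List.of(ownerOnly));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty temp file standing in for the key file.
        Path key = Files.createTempFile("ssh-key-", ".tmp");
        try {
            restrictToOwner(key);
            AclFileAttributeView acl = Files.getFileAttributeView(key, AclFileAttributeView.class);
            if (acl != null) {
                for (AclEntry e : acl.getAcl()) System.out.println(e); // inspect the result
            } else {
                System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(key)));
            }
        } finally {
            Files.deleteIfExists(key);
        }
    }
}
```

Printing the resulting entries after the call is the quickest way to confirm on a given agent that only the owner remains before handing the file to ssh.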

          jvz Matt Sicker added a comment -

          What other plugins are you using here? The SSH Credentials plugin only integrates with JSch and Trilead, neither of which use the native SSH.

          njesper Jesper Andersson added a comment -

          Not sure what other plugins might be involved here. The log excerpts above are from an "Execute Windows batch command" step in a simple freestyle job, where the SSH credentials are provided by the "Credentials Binding Plugin".

          I'm not sure which plugin is responsible for transferring/creating the key-file on a node; perhaps this bug should be on the credentials-binding instead?

          markewaite Mark Waite added a comment - - edited

          Jesper Andersson yes, that's a topic for credentials binding plugin rather than for the ssh-credentials plugin.

          In case it helps, refer to https://github.com/jenkinsci/git-client-plugin/blob/8238ee8a350553ef974fe9207cf814b0d36c2232/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java#L2236 for code that configures git client plugin ssh key file permissions on Windows. I can't promise it is 100% correct, but it works for me.

          njesper Jesper Andersson added a comment -

          Thanks Mark Waite!

          I've updated the component field now.


            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            njesper Jesper Andersson
            Votes:
            1
            Watchers:
            4
