SSH key gets incorrect permissions to be used with "native" ssh on Windows

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor

      When trying to use the bundled port of OpenSSH that now ships with Windows together with a private SSH key provided by the SSH Credentials plugin, you get this error:

      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com pwd
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions for 'C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      Load key "C:\\workspace\\test@tmp\\secretFiles\\1756ff19-9738-4c58-89c0-84ca8b0d81dc\\ssh-key-A_KEY": bad permissions
      ****@host.domain.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).


      If file permissions are adjusted like this:

      C:\workspace\test>Icacls **** /c /t /Inheritance:d 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Grant ****:F 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>Icacls **** /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users 
      processed file: ****
      Successfully processed 1 files; Failed processing 0 files
      C:\workspace\test>ssh -o StrictHostKeyChecking=no -i **** ****@host.domain.com "ls -la /var/ci/ws/" 
      total 1488
      drwx------. 5 **** **** 73 Mar 11 06:38 .
      drwxr-xr-x. 3 **** **** 16 Aug 26 2019 ..
      drwxrwxr-x. 3 **** **** 26 Oct 23 2019 caches
      drwxrwxr-x. 4 **** **** 34 Aug 26 2019 remoting
      -rw-rw-r--. 1 **** **** 1506923 Mar 11 06:38 remoting.jar
      drwxrwxr-x. 164 **** **** 12288 Mar 22 15:15 workspace
      C:\workspace\test>exit 0 
      Finished: SUCCESS

      it works just fine, including clean-up of the secret key file when the build is done.

      (Solution/workaround from https://superuser.com/questions/1309447/how-to-secure-ssh-private-key-on-windows-10)


          Matt Sicker added a comment -

          Hopefully this can be done via the Java NIO API here (probably the AclFileAttributeView); if not, there's some code that can be reused to execute icacls if needed.


          Matt Sicker added a comment -

          What other plugins are you using here? The SSH Credentials plugin only integrates with JSch and Trilead, neither of which use the native SSH.


          Jesper Andersson added a comment -

          Not sure what other plugins might be involved here. The log excerpts above are from an "Execute Windows batch command" step in a simple freestyle job, where the SSH credentials are provided by the "Credentials Binding Plugin".

          I'm not sure which plugin is responsible for transferring/creating the key-file on a node; perhaps this bug should be on the credentials-binding instead?

          Mark Waite added a comment - edited

          njesper yes, that's a topic for credentials binding plugin rather than for the ssh-credentials plugin.

          In case it helps, refer to https://github.com/jenkinsci/git-client-plugin/blob/8238ee8a350553ef974fe9207cf814b0d36c2232/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java#L2236 for code that configures git client plugin ssh key file permissions on Windows. I can't promise it is 100% correct, but it works for me.

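One way to do what the comments above point at, tightening the temporary key file's ACL from Java NIO (AclFileAttributeView) instead of shelling out to icacls. This is an added example, not code from the SSH Credentials, Credentials Binding or git-client plugins; the SshKeyAcl class, its method names and the chosen permission set are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.UserPrincipal;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/** Lock a temporary private-key file down to its owner before handing it to native ssh on Windows. */
public final class SshKeyAcl {
    // Assumed minimal rights: read the key and its attributes/ACL, and delete it at build clean-up.
    private static final Set<AclEntryPermission> OWNER_ONLY = EnumSet.of(
            AclEntryPermission.READ_DATA, AclEntryPermission.READ_ATTRIBUTES,
            AclEntryPermission.READ_NAMED_ATTRS, AclEntryPermission.READ_ACL,
            AclEntryPermission.DELETE, AclEntryPermission.SYNCHRONIZE);

    private static AclFileAttributeView aclView(Path keyFile) throws IOException {
        AclFileAttributeView view = Files.getFileAttributeView(keyFile, AclFileAttributeView.class);
        if (view == null) {
            throw new IOException("No ACL support for " + keyFile + " (not an NTFS volume?)");
        }
        return view;
    }

    /** Replace the whole DACL (inherited Users/Authenticated Users entries included) with one owner ACE. */
    static void restrictToOwner(Path keyFile) throws IOException {
        AclFileAttributeView view = aclView(keyFile);
        AclEntry ownerOnly = AclEntry.newBuilder()
                .setType(AclEntryType.ALLOW)
                .setPrincipal(view.getOwner())
                .setPermissions(OWNER_ONLY)
                .build();
        view.setAcl(Collections.singletonList(ownerOnly));
    }

    /** Stricter than ssh's own check: true only when every ACE on the file names the owner. */
    static boolean isOwnerOnly(Path keyFile) throws IOException {
        AclFileAttributeView view = aclView(keyFile);
        UserPrincipal owner = view.getOwner();
        for (AclEntry entry : view.getAcl()) {
            if (!entry.principal().equals(owner)) return false;
        }
        return true;
    }
}
```

Call restrictToOwner on the key path right after the binding writes it and isOwnerOnly as a guard before invoking ssh; confirm the result with icacls on a real agent, as the workaround in the description does.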

          Jesper Andersson added a comment -

          Thanks markewaite!

          I've updated the component field now.

          Ken Rachynski added a comment -

          Okay, this bug is very idle and I'm running across it today while trying to set up private keys for my job process to use to check out further git repositories on its own (not in the pipeline). While SSH doesn't give an error about bad permissions, it does deny access to the credential file. Under Windows, the requirements for permissions on SSH keys have gotten tighter in the past three years.

          I'd really like to be able to use my permanent windows agents for all potential jobs, not just the ones that don't need to manage their own SSH keys.


          Ken Rachynski added a comment -

          Ah, nm me. My issue was actually slash/backslash on Windows.


            Assignee: Unassigned
            Reporter: Jesper Andersson (njesper)
            Votes: 6
            Watchers: 11
