
"invalid format" error when pasting SSH private key without armor

    • Bug
    • Resolution: Unresolved
    • Minor
    • ssh-credentials-plugin
    • None
    • Jenkins 2.289.2 with SSH Credentials 1.19 and Git plugin 4.10.1.

      Pasting a private SSH key in the Jenkins credentials page, and omitting the delimiting comment lines such as ----- BEGIN OPENSSH PRIVATE KEY -----, causes the key to not work, with an error message such as:

      Failed to connect to repository : Command "git ls-remote -h -- ssh://user:@host:port/project HEAD" returned status code 128:[...]
      Load key "/tmp/jenkins-gitclient-ssh14352756356499154328.key": invalid format
      user@host: Permission denied (publickey).
      fatal: Could not read from remote repository.
      Please make sure you have the correct access rights
      and the repository exists.
      

      After repasting the private key with both the top and bottom delimiting lines ----- BEGIN OPENSSH PRIVATE KEY -----, the error vanishes.

      I'd expect it to work without these lines, which are comments, AFAIK.  If they are somehow necessary, then the tool should fail early, at the time the user inputs the key text.

          [JENKINS-67534] "invalid format" error when pasting SSH private key without armor

          Mark Waite added a comment -

          As far as I understand RFC-4716, the first line of a conforming key file must have the begin and end markers. I don't see the same mandatory requirement for other private key types, but I believe that is due to my weak search skills.


          M C added a comment -

          Interesting; I wasn't aware that valid keys were described that way. They do not seem to explicitly mention this holds for private keys, but I don't see why it wouldn't. If we are to stick to RFC-4716 to determine if a key is valid, then the validation should run at input time to provide early feedback to a user.


          Mark Waite added a comment -

          apteryx3 I agree that it would be better to validate input for early feedback to the user. It would also be preferred if the git plugin would detect the "invalid format" error message and recommend specific corrections from the user.


            jvz Matt Sicker
            apteryx3 M C
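
One way to give the early feedback discussed in the comments above, as an added example (not code from the SSH Credentials or Git plugins): a structural check on pasted key text that reports missing BEGIN/END lines at input time, before the key is ever written to a temporary file for ssh. The function names and messages are hypothetical, the sample key body is constructed filler rather than a real key, and the check covers structure only, not whether the key parses or is accepted by a server.

```python
import base64
import binascii
import re

# PEM-style armor lines; OpenSSH writes them as "-----BEGIN OPENSSH PRIVATE KEY-----".
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]*PRIVATE KEY)-----$")
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # leading bytes of a decoded OpenSSH key body


def check_pasted_key(text):
    """Return None if the pasted text is structurally plausible, else an error string."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return "No key text was entered."
    begin, end = ARMOR.match(lines[0]), ARMOR.match(lines[-1])
    if not begin or begin.group(1) != "BEGIN":
        return "Missing first line '-----BEGIN ... PRIVATE KEY-----'; paste the whole key file."
    if not end or end.group(1) != "END":
        return "Missing last line '-----END ... PRIVATE KEY-----'; paste the whole key file."
    if begin.group(2) != end.group(2):
        return "BEGIN and END lines name different key types."
    # Legacy PEM keys may carry "Name: value" headers (e.g. Proc-Type) before the body.
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "Key body between the BEGIN and END lines is not valid base64."
    if not raw:
        return "Key body between the BEGIN and END lines is empty."
    if begin.group(2) == "OPENSSH PRIVATE KEY" and not raw.startswith(OPENSSH_MAGIC):
        return "Key body does not start with the OpenSSH key header."
    return None


def constructed_sample():
    # Constructed, non-functional body: the magic bytes plus filler, not a real key.
    body = base64.b64encode(OPENSSH_MAGIC + bytes(range(64))).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    sample = constructed_sample()
    bare = "\n".join(sample.splitlines()[1:-1])  # the paste described in this issue
    print(check_pasted_key(sample))
    print(check_pasted_key(bare))
```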