
ED25519 shows the error This doesn't look like a private key at all

      I have been trying to spin up MAC2 EC2 AMI using the Jenkins EC2 plugin which has a hard requirement to have the ssh key type as ED25519.

      We were able to create the machines directly with the ED25519 key type and were able to create a base AMI out of that.

      But when I configure the ED25519 key in Jenkins and try to use that as an
      EC2 Key Pair's Private Key, it comes with the below error:
       

      This doesn't look like a private key at all

       

      Apr 05, 2023 9:26:39 AM WARNING hudson.plugins.ec2.EC2Cloud getNewOrExistingAvailableSlave
      SlaveTemplate{description='builder', labels='builder'}. Exception during provisioning
      java.io.IOException: unrecognised object: OPENSSH PRIVATE KEY

       

      The key is with,

      -----BEGIN OPENSSH PRIVATE KEY-----
      -----END OPENSSH PRIVATE KEY----- 
      

      Any idea how to solve this?

      Searched through existing bugs reported, but none provide a valid solution for the same.

          [JENKINS-70992] ED25519 shows the error This doesn't look like a private key at all

          Matthew Webber added a comment - - edited

          Does the private key work for other Agents (i.e. is it specific to MACs), or not?

          Our private key (for Linux Agents) starts with -----BEGIN RSA PRIVATE KEY----- if that helps.


          basil boon added a comment - - edited

          mwebber  Thanks for the quick update.

          When we do it with an RSA key it works well and we are able to spin up Linux instances.

          This use case specifically requires a key type of ED25519 to be in place.

          We create the key using boto3

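          import logging

          import boto3


          def create_keypair(project, keyname, ec2_client, KeyType):
              logging.info(f"Creating key pair {keyname}")
              key = ec2_client.create_key_pair(KeyName=keyname, KeyType=KeyType)
              # The response carries the private key in 'KeyMaterial'; log only the
              # non-secret fields instead of printing the whole response.
              logging.info(f"Created {key['KeyName']} (fingerprint {key['KeyFingerprint']})")
              # put_params is the poster's own helper; its definition is not shown here.
              put_params(
                  value=key['KeyMaterial'],
                  type='SecureString',
                  description=f'jenkins {project} private key'
              )


          def private_key_management(region, project):
              ec2_client = boto3.client('ec2', region_name=region)
              keyname = f"{project}-builder-key-ed25519"
              KeyType = 'ed25519'
              create_keypair(project, keyname, ec2_client, KeyType)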
          

           

          as per this : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html

          For ED25519 key pairs, the key fingerprint is the base64-encoded SHA-256 digest, which is the default for OpenSSH, starting with OpenSSH 6.8.

           

          https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2/client/create_key_pair.html

          If we create using this the ED25519 key comes with,

          -----BEGIN OPENSSH PRIVATE KEY-----
          -----END OPENSSH PRIVATE KEY-----

           


          Geordie Rogers added a comment -

          I haven't attempted to reproduce this error (mainly because I don't want to have to pay the minimum licensing fee). I did have a look through the source code, however, and found that support for OPENSSH key formats was added a couple of years ago in c64692f:

          while ((line = br.readLine()) != null) {
              if (line.equals("-----BEGIN RSA PRIVATE KEY-----") ||
                      line.equals("-----BEGIN OPENSSH PRIVATE KEY-----"))
                  hasStart = true;
              if (line.equals("-----END RSA PRIVATE KEY-----") ||
                      line.equals("-----END OPENSSH PRIVATE KEY-----"))
                  hasEnd = true;
          }
          if (!hasStart)
              return FormValidation.error("This doesn't look like a private key at all");
          if (!hasEnd)
              return FormValidation
                      .error("The private key is missing the trailing 'END RSA PRIVATE KEY' marker. Copy&paste error?");
          return FormValidation.ok();

          This looks like the only place that "This doesn't look like a private key at all" appears within the source code.

          It does look like some changes have been made to the constructor of EC2Cloud by vlatombe in 05cc875 2 weeks ago.

          Sorry I can't be any more help than that. vlatombe any chance you have a better idea?

          basil boon added a comment -

          It's working well. It was actually the way the key was updated. When I did it manually it worked.

          Thanks for looking into this.

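The validation loop quoted in the thread accepts a marker only when it is an entire line, so a key whose line breaks were lost or altered while being stored or pasted fails it even though the marker text is present. The following is an added example, not code from the plugin or from any commenter: a pre-flight check that mirrors that loop, reports why a key fails without printing it, and rebuilds the line structure. The function names, the sample key body and the 70-column wrap width are assumptions made for illustration.

```python
import re
# Markers accepted by the validation loop quoted in the thread.
BEGIN_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----",
                 "-----BEGIN OPENSSH PRIVATE KEY-----")
END_MARKERS = ("-----END RSA PRIVATE KEY-----",
               "-----END OPENSSH PRIVATE KEY-----")
LINE_BREAK = re.compile(r"\r\n|\r|\n")  # terminators BufferedReader.readLine() splits on
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def line_exact_check(key_text):
    """Mirror the quoted loop: a marker counts only when it is the whole line."""
    lines = LINE_BREAK.split(key_text)
    if not any(line in BEGIN_MARKERS for line in lines):
        return "This doesn't look like a private key at all"
    if not any(line in END_MARKERS for line in lines):
        return "missing END marker"
    return "ok"

def diagnose(key_text):
    """List why the check fails, without echoing any key material."""
    reasons = set()
    if "\\n" in key_text:
        reasons.add("literal backslash-n instead of line breaks")
    for line in LINE_BREAK.split(key_text):
        for marker in BEGIN_MARKERS + END_MARKERS:
            if marker in line and line != marker:
                reasons.add("whitespace around a marker" if line.strip() == marker
                            else "marker shares its line with other text")
    return sorted(reasons)

def rebuild_pem(key_text, width=70):
    """Put markers back on their own lines and re-wrap the base64 body."""
    match = PEM_BLOCK.search(key_text)
    if match is None:
        raise ValueError("no matching BEGIN/END marker pair found")
    label, body = match.group(1), re.sub(r"\\n|\s+", "", match.group(2))
    rows = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])

# Constructed placeholder body: NOT real key material.
BODY = "Q09OU1RSVUNURUQtU0FNUExF" * 8
GOOD = rebuild_pem(f"-----BEGIN OPENSSH PRIVATE KEY-----{BODY}-----END OPENSSH PRIVATE KEY-----")
FLATTENED = GOOD.strip().replace("\n", " ")   # line breaks turned into spaces
ESCAPED = GOOD.strip().replace("\n", "\\n")   # line breaks stored as literal \n
PADDED = GOOD.replace("KEY-----\n", "KEY----- \n", 1)  # trailing space after BEGIN
if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("flattened", FLATTENED),
                         ("escaped", ESCAPED), ("padded", PADDED)]:
        print(name, "->", line_exact_check(sample), diagnose(sample))
```

Running `diagnose` on the value read back from wherever the key is stored shows whether the stored copy still has its line structure before it is pasted into the Jenkins credential field.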

            thoulen FABRIZIO MANFREDI
            bazzi basil boon