JENKINS-29255

Use of RSA private key yields error: Permissions 0644 for '/…/secretFiles/…/blah.id_rsa' are too open


    Description

      I am trying to store an RSA private key in Jenkins, and reference it using the Credentials Binding plugin.
      I was able to upload the RSA private key as a Secret File, bound to a "domain".
      (The "domain" is just some arbitrary text label).
      This is the only way it appeared in the dropdown list in my project: when I selected 'Use secret text(s) or file(s)', then under Bindings selected 'Secret text', it showed up in the dropdown list.
      So then I selected it, bound it to an env var, and attempted to use it in my project.
      I got this error:

      + rsync -auvz -e 'ssh -i /var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa -p 12345' test_file someone@somewhere.net:/home/someuser/test_dir
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions 0644 for '/var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      bad permissions: ignore key: /var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa

          Activity

            mcsf M Chon added a comment -

            Related issue,
            If in my project I select 'Use secret text(s) or file(s)', then under Bindings select 'Secret text', then click on the 'Add' button, enter all the info, and click on 'Save', it doesn't save anything.
            Should I file a separate bug for this, and if so, would it go under the Credentials Binding plugin or the Credentials plugin?

            mcsf M Chon added a comment -

            Related issue, if I enter the SSH key under the 'Manage Credentials' area of Jenkins, NOT bound to any "domain", I cannot find a way to reference it inside my project. Am I missing something?

            jglick Jesse Glick added a comment -

            mcsf your first problem would be a separate issue in this component. Not sure offhand what is going wrong; check if it is reproducible in a clean environment.

            jglick Jesse Glick added a comment -

            mcsf your second problem is JENKINS-28399, that currently there is no support for private key credentials, only generic secret files. A fix of that issue would make this issue much less important (though still valid since there may be other programs which require a restrictive mode).

            The workaround for this issue is presumably to chmod go-r $SECRET_FILE in your shell script before trying to use it.

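The workaround Jesse Glick gives above (tighten the bound file's mode in the shell step before ssh reads it), as an added shell example; this is not code from the issue or from the credentials-binding plugin. It mirrors ssh's own acceptance test, which rejects a key whose mode has any group or other bits set (mode & 077), so it strips the write and execute bits as well as the read bit that chmod go-r removes. The key file and its contents are constructed placeholders, and file_mode, key_is_too_open and harden_secret_file are names chosen here, not plugin or Jenkins names.

```shell
#!/bin/sh
# Added example for JENKINS-29255 (not from the issue or the plugin): check and
# fix the mode of a secret file before handing it to ssh as an identity file.
set -e

# file_mode PATH: print the octal permission bits (e.g. 644).
# GNU stat and BSD stat take different flags, so try GNU first.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# key_is_too_open PATH: succeed (exit 0) when group or other have any access.
# This is the same test ssh applies, (st_mode & 077) != 0, and is exactly
# what produces "Permissions 0644 for '...' are too open".
key_is_too_open() {
    mode=$(file_mode "$1")
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# harden_secret_file PATH: apply the workaround from the issue. chmod go-r is
# what the comment suggests; go-rwx also clears write/execute, since ssh
# rejects those bits too. Verify afterwards and fail loudly if still open.
harden_secret_file() {
    chmod go-rwx "$1"
    if key_is_too_open "$1"; then
        echo "still too open after chmod: $1" >&2
        return 1
    fi
    return 0
}

# demo: a constructed stand-in for a bound secret file written with mode 0644,
# which is the state the bug report describes. Prints "644 -> 600".
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PLACEHOLDER KEY-----' \
                  'constructed sample, not a real key' \
                  '-----END PLACEHOLDER KEY-----' > "$tmp"
    chmod 644 "$tmp"
    before=$(file_mode "$tmp")
    harden_secret_file "$tmp"
    after=$(file_mode "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}

demo
```

In a Jenkins shell step the path is whatever the binding exported, so the call becomes harden_secret_file "$SECRET_FILE" on the line before the rsync/ssh invocation. Once the FileBinding fix recorded further down this issue restricts the file at binding time, key_is_too_open reports false and the chmod is a harmless no-op, so the guard can stay in place across plugin versions.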
            mcsf M Chon added a comment -

            Thanks. Should I file a new bug for the issue in my first comment?

            jglick Jesse Glick added a comment -

            mcsf with steps to reproduce from scratch please.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/ab732d5eed991cc28fcaf12dace52d22eed58fa9
            Log:
            Merge pull request #1 from Lohandus/master

            [FIXED JENKINS-29255] Restricting secret file visibility to avoid "WARNING: UNPROTECTED PRIVATE KEY FILE!" when using as ssh key

            Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/9fffdfa088ea...ab732d5eed99

            mcsf M Chon added a comment -

            I went to reproduce the issue today (mentioned in my first comment), and could not reproduce it. Now it is storing the secret text.
            Maybe because I downloaded the most recent plugin versions:

            credential-binding-plugin 1.5
            Workflow: Step API 1.9
            Plain Credentials Plugin 1.1

            So, not able to file a separate bug.


            People

              Assignee: Unassigned
              Reporter: mcsf M Chon
              Votes: 0
              Watchers: 3