Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-52232

Credentials not usable after upgrade to 1.14

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I have upgraded to ssh-credentials version 1.14 which fixes SECURITY-440 / CVE-2018-1000601.

      After upgrading from version 1.13, no job could authenticate to Github, since the credentials was using a "private key file on master".

      According to the announcment:

      > Existing SSH credentials of these kinds are migrated to "directly entered" SSH credentials.

      This seems not to work for me. I do not see `SECURITY-440: Migrating FileOnMasterPrivateKeySource to DirectEntryPrivateKeySource` message in the logs and the "private key" input box of the credentials is just empty.

        Attachments

          Issue Links

            Activity

            Hide
            mrozekma Michael Mrozek added a comment -

            This no longer happens for me, so I assumed it was found and fixed; I didn't do anything to try to fix it. You keep mentioning SYSTEM, so I guess I should point out that I was only seeing this on Linux nodes; the SSH private key used to login to them wasn't getting migrated correctly, so none of them would come up

            Show
            mrozekma Michael Mrozek added a comment - This no longer happens for me, so I assumed it was found and fixed; I didn't do anything to try to fix it. You keep mentioning SYSTEM, so I guess I should point out that I was only seeing this on Linux nodes; the SSH private key used to login to them wasn't getting migrated correctly, so none of them would come up
            Hide
            aarondmarasco_vsi Aaron D. Marasco added a comment - - edited

            Wadeck Follonier sorry I don't have much to contribute, as noted in the other ticket, I got it working and went on my merry way. As Nathan Neulinger noted above - my setup was pretty much the same. The Jenkins user on the Linux server had the ssh keys outside of Jenkins itself (in a standard Unix manner) and I had to manually copy them into the GUI.

             

            Edit: For some reason it stripped the link from "other ticket" to https://issues.jenkins-ci.org/browse/JENKINS-54746?focusedCommentId=357252

            Show
            aarondmarasco_vsi Aaron D. Marasco added a comment - - edited Wadeck Follonier sorry I don't have much to contribute, as noted in the other ticket, I got it working and went on my merry way. As Nathan Neulinger noted above - my setup was pretty much the same. The Jenkins user on the Linux server had the ssh keys outside of Jenkins itself (in a standard Unix manner) and I had to manually copy them into the GUI.   Edit: For some reason it stripped the link from "other ticket" to https://issues.jenkins-ci.org/browse/JENKINS-54746?focusedCommentId=357252
            Hide
            jnz_topdanmark Jon Brohauge added a comment -

            We usually don't do upgrades.
            By leveraging Docker, and JCasC, we rebuild from scratch, every time we need a new version Jenkins or a plugin. Having no state inside Jenkins, we can treat the containers as cattle. If it gets sick, here comes the bolt-pistol. As mentioned in my previous comment comment-343088, we fixed our issue by entering the SSH key "directly" and setting the proper scope.

            Show
            jnz_topdanmark Jon Brohauge added a comment - We usually don't do upgrades. By leveraging Docker, and JCasC, we rebuild from scratch, every time we need a new version Jenkins or a plugin. Having no state inside Jenkins, we can treat the containers as cattle. If it gets sick, here comes the bolt-pistol. As mentioned in my previous comment comment-343088 , we fixed our issue by entering the SSH key "directly" and setting the proper scope.
            Hide
            nneul Nathan Neulinger added a comment -

            Had a chance to try this again, and cannot reproduce now - upgrade processed smoothly with no issues. Sorry I can't provide anything further. 

            Show
            nneul Nathan Neulinger added a comment - Had a chance to try this again, and cannot reproduce now - upgrade processed smoothly with no issues. Sorry I can't provide anything further. 
            Hide
            vazhnov Alexey Vazhnov added a comment - - edited

            I've just installed fresh Jenkins and found I can't use SSH private key from Jenkins home directory, ~/.ssh/id_rsa. As workaround, I put SSH key into Jenkins Credentials, it works.

            • SSH Slaves v1.29.4,
            • SSH Credentials Plugin v1.16,
            • Jenkins v2.164.3,
            • host and slave OS: Ubuntu 18.04.2 with all updates,
            • OpenSSH v7.6p1.

            Update: found this:

            SSH Credentials Plugin no longer supports SSH credentials from files on the Jenkins master file system, neither user-specified file paths nor ~/.ssh. Existing SSH credentials of these kinds are migrated to "directly entered" SSH credentials.

            Show
            vazhnov Alexey Vazhnov added a comment - - edited I've just installed fresh Jenkins and found I can't use SSH private key from Jenkins home directory, ~/.ssh/id_rsa . As workaround, I put SSH key into Jenkins Credentials, it works. SSH Slaves v1.29.4, SSH Credentials Plugin v1.16, Jenkins v2.164.3, host and slave OS: Ubuntu 18.04.2 with all updates, OpenSSH v7.6p1. Update : found this : SSH Credentials Plugin no longer supports SSH credentials from files on the Jenkins master file system, neither user-specified file paths nor ~/.ssh. Existing SSH credentials of these kinds are migrated to "directly entered" SSH credentials.

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              jenkey Claudio B
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated: