JENKINS-10647

SSH public key based CLI authentication added in 1.419 is broken in 1.421+

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cli, security
    • Labels:
      None
    • Environment:
      Solaris x86 JRE 1.5 and Archlinux x64 JRE 1.7

      Description

      I am using Unix user/group database for Security Realm and the SSH public key security for CLI added in version 1.419. This works great in 1.419 and 1.420, but is broken in 1.421 and 1.425 (and presumably versions in between... I discovered it didn't work in 1.425, which is currently the latest, and then went up from 1.419 until it broke).

      I am guessing it has to do with one of these changes in 1.421

      • PAM authentication wasn't working with Ubuntu 11.04 (issue 9486)
      • PAM authentication now works with CLI login mechanism. (issue 9681)
      • Generalized the mechanism to control scopes of security permissions

      I can insert a typo in my public key config to force an error with the authentication, in which case I will get an error saying the public key didn't work.

      However, when everything is set up correctly, and I receive no errors regarding the ssh keys, I always get the following stack trace about the anonymous user when trying to use the CLI. This occurs for any CLI command that requires Administer permission. Read-only commands like version do work.

      myhost:$ java -jar /opt/auto/jenkins/bin/jenkins-cli.jar -s http://myhost:9080 groovy /opt/auto/jenkins/bin/failedjobs.gsh
      hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:381)
      at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
      at hudson.cli.CLICommand.main(CLICommand.java:184)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:592)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:287)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:417)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
      at java.util.concurrent.FutureTask.run(FutureTask.java:123)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
      at java.lang.Thread.run(Thread.java:595)

        Activity

        jmechler2 Jason Mechler created issue -
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        changelog.html
        http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
        Log:
        [FIXED JENKINS-10647] attributing the fix to a filed ticket

        scm_issue_link SCM/JIRA link daemon made changes -
        Field | Original Value | New Value
        Status | Open [ 1 ] | Resolved [ 5 ]
        Resolution | (none) | Fixed [ 1 ]
        dogfood dogfood added a comment -

        Integrated in jenkins_main_trunk #1036
        [FIXED JENKINS-10647] attributing the fix to a filed ticket

        Kohsuke Kawaguchi : 6b95b9be2df6085c92e38353187ea466d5fafd5f
        Files :

        • changelog.html
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        changelog.html
        http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
        Log:
        [FIXED JENKINS-10647] attributing the fix to a filed ticket

        zeeshanlakhani Zeeshan Lakhani added a comment -

        I'm having a very similar issue with ssh public keys, users, and the cli in 1.432.

        I have a user with all permissions (under matrix security) named jenkins. I generated an ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

        zeeshanlakhani Zeeshan Lakhani made changes -
        Field | Original Value | New Value
        Resolution | Fixed [ 1 ] | (none)
        Status | Resolved [ 5 ] | Reopened [ 4 ]
        zeeshanlakhani Zeeshan Lakhani added a comment -

        Not sure if it came through below, but here's my issue (version 1.432, Solaris):

        I'm having a very similar issue with ssh public keys, users, and the cli in 1.432.
        I have a user with all permissions (under matrix security) named jenkins. I generated an ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        changelog.html
        http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
        Log:
        [FIXED JENKINS-10647] attributing the fix to a filed ticket

        scm_issue_link SCM/JIRA link daemon made changes -
        Field | Original Value | New Value
        Status | Reopened [ 4 ] | Resolved [ 5 ]
        Resolution | (none) | Fixed [ 1 ]
        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        http://jenkins-ci.org/commit/jenkins/4f2ad118da778c052f6c7c7b600f97971b6d28e4
        Log:
        [FIXED JENKINS-10647] attributing the fix to a filed ticket

        Cherry-picked-from: 6b95b9be2df6085c92e38353187ea466d5fafd5f

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java
        http://jenkins-ci.org/commit/jenkins/719c7595d353b99d196cfc1d3a485281a2d8aa8b
        Log:
        [FIXED JENKINS-10647] Needs to fallback to transport authentication.
        (cherry picked from commit f7108faf6f5f93c8ccab9ce1e8c67cf3c3d39b23)

        Conflicts:

        changelog.html

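
The symptom reported in this ticket (read-only commands succeed, anything needing Administer fails as anonymous) together with the commit log "Needs to fallback to transport authentication" is consistent with an authentication downgrade: a later authentication step replaces the identity the transport already established. The following is an added illustration, not Jenkins source and not written by anyone in this thread; it is a simplified Java 16+ model in which every name (`Identity`, `resolveBroken`, `resolveFixed`, `passwordLogin`) and every sample user is hypothetical.

```java
import java.util.Set;

// Simplified model, NOT Jenkins source: all class, method and user names are hypothetical.
public class CliAuthFallbackDemo {
    record Identity(String name, Set<String> permissions) {
        static final Identity ANONYMOUS = new Identity("anonymous", Set.of("Read"));
    }

    // Broken variant: with no explicit username/password on the command line,
    // the realm answers "anonymous" and discards the SSH-key identity.
    static Identity resolveBroken(Identity transport, String user, String password) {
        if (user == null) return Identity.ANONYMOUS;
        return passwordLogin(user, password);
    }

    // Fixed variant: no explicit credentials means "keep whoever the transport authenticated".
    static Identity resolveFixed(Identity transport, String user, String password) {
        if (user == null) return transport;
        return passwordLogin(user, password);
    }

    // Constructed stand-in for the security realm's password check.
    static Identity passwordLogin(String user, String password) {
        if ("admin".equals(user) && "constructed-secret".equals(password))
            return new Identity("admin", Set.of("Read", "Administer"));
        throw new SecurityException("bad credentials for " + user);
    }

    static void checkPermission(Identity who, String permission) {
        if (!who.permissions().contains(permission))
            throw new SecurityException(who.name() + " is missing the " + permission + " permission");
    }

    public static void main(String[] args) {
        // Identity established by the SSH public key handshake (constructed sample user).
        Identity viaSshKey = new Identity("alice", Set.of("Read", "Administer"));
        for (boolean fixed : new boolean[] {false, true}) {
            Identity who = fixed ? resolveFixed(viaSshKey, null, null)
                                 : resolveBroken(viaSshKey, null, null);
            String label = fixed ? "fixed:  " : "broken: ";
            try {
                checkPermission(who, "Read");        // a read-only command passes either way
                checkPermission(who, "Administer");  // a command that needs Administer
                System.out.println(label + who.name() + " passes the Administer check");
            } catch (SecurityException e) {
                System.out.println(label + e.getMessage());
            }
        }
    }
}
```

A regression test for this class of bug should run one Administer-gated command with key-only authentication, because a read-only command passes for anonymous and hides the downgrade.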

          People

          • Assignee:
            Unassigned
            Reporter:
            jmechler2 Jason Mechler