Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-10647

SSH public key based CLI authentication added in 1.419 is broken in 1.421+

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cli, security
    • Labels:
      None
    • Environment:
      Solaris x86 JRE 1.5 and Archlinux x64 JRE 1.7
    • Similar Issues:
      Show 5 results

      Description

      I am using Unix user/group database for Security Realm and the SSH public key security for CLI added in version 1.419. This works great in 1.419 and 1.420, but is broken in 1.421 and 1.425 (and presumably versions in between... I discovered it didn't work in 1.425, which is currently the latest, and then went up from 1.419 until it broke).

      I am guessing it has to do with one of these changes in 1.421

      • PAM authentication wasn't working with Ubuntu 11.04 (issue 9486)
      • PAM authentication now works with CLI login mechanism. (issue 9681)
      • Generalized the mechanism to control scopes of security permissions

      I can insert a typo in my public key config to force an error with the authentication, in which case I will get an error saying the public key didn't work.

      However, when everything is setup correctly, and I receive no errors regarding the ssh keys, I always get the following stack trace about the anonymous user when trying to use the CLI. This occurs for any CLI command that requires Administer permission. Read-only commands like version do work.

      myhost:$ java -jar /opt/auto/jenkins/bin/jenkins-cli.jar -s http://myhost:9080 groovy /opt/auto/jenkins/bin/failedjobs.gsh
      hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:381)
      at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
      at hudson.cli.CLICommand.main(CLICommand.java:184)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:592)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:287)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:417)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
      at java.util.concurrent.FutureTask.run(FutureTask.java:123)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
      at java.lang.Thread.run(Thread.java:595)

        Attachments

          Activity

          jmechler2 Jason Mechler created issue -
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
          Log:
          [FIXED JENKINS-10647] attributing the fix to a filed ticket

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: changelog.html http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f Log: [FIXED JENKINS-10647] attributing the fix to a filed ticket
          scm_issue_link SCM/JIRA link daemon made changes -
          Field Original Value New Value
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Hide
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #1036
          [FIXED JENKINS-10647] attributing the fix to a filed ticket

          Kohsuke Kawaguchi : 6b95b9be2df6085c92e38353187ea466d5fafd5f
          Files :

          • changelog.html
          Show
          dogfood dogfood added a comment - Integrated in jenkins_main_trunk #1036 [FIXED JENKINS-10647] attributing the fix to a filed ticket Kohsuke Kawaguchi : 6b95b9be2df6085c92e38353187ea466d5fafd5f Files : changelog.html
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
          Log:
          [FIXED JENKINS-10647] attributing the fix to a filed ticket

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: changelog.html http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f Log: [FIXED JENKINS-10647] attributing the fix to a filed ticket
          Hide
          zeeshanlakhani Zeeshan Lakhani added a comment -

          I'm having a very similar with ssh public keys, users, and the cli in 1.432.

          I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

          Show
          zeeshanlakhani Zeeshan Lakhani added a comment - I'm having a very similar with ssh public keys, users, and the cli in 1.432. I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.
          zeeshanlakhani Zeeshan Lakhani made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          Hide
          zeeshanlakhani Zeeshan Lakhani added a comment -

          Not sure if it came through below, but here's my issue (version 1.432, Solaris):

          I'm having a very similar with ssh public keys, users, and the cli in 1.432.
          I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

          Show
          zeeshanlakhani Zeeshan Lakhani added a comment - Not sure if it came through below, but here's my issue (version 1.432, Solaris): I'm having a very similar with ssh public keys, users, and the cli in 1.432. I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f
          Log:
          [FIXED JENKINS-10647] attributing the fix to a filed ticket

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: changelog.html http://jenkins-ci.org/commit/jenkins/6b95b9be2df6085c92e38353187ea466d5fafd5f Log: [FIXED JENKINS-10647] attributing the fix to a filed ticket
          scm_issue_link SCM/JIRA link daemon made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          http://jenkins-ci.org/commit/jenkins/4f2ad118da778c052f6c7c7b600f97971b6d28e4
          Log:
          [FIXED JENKINS-10647] attributing the fix to a filed ticket

          Cherry-picked-from: 6b95b9be2df6085c92e38353187ea466d5fafd5f

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: http://jenkins-ci.org/commit/jenkins/4f2ad118da778c052f6c7c7b600f97971b6d28e4 Log: [FIXED JENKINS-10647] attributing the fix to a filed ticket Cherry-picked-from: 6b95b9be2df6085c92e38353187ea466d5fafd5f
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java
          http://jenkins-ci.org/commit/jenkins/719c7595d353b99d196cfc1d3a485281a2d8aa8b
          Log:
          [FIXED JENKINS-10647] Needs to fallback to transport authentication.
          (cherry picked from commit f7108faf6f5f93c8ccab9ce1e8c67cf3c3d39b23)

          Conflicts:

          changelog.html

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java http://jenkins-ci.org/commit/jenkins/719c7595d353b99d196cfc1d3a485281a2d8aa8b Log: [FIXED JENKINS-10647] Needs to fallback to transport authentication. (cherry picked from commit f7108faf6f5f93c8ccab9ce1e8c67cf3c3d39b23) Conflicts: changelog.html

            People

            • Assignee:
              Unassigned
              Reporter:
              jmechler2 Jason Mechler
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: