Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Component/s: gerrit-trigger-plugin
Environment: Linux dt-000886 3.0.0-15-generic #26-Ubuntu SMP Fri Jan 20 17:23:00 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Jenkins ver. 1.450
Gerrit Trigger 2.3.1
I can only get Jenkins to talk to Gerrit's SSH connection if the key file has no password.
1. Use ssh-keygen to create a key with a password
2. Configure Gerrit Trigger with that key and its password
3. Test Connection
> Bad SSH keyfile or password
Jenkins.log:
> 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
> INFO: Parsing private key file
> 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
> INFO: Private key is not in the default format, attempting parse with other supported formats
4. Clear the password: ssh-keygen -f .ssh/id_rsa -p -N ''
Note that the Proc-Type and DEK-Info headers have gone.
5. Test connection (without clearing the password!)
6. Succeeds. Log still complains about non-default format.
7. Clear the password in Jenkins.
8. Test connection
9. Still succeeds, Log still complains about non-default format.
This took me ages to nail down because supplying a password to a no-password key file doesn't fail.
I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library.
I wrote a trivial test for gerrit-events to decrypt the attached key:
(the encrypted ssh key is in the resources tet
When run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):
com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC
    at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source)
    at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)
The issue is that j2ssh ONLY supports DES-EDE3-CBC:
j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but it is not 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this.
In the meantime, keys can be converted to use DES-EDE3-CBC encryption and should work just fine with that.
Edit: It appears that the use of ssh-tools in gerrit-events is just confined to ssh-util, so with a few changes there, this can be supported.
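
A pre-check for the failure described in this ticket, as an added example that is not code from the ticket or from gerrit-events: it reads the Proc-Type and DEK-Info headers the reporter mentions and reports which cipher protects a key file before it is configured in Gerrit Trigger. The function names, exit codes and the sample key text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, exit codes and sample text are hypothetical.

# pem_cipher: read a key on stdin and print the DEK-Info cipher name, "none"
# for a traditional PEM key without encryption headers, or "unknown-format".
pem_cipher() {
    awk '
        /^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----/ { inkey = 1; next }
        !inkey        { next }
        /^-----END /  { exit }
        /^Proc-Type:/ { if ($0 ~ /ENCRYPTED/) enc = 1; next }
        /^DEK-Info:/  {
            sub(/^DEK-Info:[ \t]*/, "")   # drop the header name
            sub(/,.*$/, "")               # drop the IV after the comma
            cipher = $0
        }
        END {
            if (!inkey)                   print "unknown-format"
            else if (enc && cipher != "") print cipher
            else if (enc || cipher != "") print "unknown-format"
            else                          print "none"
        }'
}

# check_key_for_j2ssh FILE
# 0: DES-EDE3-CBC, the one cipher the ticket comment says j2ssh supports
# 1: another cipher (e.g. AES-128-CBC)  2: unencrypted  3: format not checked
check_key_for_j2ssh() {
    [ -r "$1" ] || { echo "$1: cannot read file"; return 3; }
    cipher=$(pem_cipher < "$1")
    case "$cipher" in
        DES-EDE3-CBC)   echo "$1: DES-EDE3-CBC, supported"; return 0 ;;
        none)           echo "$1: unencrypted, a configured password is never checked"; return 2 ;;
        unknown-format) echo "$1: not a traditional PEM key, not checked"; return 3 ;;
        *)              echo "$1: $cipher, unsupported passphrase algorithm"; return 1 ;;
    esac
}

# Constructed sample: only the header lines matter, the body is not a real key.
sample_key() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        "DEK-Info: $1,00112233445566778899AABBCCDDEEFF" '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----'
}

# Check every key file named on the command line.
for f in "$@"; do
    check_key_for_j2ssh "$f" || true
done
```

Exit status 2 covers the case from steps 5 to 9 of the report, where the connection succeeds whether or not a password is entered because the key on disk is not encrypted at all.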