JENKINS-12690

JenkinsTrigger does not understand SSH Key with a password


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: gerrit-trigger-plugin
    • Environment:
      Linux dt-000886 3.0.0-15-generic #26-Ubuntu SMP Fri Jan 20 17:23:00 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
      Jenkins ver. 1.450
      Gerrit Trigger 2.3.1

      Description

      I can only get Jenkins to talk to Gerrit's SSH connection if the key file has no password.

      1. Use ssh-keygen to create a key with a password

      2. Configure Gerrit Trigger with that key and its password

      3. Test Connection

      > Bad SSH keyfile or password

      Jenkins.log:
      > 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
      > INFO: Parsing private key file
      > 09-Feb-2012 12:43:18 com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile parse
      > INFO: Private key is not in the default format, attempting parse with other supported formats

      4. Clear the password: ssh-keygen -f .ssh/id_rsa -p -N ''

      Note that the Proc-Type and DEK-Info headers have gone.

      5. Test connection (without clearing the password!)

      6. Succeeds. Log still complains about non-default format.

      7. Clear the password in Jenkins.

      8. Test connection

      9. Still succeeds, Log still complains about non-default format.

      This took me ages to nail down because supplying a password to a no-password key file doesn't fail.

        Attachments

        1. id_rsa
          2 kB
        2. id_rsa
          2 kB
        3. id_rsa.pub
          0.4 kB
        4. id_rsa.pub
          0.4 kB


            Activity

            Sam Van Oort (svanoort) added a comment (edited)

            I've investigated this, and it has a fairly simple root cause: unsupported decryption algorithm, in the gerrit-events library.
            I wrote a trivial test for gerrit-events to decrypt the attached key:

            import static org.junit.Assert.assertFalse;
            import static org.junit.Assert.assertTrue;

            import java.io.File;
            import java.net.URL;
            import java.security.Security;

            import org.bouncycastle.jce.provider.BouncyCastleProvider;
            import org.junit.Test;

            import com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile;
            // package path assumed from the gerrit-events layout
            import com.sonymobile.tools.gerrit.gerritevents.ssh.SshUtil;

            // Passphrase the attached test key (id_rsa_passphrase) was encrypted with
            private static final String PASSPHRASE = "letmein";

            @Test
            public void testPassphraseParsing() throws Exception {
                Security.addProvider(new BouncyCastleProvider());

                // Get locked keyfile as file
                URL url = Thread.currentThread().getContextClassLoader()
                        .getResource("com/sonymobile/tools/gerrit/gerritevents/id_rsa_passphrase");
                File file = new File(url.getPath());

                // Fail if invalid passphrase does not fail
                boolean failure = SshUtil.checkPassPhrase(file, "wrongpassphrase");
                assertFalse("Passphrase validation should fail!", failure);

                // Will fail with: Unsupported passphrase algorithm: AES-128-CBC
                SshPrivateKeyFile keyFile = SshPrivateKeyFile.parse(file);
                keyFile.toPrivateKey(PASSPHRASE);

                // THIS SHOULD SUCCEED AND INSTEAD IT FAILS!
                boolean tested = SshUtil.checkPassPhrase(file, PASSPHRASE);
                assertTrue("Passphrase validation failed!", tested);
            }


            (the encrypted ssh key is in the resources tet

            When run (with the encrypted key in id_rsa_passphrase, and PASSPHRASE = "letmein"):

            com.sshtools.j2ssh.transport.publickey.InvalidSshKeyException: Can't read key due to cryptography problems: java.security.NoSuchAlgorithmException: Unsupported passphrase algorithm: AES-128-CBC
                at com.sshtools.j2ssh.openssh.OpenSSHPrivateKeyFormat.decryptKeyblob(Unknown Source)
                at com.sshtools.j2ssh.transport.publickey.SshPrivateKeyFile.toPrivateKey(Unknown Source)

            The issue is that j2ssh ONLY supports DES-EDE3-CBC:

            if (!"DES-EDE3-CBC".equals(keyAlgorithm)) {
                throw new NoSuchAlgorithmException(
                    "Unsupported passphrase algorithm: " + keyAlgorithm);
            }


            j2ssh-maverick is a solution for this (it DOES support AES-128-CBC), but it is not 100% a drop-in replacement for j2ssh (package structure is different, for example). I'm looking at what it takes to add this.

            In the meantime, keys can be converted to use DES-EDE3-CBC encryption and should work just fine with that.

            Edit: It appears that the use of ssh-tools in gerrit-events are just confined to ssh-util, so with a few changes there, this can be supported.
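
The two observations this thread turns on are both visible in the PEM headers of the key file: the description's steps 4 and 5 (Proc-Type and DEK-Info vanish once the passphrase is removed, and a passphrase supplied for such a key is silently ignored) and the comment above (j2ssh accepts only DES-EDE3-CBC in DEK-Info). The following is an added Python example, not code from the issue, the gerrit-trigger plugin or gerrit-events. The three PEM bodies are constructed placeholders rather than real keys, the helper and constant names are this example's own, and the key derivation shown is OpenSSL's legacy PEM KDF (MD5 chained over passphrase plus the first 8 IV bytes), included to show why the cipher name in DEK-Info decides how many key bytes a decryptor must derive.

```python
"""Inspect the encryption headers of a legacy PEM ("BEGIN RSA PRIVATE KEY") file."""
import hashlib

# Cipher names OpenSSL writes into DEK-Info and the key length each one needs.
PEM_CIPHER_KEY_BYTES = {
    "DES-EDE3-CBC": 24,
    "AES-128-CBC": 16,
    "AES-192-CBC": 24,
    "AES-256-CBC": 32,
}

# The only cipher the j2ssh check quoted in the comment above lets through.
J2SSH_SUPPORTED = {"DES-EDE3-CBC"}

# Constructed samples: headers are realistic, the base64 bodies are placeholders.
AES_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpQIBAAKCAQEAconstructedPlaceholderNotARealKey=
-----END RSA PRIVATE KEY-----
"""
DES3_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEpQIBAAKCAQEAconstructedPlaceholderNotARealKey=
-----END RSA PRIVATE KEY-----
"""
PLAIN_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAconstructedPlaceholderNotARealKey=
-----END RSA PRIVATE KEY-----
"""


def parse_pem_headers(pem_text):
    """Return (encrypted, cipher, iv_hex) from the RFC 1421 headers of a PEM block.

    A key whose passphrase was stripped with `ssh-keygen -p -N ''` carries no
    Proc-Type/DEK-Info lines at all, so it comes back as (False, None, None).
    """
    lines = pem_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM block")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break  # blank separator or first base64 body line: headers are over
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return False, None, None
    cipher, _, iv_hex = headers["DEK-Info"].partition(",")
    return True, cipher.strip(), iv_hex.strip()


def evp_bytes_to_key_md5(passphrase, iv_hex, key_len):
    """OpenSSL legacy PEM KDF: D_i = MD5(D_{i-1} || passphrase || salt), salt = IV[:8]."""
    salt = bytes.fromhex(iv_hex)[:8]
    out = b""
    prev = b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase.encode() + salt).digest()
        out += prev
    return out[:key_len]


def check_key_for_j2ssh(pem_text, passphrase):
    """Classify a key/passphrase pair the way a strict Test Connection would."""
    encrypted, cipher, _iv_hex = parse_pem_headers(pem_text)
    if not encrypted:
        if passphrase:
            # Steps 5-9 of the report: the passphrase is never used, so nothing fails.
            return "unencrypted-key-with-unused-passphrase"
        return "unencrypted"
    if cipher not in PEM_CIPHER_KEY_BYTES:
        return "unknown-cipher:" + cipher
    if cipher not in J2SSH_SUPPORTED:
        return "unsupported-by-j2ssh:" + cipher
    return "ok:" + cipher


if __name__ == "__main__":
    for name, sample in (("aes", AES_SAMPLE), ("des3", DES3_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, check_key_for_j2ssh(sample, "letmein"))
```

Run against a real key file, `check_key_for_j2ssh(open(path).read(), passphrase)` tells you before touching Jenkins whether you are in the AES case this bug covers, the DES-EDE3-CBC workaround case, or the "passphrase configured for a key that no longer has one" case that cost the reporter so much time.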

            Sam Van Oort (svanoort) added a comment

            I've got a fix, which takes place in the gerrit-events library (see linked PR). This PR will need to be merged and released, and then the dependency bumped in gerrit trigger, and the issue will be eliminated.

            SCM/JIRA link daemon added a comment

            Code changed in jenkins
            User: Sam Van Oort
            Path:
            pom.xml
            http://jenkins-ci.org/commit/gerrit-trigger-plugin/15e75b0aed6fb521846466e1faa27d2de732b3e8
            Log:
            Fix JENKINS-12690 issue by pulling in gerrit-events version with support for AES encryption passphrase

            SCM/JIRA link daemon added a comment

            Code changed in jenkins
            User: Robert Sandell
            Path:
            pom.xml
            http://jenkins-ci.org/commit/gerrit-trigger-plugin/7cf61197362a7d7a75b74b231480d740203ab823
            Log:
            Merge pull request #250 from jenkinsci/fix-aes-passphrase-issue-jenkins-12690

            Fix JENKINS-12690 issue with AES passphrase encryption of keys

            Compare: https://github.com/jenkinsci/gerrit-trigger-plugin/compare/8e425a49da5f...7cf61197362a

            Sam Van Oort (svanoort) added a comment

            Released in 2.15.1


              People

              • Assignee: Sam Van Oort (svanoort)
              • Reporter: Tim Baverstock (sleekweasel)
              • Votes: 3
              • Watchers: 7