JENKINS-24273

Presence of ECDSA SSH keys breaks SSH credentials plugin

      Description

      Create an ECDSA SSH key pair (ssh-keygen -t ecdsa) for the user that runs Jenkins.
      Put the public key (~/.ssh/id_ecdsa.pub) into the appropriate authorized_keys file on a build slave.
      You are now able to connect to the build slave by using public key authentication with the ECDSA key.

      Now run Jenkins under that account. Make sure that you update the SSH credentials plugin to 1.8. Configure the build slave. Choose "From the Jenkins master ~/.ssh" as your credentials to use the ECDSA key.

      When Jenkins tries to connect to the build slave, it fails with the exception "Caused by: java.io.IOException: Invalid PEM structure, '-----BEGIN...' missing"

      This exception comes from the trilead-ssh2 library https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/crypto/PEMDecoder.java which has no ECDSA support built in yet.

      Interestingly, version 1.8 of the SSH credentials plugin was released just for the support of ECDSA keys.

      Looking at the changes for 1.8 https://github.com/jenkinsci/ssh-credentials-plugin/commit/93e61a2cb9da782bdfefd8ce1375c1b2fd592cc0, nothing but the list enumeration with the key types and the version were changed.

      Possible workarounds are downgrading to 1.7.1 or deleting the ECDSA keys.

      Please revert the changes made in version 1.8 until trilead-ssh2 supports ECDSA keys.
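
A pre-flight check for the failure reported above, as an added example (not code from this issue, the SSH credentials plugin, or trilead-ssh2): it classifies each private key in a directory by its PEM BEGIN line and lists the ones a decoder without ECDSA support would reject. The accepted header set (RSA and DSA only), the `id_*` file naming, and all function names are assumptions; the sample key files are constructed placeholders.

```shell
#!/bin/sh
# Assumption: the decoder accepts only RSA and DSA PEM headers (no ECDSA).

# Print the label of the first "-----BEGIN <label>-----" line, or "none".
pem_key_type() {
    label=$(tr -d '\r' 2>/dev/null < "$1" |
        sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    printf '%s\n' "${label:-none}"
}

# Succeed only for key types the assumed decoder can parse.
decoder_accepts() {
    case "$(pem_key_type "$1")" in
        "RSA PRIVATE KEY"|"DSA PRIVATE KEY") return 0 ;;
        *) return 1 ;;
    esac
}

# List private keys (id_* without .pub) that the decoder would reject.
unsupported_keys() {
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        decoder_accepts "$f" || printf '%s: %s\n' "$f" "$(pem_key_type "$f")"
    done
}

# Constructed sample files: PEM armour around a placeholder, no key material.
write_sample() {
    printf '%s\n' "-----BEGIN $2-----" "(constructed placeholder)" \
        "-----END $2-----" > "$1"
}

make_sample_dir() {
    d=$(mktemp -d) || return 1
    write_sample "$d/id_rsa" "RSA PRIVATE KEY"
    write_sample "$d/id_ecdsa" "EC PRIVATE KEY"
    printf '%s\n' "ecdsa-sha2-nistp256 (constructed)" > "$d/id_ecdsa.pub"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
unsupported_keys "$sample"   # lists only the id_ecdsa file
rm -rf "$sample"
```

Pointing `unsupported_keys` at the `~/.ssh` directory of the account that runs Jenkins shows which keys fall under the "delete the ECDSA keys" workaround.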

          Activity

          hendrikhalkow Hendrik Halkow created issue -
          danielbeck Daniel Beck made changes -
          Priority Critical [ 2 ] Minor [ 4 ]
          hendrikhalkow Hendrik Halkow made changes -
          Summary Presence of ECDSA SSH keys break SSH credentials plugin Presence of ECDSA SSH keys breaks SSH credentials plugin
          scm_issue_link SCM/JIRA link daemon made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          hendrikhalkow Hendrik Halkow made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 157154 ] JNJira + In-Review [ 186220 ]
          stephenconnolly Stephen Connolly made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]

            People

            • Assignee:
              stephenconnolly Stephen Connolly
              Reporter:
              hendrikhalkow Hendrik Halkow