Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25194

Private key with passphrase does not seem to work

    Details

    • Similar Issues:

      Description

      I have been unable to get CliGitAPIImpl to work with a private key with passphrase on a Linux slave to connect to a nonpublic Git repository. (Selecting the option to load from the default location, ~/.ssh/id_dsa.) I always get

      Permission denied (publickey).

      I verified that GIT_SSH and SSH_ASKPASS are being set and that the files they point to have the expected contents (by patching the plugin to not delete these files in its finally block). Indeed when I log in to the slave, set these variables to the same files, and run git clone <repo>, it works fine.

      If I set the job to use JGit rather than CLI git, it also works fine, so I do not think I am just using the wrong credentials.

      I also tested with a private key (specific file on master) with no passphrase. This worked fine (with both JGit and CLI).

      I thought one explanation was that ssh thought it was running from a terminal (even though it should not be) and so ignored SSH_ASKPASS. Indeed to interactively verify the GIT_SSH / SSH_ASKPASS combination you have to prefix the git command with setsid if you want the passphrase script to be consulted. But I see the same problem even when I patch the plugin to prefix all git commands with setsid.

      So https://github.com/jenkinsci/git-client-plugin/commit/4b4d59d29894ac6eccab969561d2df5207a88f60 is not working for me, for unknown reasons. Whether or not it is working for others, I would suggest a simplifying change to CliGitAPIImpl: rather than relying on SSH_ASKPASS, decrypt the private key in Java code (I think there is code for this in one of the libraries available to this plugin) and save that to the keyfile.

      Note that GitPluginTest in acceptance-test-harness does not seem to test passphrases. (Nor does it test private keys that are not entered directly but loaded from a file on master, another important use case.)

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            Duplicates JENKINS-20879.

            Show
            danielbeck Daniel Beck added a comment - Duplicates JENKINS-20879 .
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Mark Waite
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
            http://jenkins-ci.org/commit/git-client-plugin/882ecdfb53d627eeeea130720685681ce2553193
            Log:
            Optionally detach ssh authenticated git calls from terminal

            When I run CredentialsTest from my terminal window on Ubuntu 16.04, the
            test fails for ssh keys which need a passphrase. If I run the tests
            from my IDE, or if I prepend "setsid" to the maven command that runs
            the tests, the tests pass.

            The ssh command called by git seems to require the DISPLAY variable, and
            the GIT_SSH variable, and must be detached from the controlling terminal.
            If any one of those is missing (at least on Ubuntu 16), the passphrase
            prompt will not be answered.

            Command line maven builds now include the property:

            org.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true

            Default runtime value of the property is false. Users will not run
            with this change unless they specifically set that property to true.
            Most users don't run Jenkins with a controlling terminal attached,
            so they don't need the change.

            Sets useSETSID=true in surefire target so that command line invocations
            of the tests will prefix the "git" command with setsid when it is used
            in an ssh private key context.

            Allows command line run of CredentialsTest with passphrase protected
            private keys.

            Setting BatchMode=yes in the ssh command does not have the same result.
            The setsid call was the only technique I found that reliably allowed
            the ssh call performed by command line git to consistently process the
            script defined in the SSH_ASKPASS variable.

            See JENKINS-20879 and JENKINS-25194 for more details.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: pom.xml src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java http://jenkins-ci.org/commit/git-client-plugin/882ecdfb53d627eeeea130720685681ce2553193 Log: Optionally detach ssh authenticated git calls from terminal When I run CredentialsTest from my terminal window on Ubuntu 16.04, the test fails for ssh keys which need a passphrase. If I run the tests from my IDE, or if I prepend "setsid" to the maven command that runs the tests, the tests pass. The ssh command called by git seems to require the DISPLAY variable, and the GIT_SSH variable, and must be detached from the controlling terminal. If any one of those is missing (at least on Ubuntu 16), the passphrase prompt will not be answered. Command line maven builds now include the property: org.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true Default runtime value of the property is false. Users will not run with this change unless they specifically set that property to true. Most users don't run Jenkins with a controlling terminal attached, so they don't need the change. Sets useSETSID=true in surefire target so that command line invocations of the tests will prefix the "git" command with setsid when it is used in an ssh private key context. Allows command line run of CredentialsTest with passphrase protected private keys. Setting BatchMode=yes in the ssh command does not have the same result. The setsid call was the only technique I found that reliably allowed the ssh call performed by command line git to consistently process the script defined in the SSH_ASKPASS variable. See JENKINS-20879 and JENKINS-25194 for more details.

              People

              • Assignee:
                ndeloof Nicolas De Loof
                Reporter:
                jglick Jesse Glick
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: