JENKINS-29255: Use of RSA private key yields error: Permissions 0644 for '/…/secretFiles/…/blah.id_rsa' are too open

      Description

      I am trying to store an RSA private key in Jenkins, and reference it using the Credentials Binding plugin.
      I was able to upload the RSA private key as a Secret File, bound to a "domain".
      (The "domain" is just some arbitrary text label).
      This is the only way it appeared in the dropdown list in my project: when I selected 'Use secret text(s) or file(s)', then under Bindings selected 'Secret text', it showed up in the dropdown list.
      So then I selected it, bound it to an env var, and attempted to use it in my project.
      I got this error:

      + rsync -auvz -e 'ssh -i /var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa -p 12345' test_file someone@somewhere.net:/home/someuser/test_dir
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
      @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Permissions 0644 for '/var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa' are too open.
      It is required that your private key files are NOT accessible by others.
      This private key will be ignored.
      bad permissions: ignore key: /var/lib/jenkins/secretFiles/74ec48f8-ead9-4545-99ac-9a8c351cf19d/blah.id_rsa

            Activity

            mcsf M Chon added a comment -

            Related issue,
            If in my project I select 'Use secret text(s) or file(s)', then under Bindings select 'Secret text', then click on the 'Add' button, enter all the info, and click on 'Save', it doesn't save anything.
            Should I file a separate bug for this, and if so, would it go under the Credentials Binding plugin or the Credentials plugin?

            mcsf M Chon added a comment -

            Related issue, if I enter the SSH key under the 'Manage Credentials' area of Jenkins, NOT bound to any "domain", I cannot find a way to reference it inside my project. Am I missing something?

            jglick Jesse Glick added a comment -

            M Chon your first problem would be a separate issue in this component. Not sure offhand what is going wrong; check if it is reproducible in a clean environment.

            jglick Jesse Glick added a comment -

            M Chon your second problem is JENKINS-28399, that currently there is no support for private key credentials, only generic secret files. A fix of that issue would make this issue much less important (though still valid since there may be other programs which require a restrictive mode).

            The workaround for this issue is presumably to chmod go-r $SECRET_FILE in your shell script before trying to use it.

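The build-step workaround from the comment above, worked through as an added example (not code from the plugin, the reporter or the commenter): the bound secret file is copied into a private directory with mode 0600 before it is handed to ssh -i, and a small check reproduces the test ssh applies. The `$SECRET_FILE` content and the temporary paths are constructed here so the script runs offline; the placeholder text is not a key.

```sh
#!/bin/sh
# Added example, not code from the credentials-binding plugin or from this issue:
# make a file exported by a "Secret file" binding (the $SECRET_FILE of the
# workaround) acceptable to ssh -i by copying it into a private directory as a
# 0600 file. The sample secret file below is constructed and is not a real key.
set -eu

# Octal permission bits of a file; GNU stat first, BSD/macOS stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when no group/other permission bit is set, which is the test
# ssh applies before it will use a private key (0644 fails; 0600 and 0400 pass).
key_is_private() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Copy the bound secret file into a fresh 0700 directory as a 0600 file and print
# the new path. Copying instead of chmod-ing the original leaves the file Jenkins
# manages untouched, and the umask in the subshell means the copy never exists
# as 0644, not even for the instant between cp and chmod.
private_key_copy() {
    src="$1"
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sshkey.XXXXXX")
    chmod 0700 "$dir"
    (umask 077 && cp "$src" "$dir/id_rsa")
    chmod 0600 "$dir/id_rsa"
    printf '%s\n' "$dir/id_rsa"
}

# Constructed stand-in for the file the plugin wrote: world-readable (0644), as
# reported in this issue. The contents are a placeholder, not a real key.
make_sample_secret() {
    f=$(mktemp "${TMPDIR:-/tmp}/secretFiles.XXXXXX")
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$f"
    chmod 0644 "$f"
    printf '%s\n' "$f"
}

# Demonstration: the shape of the shell build step in the workaround.
SECRET_FILE=$(make_sample_secret)
if key_is_private "$SECRET_FILE"; then
    echo "unexpected: sample secret file is already private"
else
    echo "bound secret file is mode $(file_mode "$SECRET_FILE"); ssh would refuse it"
fi
KEY=$(private_key_copy "$SECRET_FILE")
echo "private copy at $KEY is mode $(file_mode "$KEY")"
# The real build would now run, e.g.:  rsync -auvz -e "ssh -i $KEY" ...
rm -rf "$SECRET_FILE" "$(dirname "$KEY")"
```

The check in `key_is_private` mirrors what ssh rejects: any group or other bit, not only read. `chmod go-r` as suggested in the comment therefore stops the warning, but 0600 (or `chmod go-rwx`) is the usual target and is what the copy above produces. On plugin versions that include the fix recorded further down in this issue, the plugin itself writes the secret file with restricted visibility, so the copy step is only needed for older versions or for other tools with the same requirement.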
            mcsf M Chon added a comment -

            Thanks. Should I file a new bug for the issue in my first comment?

            jglick Jesse Glick added a comment -

            M Chon with steps to reproduce from scratch please.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/ab732d5eed991cc28fcaf12dace52d22eed58fa9
            Log:
            Merge pull request #1 from Lohandus/master

            [FIXED JENKINS-29255] Restricting secret file visibility to avoid "WARNING: UNPROTECTED PRIVATE KEY FILE!" when using as ssh key

            Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/9fffdfa088ea...ab732d5eed99

            mcsf M Chon added a comment -

            I went to reproduce the issue today (mentioned in my first comment), and could not reproduce it. Now it is storing the secret text.
            Maybe because I downloaded the most recent plugin versions:

            credential-binding-plugin 1.5
            Workflow: Step API 1.9
            Plain Credentials Plugin 1.1

            So, not able to file a separate bug.


              People

              • Assignee: Unassigned
              • Reporter: mcsf M Chon
              • Votes: 0
              • Watchers: 3
