Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-45651

X-SSH-Endpoint is not provided on top page when 401/403 are returned

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Not A Defect
    • Component/s: core, ldap-plugin, ssh-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.60.1 on RedHat Enterprise Linux 5
    • Similar Issues:

      Description

      Quite contrary to what is written on https://wiki.jenkins.io/display/JENKINS/Jenkins+SSH, X-SSH-Endpoint header is not provided on the top page when the response is 403.

      $ curl -I http://localhost:8440/jenkins/
      HTTP/1.1 403 Forbidden
      Date: Wed, 19 Jul 2017 13:43:33 GMT
      X-Content-Type-Options: nosniff
      Set-Cookie: JSESSIONID.32f49371=15lrqwbgqu5jvm4xkf7ulfomu;Path=/jenkins;HttpOnly
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Content-Type: text/html;charset=UTF-8
      X-Hudson: 1.395
      X-Jenkins: 2.60.1
      X-Jenkins-Session: 567160ff
      X-Hudson-CLI-Port: 37318
      X-Jenkins-CLI-Port: 37318
      X-Jenkins-CLI2-Port: 37318
      X-You-Are-Authenticated-As: anonymous
      X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
      X-Required-Permission: hudson.model.Hudson.Read
      X-Permission-Implied-By: hudson.security.Permission.GenericRead
      X-Permission-Implied-By: hudson.model.Hudson.Administer
      Content-Length: 829
      Server: Jetty(9.2.z-SNAPSHOT)
      

      One needs to get response 200 (i.e. access login URL) to get the endpoint. Note that CLI ports ARE returned always, only SSH endpoint is missing.

      $ curl -I http://localhost:8440/jenkins/login
      HTTP/1.1 200 OK
      Date: Wed, 19 Jul 2017 13:43:41 GMT
      X-Content-Type-Options: nosniff
      Set-Cookie: JSESSIONID.32f49371=6balu16gxdidrwpc4t258io;Path=/jenkins;HttpOnly
      Expires: 0
      Cache-Control: no-cache,no-store,must-revalidate
      X-Hudson-Theme: default
      Content-Type: text/html;charset=UTF-8
      X-Hudson: 1.395
      X-Jenkins: 2.60.1
      X-Jenkins-Session: 567160ff
      X-Hudson-CLI-Port: 37318
      X-Jenkins-CLI-Port: 37318
      X-Jenkins-CLI2-Port: 37318
      X-Frame-Options: sameorigin
      X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlwNEtMd78Uf5V2p+hCgcHOazeDpoo9lKZL7YlqgzpuQeJvHfhMZ+fRCTCoIns/swiE5tG0WttqRL4z7tgA+xF8+KzKFuUtONhar+4kGDIhrJks+MuyePpEpzXplHtcB9OFUymfwTXrOBXExswjdGodqupyG9IBG1Xlx51oRHRXHEci3QgF1f/7+KfsZM3oCTOpyQxNasE5dki4nA33PvvAeZGHwxvdJ0nmLcbAVk8aSCzjuDbJZ+GnjJC+CsLR34AYWHNbxOo8rn9PCiIJid43UX/36HmYweWlUdRsnBfXtHL02/NV6OngWvWAowmFmVz9YzLj5+C4Q9QshZmvhbFwIDAQAB
      X-SSH-Endpoint: server:55999
      Content-Length: 7304
      Server: Jetty(9.2.z-SNAPSHOT)
      

        Attachments

          Issue Links

            Activity

            Hide
            ssbarnea Sorin Sbarnea added a comment -

            We are talking here about the ldap-plugin not some esoteric one and TBH I am not even sure that getting a 401 response from `/login` page is wrong. In fact that even more HTTP compliant than returning a 200 answer. 

            Somehow I have the impression that's another bug that feels between the jenkins core and its plugin. Everyone agrees thats a bug but nobody agrees which code is to blame/fix: core, ldap-plugin or sshd-plugin? ... based on the status of the ticket one could even assume that is "Not A Defect".

            Show
            ssbarnea Sorin Sbarnea added a comment - We are talking here about the ldap-plugin not some esoteric one and TBH I am not even sure that getting a 401 response from `/login` page is wrong. In fact that even more HTTP compliant than returning a 200 answer.  Somehow I have the impression that's another bug that feels between the jenkins core and its plugin. Everyone agrees thats a bug but nobody agrees which code is to blame/fix: core, ldap-plugin or sshd-plugin? ... based on the status of the ticket one could even assume that is "Not A Defect".
            Hide
            danielbeck Daniel Beck added a comment - - edited

            Weird, ci.jenkins.io also uses LDAP and returns 200 for /login (which could in theory be due to Overall/Read being granted, but local tests with internal user DB and without anon Overall/Read also return 200). Are you sure the reverse proxy isn't messing with that?

            Show
            danielbeck Daniel Beck added a comment - - edited Weird, ci.jenkins.io also uses LDAP and returns 200 for /login (which could in theory be due to Overall/Read being granted, but local tests with internal user DB and without anon Overall/Read also return 200). Are you sure the reverse proxy isn't messing with that?
            Hide
            rst Ruben Stein added a comment - - edited

            When I updated one of our machines to 2.60.2 or 2.60.3 my puppet client's CLI authentication through SSH key does not work anymore.

            root@testmaster:/var/lib/jenkins# java -jar /usr/share/jenkins/jenkins-cli.jar -s https://testmaster:8443/login -i /etc/puppet/ssl_cli/testmaster-nonuser -ssh -user testmaster-nonuser help

            returns code 255 and:

            Sep 07, 2017 5:01:13 PM hudson.cli.SSHCLI sshConnection
            WARNING: No header 'X-SSH-Endpoint' returned by Jenkins

            Regarding  a workaround I read adding that header via reverse proxy config. What to do about this if there is no reverse proxy in place? Is this really fixed like this?

            Edit: I am using the matrix-auth plugin together with active-directory to authenticate against an AD server.

            Show
            rst Ruben Stein added a comment - - edited When I updated one of our machines to 2.60.2 or 2.60.3 my puppet client's CLI authentication through SSH key does not work anymore. root@testmaster:/var/lib/jenkins# java -jar /usr/share/jenkins/jenkins-cli.jar -s https://testmaster:8443/login -i /etc/puppet/ssl_cli/testmaster-nonuser -ssh -user testmaster-nonuser help returns code 255 and: Sep 07, 2017 5:01:13 PM hudson.cli.SSHCLI sshConnection WARNING: No header 'X-SSH-Endpoint' returned by Jenkins Regarding  a workaround I read adding that header via reverse proxy config. What to do about this if there is no reverse proxy in place? Is this really fixed like this? Edit: I am using the matrix-auth plugin together with active-directory to authenticate against an AD server.
            Hide
            jj2007 Jayesh Jadhav added a comment -

            Ruben Stein Can you please give me the link to the workaround you have mentioned , I am facing a similar issue .

            Show
            jj2007 Jayesh Jadhav added a comment - Ruben Stein Can you please give me the link to the workaround you have mentioned , I am facing a similar issue .
            Hide
            rst Ruben Stein added a comment -

            Hey Jayesh,

            in one of the older comments (Sorin Sbarnea - 2017-08-24 15:27 comment-311573) it is mentioned that the header was manually added via an nginx in front of jenkins. He mentions that after this the cli was able to connect properly.

            Show
            rst Ruben Stein added a comment - Hey Jayesh, in one of the older comments (Sorin Sbarnea - 2017-08-24 15:27 comment-311573 ) it is mentioned that the header was manually added via an nginx in front of jenkins. He mentions that after this the cli was able to connect properly.

              People

              • Assignee:
                Unassigned
                Reporter:
                raspy Krzysztof Malinowski
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: