  1. Jenkins
  2. JENKINS-50123

ssh-agent plugin is leaking the passphrase

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Component/s: ssh-agent-plugin
    • Labels:
      None
    • Environment:
      jenkins 2.89.4
      ssh agent plugin 1.15

      Description

      Hi,

      when I'm using ssh-agent in a docker agent, created with the pipeline below:

       

      pipeline {
        agent {
          docker {
            label 'docker'
            image 'myimage'
          }
        }
        stages {
          stage('update') {
            steps {
              sshagent([params.SSH_KEY]) {
                sh 'do stuff'
              }
            }
          }
        }
      }
      
      

      the passphrase is leaked in the logs (--env SSH_PASSPHRASE=<the passphrase>):

      [ssh-agent] Using credentials cjouve (cjouve pkey)
      [ssh-agent] Looking for ssh-agent implementation...
      [ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
      $ docker exec 88c5c9ea7ea37cfdf94eeba5d4a182d0875c98514f771cef92e7eeeb387e6609 ssh-agent
      SSH_AUTH_SOCK=/tmp/ssh-CaYoKcuPb9/agent.9
      SSH_AGENT_PID=13
      $ docker exec --env DISPLAY=:0 --env SSH_AGENT_PID=13 --env SSH_ASKPASS=/opt/jenkins/workspace/Sandbox_docker-pipeline@tmp/askpass_6709419299403318668.sh --env SSH_AUTH_SOCK=/tmp/ssh-CaYoKcuPb9/agent.9 --env SSH_PASSPHRASE=<PASSPHRASE IS LEAKED HERE> 88c5c9ea7ea37cfdf94eeba5d4a182d0875c98514f771cef92e7eeeb387e6609 ssh-add /opt/jenkins/workspace/Sandbox_docker-pipeline@tmp/private_key_4011413557271869125.key
      Identity added: /opt/jenkins/workspace/Sandbox_docker-pipeline@tmp/private_key_4011413557271869125.key (/opt/jenkins/workspace/Sandbox_docker-pipeline@tmp/private_key_4011413557271869125.key)
      [ssh-agent] Started.
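
An added example, not part of the original report or of the plugin's code: a console-log scrubber that finds and masks secret values passed as `--env NAME=value` on echoed `docker exec` lines like the one above. The sensitive-name pattern, the function names and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: variable names containing these words carry secret values.
# SSH_ASKPASS (a script path) and SSH_AUTH_SOCK must not match.
SENSITIVE_NAME = re.compile(r"PASSPHRASE|PASSWORD|PASSWD|SECRET|TOKEN", re.I)

# Matches `--env NAME=value`, `--env=NAME=value` and `-e NAME=value`;
# the value may be single-quoted, double-quoted or a bare word.
ENV_ARG = re.compile(
    r"""(?P<flag>(?<!\S)(?:--env[ =]|-e\ ))
        (?P<name>[A-Za-z_][A-Za-z0-9_]*)=
        (?P<value>'[^']*'|"[^"]*"|\S*)""",
    re.X,
)


def scrub_line(line):
    """Return (redacted_line, leaked_names) for one console-log line."""
    leaked = []

    def redact(m):
        # Only mask non-empty values of variables whose name looks secret.
        if m.group("value") and SENSITIVE_NAME.search(m.group("name")):
            leaked.append(m.group("name"))
            return f"{m.group('flag')}{m.group('name')}=****"
        return m.group(0)

    # Assumption: only echoed docker command lines ("$ docker ...") are scanned.
    if not line.lstrip().startswith("$ docker "):
        return line, leaked
    return ENV_ARG.sub(redact, line), leaked


def scrub_log(text):
    """Redact a whole log; return (redacted_text, [(line_no, name), ...])."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        clean, names = scrub_line(line)
        out.append(clean)
        findings += [(no, name) for name in names]
    return "\n".join(out), findings


# Constructed sample in the format of the log above; the secret value is made up.
SAMPLE = """\
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ docker exec 0123abcd ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-x/agent.9
$ docker exec --env DISPLAY=:0 --env SSH_ASKPASS=/tmp/askpass.sh --env SSH_AUTH_SOCK=/tmp/ssh-x/agent.9 --env SSH_PASSPHRASE=constructed-secret 0123abcd ssh-add /tmp/key
"""
```

Running `scrub_log` over stored console logs both lists the builds that need their credentials rotated and produces a copy that is safe to share.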
      

       


            People

            • Assignee:
              Unassigned
              Reporter:
              jouve Cyril Jouve
