
SSH passphrase not escaped properly

Open fzakfeld opened this issue 2 years ago • 3 comments

Jenkins and plugins versions report

Environment
Jenkins: 2.401.3
OS: Linux - 5.15.0-79-generic
Java: 11.0.19 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ansible:253.v4fe719ffdd8a_
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
bootstrap5-api:5.3.0-1
bouncycastle-api:2.29
branch-api:2.1122.v09cb_8ea_8a_724
build-timeout:1.31
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.0
cloudbees-folder:6.848.ve3b_fd7839a_81
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-68.v0d0b_c439292b_
credentials:1271.v54b_1c2c6388a_
credentials-binding:631.v861c06d062b_4
display-url-api:2.3.9
durable-task:523.va_a_22cf15d5e0
echarts-api:5.4.0-5
email-ext:2.100
font-awesome-api:6.4.0-2
git:5.2.0
git-client:4.4.0
github:1.37.3
github-api:1.314-431.v78d72a_3fe4c3
github-branch-source:1732.v3f1889a_c475b_
gradle:2.8.2
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jjwt-api:0.11.5-77.v646c772fddb_0
jquery3-api:3.7.0-1
junit:1217.v4297208a_a_b_ce
ldap:694.vc02a_69c9787f
mailer:463.vedf8358e006b_
matrix-auth:3.1.10
matrix-project:808.v5a_b_5f56d6966
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
pipeline-build-step:505.v5f0844d8d126
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:671.v07c339c842e8
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
resource-disposer:0.23
scm-api:676.v886669a_199a_a_
script-security:1271.vdede89739a_81
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
structs:325.vcb_307d2a_2782
timestamper:1.26
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
workflow-aggregator:596.v8c21c963d92d
workflow-api:1259.vb_47f14fffc8a_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3769.v8b_e595e4d40d
workflow-durable-task-step:1284.v4fcd365b_75b_e
workflow-job:1326.ve643e00e9220
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:848.v5a_383b_d14921
ws-cleanup:0.45 

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04

Reproduction steps

Have a passphrase for an SSH key that contains special chars, like 7D%TgX`EnfgHkfv$H9qhfg84sZSQwT&LjH~ZEfghjkzn@^sYpR (not actually in use).

Expected Results

Should work as expected

Actual Results

2: Syntax error: EOF in backquote substitution

Anything else?

Jenkins will create a sh script in /tmp, like 'ssh8566695972573467306.sh'. This doesn't escape the user-provided SSH passphrase, so it fails as described above. This can be verified by calling it directly:

root@ansible02:~# ./ssh8566695972573467306.sh 
./ssh8566695972573467306.sh: 2: Syntax error: EOF in backquote substitution

fzakfeld avatar Aug 22 '23 09:08 fzakfeld
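
The failure reported above, reproduced as an added example; this is not the plugin's code or part of the original post. It assumes the generated script places the passphrase inside double quotes on line 2 (the page does not show the script's contents), and `sh_quote`, `write_unescaped` and `write_escaped` are hypothetical helpers.

```sh
#!/bin/sh
# Constructed sample: the passphrase quoted in the issue (stated as not in use).
PASSPHRASE='7D%TgX`EnfgHkfv$H9qhfg84sZSQwT&LjH~ZEfghjkzn@^sYpR'

# Quote a string for POSIX sh: wrap it in single quotes and rewrite every
# embedded ' as '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Assumed shape of the failing script: the secret is pasted between double
# quotes, where ` and $ are still interpreted by the shell.
write_unescaped() {
    printf '#!/bin/sh\necho "%s"\n' "$1" > "$2"
}

# Hardened form: the secret is emitted as one single-quoted word, so no
# character in it is interpreted when the script runs.
write_escaped() {
    printf '#!/bin/sh\nprintf "%%s\\n" %s\n' "$(sh_quote "$1")" > "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_unescaped "$PASSPHRASE" "$dir/unescaped.sh"
    write_escaped "$PASSPHRASE" "$dir/escaped.sh"

    # The lone backtick opens a command substitution that never closes,
    # so sh refuses to parse line 2.
    status=0
    sh "$dir/unescaped.sh" >/dev/null 2>&1 || status=$?
    echo "unescaped script exit status: $status"

    out=$(sh "$dir/escaped.sh")
    if [ "$out" = "$PASSPHRASE" ]; then
        echo "escaped script printed the passphrase unchanged"
    fi
    rm -rf "$dir"
}

demo
```
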

Can you show me how you are invoking the ansiblePlaybook step? Is it an SSH key with a passphrase or is it using sshpass?

If it is the first, I would expect this to work (the passphrase should be configured on the SSH credentials).

For the sshpass thing there was an attempt in https://github.com/jenkinsci/ansible-plugin/pull/85/files but it introduced a regression and was rolled back.

Without more automated testing I will not try to solve it again.

I'm also looking for more active maintainers to keep the plugin sane and free of bugs: https://groups.google.com/u/1/g/jenkinsci-dev/c/xiKhmhCBspw

Regards,

jonesbusy avatar Sep 05 '23 17:09 jonesbusy

Sorry forgot to mention this. I invoke the ansiblePlaybook with an SSH key and passphrase. The thing that is not escaped is the passphrase

fzakfeld avatar Sep 05 '23 20:09 fzakfeld

Sorry forgot to mention this. I invoke the ansiblePlaybook with an SSH key and passphrase. The thing that is not escaped is the passphrase

Does your passphrase have two consecutive dollar signs? For example:

pa$$word

If so, this is expected behaviour due to a combination of factors:

  1. Groovy's string interpolation
  2. $$ has a special meaning in Linux: it will be replaced with the value of your current shell's PID.

colshine1 avatar Oct 29 '23 20:10 colshine1