
Git ssh private key binding (GSoC-21)

Open arpoch opened this issue 4 years ago • 8 comments

JENKINS-28335 - Add Git Credentials binding for SSH Private Key

The gitSshPrivateKey implementation provides git authentication support over the SSH protocol using a user's private key and passphrase credentials. The binding uses one of two git-specific environment variables, depending on the minimum CLI git version:

  • GIT_SSH_COMMAND - If the version is greater than 2.3, the GIT_SSH_COMMAND environment variable provides the ssh command including the necessary options, which are the path to the private key and host key checking, to authenticate and connect to the git server without using an executable script.

  • SSH_ASKPASS - If the version is less than 2.3, an executable script is attached to the variable which provides the ssh command including the necessary options, which are the path to the private key and host key checking, to authenticate and connect to the git server.

Please refer to the project page for more details: https://www.jenkins.io/projects/gsoc/2021/projects/git-credentials-binding/

Checklist

  • [x] I have read the CONTRIBUTING doc
  • [x] I have referenced the Jira issue related to my changes in one or more commit messages
  • [x] Unit tests pass locally with my changes
  • [x] No Javadoc warnings were introduced with my changes
  • [x] No spotbugs warnings were introduced with my changes
  • [x] Documentation in README has been updated as necessary
  • [x] Online help has been added and reviewed for any new or modified fields
  • [x] I have interactively tested my changes
  • [x] Any dependent changes have been merged and published in upstream modules (like git-client-plugin)

Types of changes

  • [x] New feature (non-breaking change which adds functionality)

arpoch, Jul 23 '21 18:07
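As an added example (not code from this PR or the git-plugin), here is the version gate and ssh invocation the description sketches, in Python. The path to the key and the known_hosts file are assumed inputs; the older-git branch writes the wrapper script the description mentions and exports it through GIT_SSH, the variable git reads for a replacement ssh program, and both branches add IdentitiesOnly, BatchMode and strict host key checking as assumed hardening options.

```python
"""Added example: compose the git SSH environment, gated on the CLI git version.
Paths are shell-quoted because GIT_SSH_COMMAND is parsed by a shell."""
import os
import re
import shlex
import stat
import tempfile

MIN_GIT_SSH_COMMAND = (2, 3)  # GIT_SSH_COMMAND is honoured from git 2.3 onwards


def parse_git_version(banner):
    """'git version 2.30.2' or '2.3' -> (2, 30, 2); raises on unrecognised input."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("unrecognised git version: %r" % banner)
    return tuple(int(p) for p in m.group(1).split("."))


def ssh_command(key_path, known_hosts_path):
    """ssh invocation that uses only the bound key and a job-private known_hosts,
    refuses unknown host keys and never prompts (assumed hardening options)."""
    return " ".join([
        "ssh",
        "-i", shlex.quote(key_path),                 # quoted: path may contain spaces
        "-o", "IdentitiesOnly=yes",                  # ignore agent / default keys
        "-o", "UserKnownHostsFile=" + shlex.quote(known_hosts_path),
        "-o", "StrictHostKeyChecking=yes",           # no trust-on-first-use
        "-o", "BatchMode=yes",                       # fail instead of prompting
    ])


def git_ssh_env(version_banner, key_path, known_hosts_path, script_dir=None):
    """Return (env vars to export for git, wrapper script path or None)."""
    cmd = ssh_command(key_path, known_hosts_path)
    if parse_git_version(version_banner) >= MIN_GIT_SSH_COMMAND:
        return {"GIT_SSH_COMMAND": cmd}, None
    # Older git: GIT_SSH must name a program, so write an executable wrapper
    # that forwards git's "host command" arguments to the same ssh invocation.
    script_dir = script_dir or tempfile.mkdtemp(prefix="git-ssh-")
    wrapper = os.path.join(script_dir, "ssh-wrapper.sh")
    with open(wrapper, "w") as fh:
        fh.write("#!/bin/sh\nexec %s \"$@\"\n" % cmd)
    os.chmod(wrapper, stat.S_IRWXU)  # 0700: owner-only, like the key it names
    return {"GIT_SSH": wrapper}, wrapper
```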

Following https://issues.jenkins.io/browse/JENKINS-25389?focusedCommentId=411946&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-411946, I tried to use this patch to pull/push (git@github.com:Cosium/sand-box.git) via a shell build step:

  touch "$BUILD_ID.txt"
  git add "$BUILD_ID.txt"
  git commit -am "Add $BUILD_ID.txt"
  git tag "$BUILD_ID"
  git pull origin master
  git push origin master --tags

It fails with:

  + git pull origin master
  fatal: remote error: 
    Cosium/sand-box.git' git@github.com git-upload-pack 'Cosium/sand-box is not a valid repository name
    Visit https://support.github.com/ for help

This error is certainly caused by Git SSH Private Key because without it, I have a crystal clear authentication failure.

reda-alaoui, Aug 02 '21 19:08

This error is certainly caused by Git SSH Private Key because without it, I have a crystal clear authentication failure.

Thanks for testing the binding and getting involved. Mentors and I are using the git plugin's git chat actively for discussion over the git credentials binding, so feel free to join us.
Coming to the SSH binding, the issue you reported seems reasonable to me because the patch you used depends on the sshj library to perform decryption of OpenSSH formatted private keys, and during my testing it failed for encrypted keys using OpenSSH formatted RSA. Since I am not aware of the encryption algorithm or system environment used to perform the git auth operation, I am unable to say much about why it failed. I have pushed some commits and those are passing the interactive testing on my system for the following formats and encryption algorithms:

  • OpenSSH Format
    • RSA (encrypted)
    • ECDSA (encrypted)
    • ED25519 (encrypted)
  • PKCS#8 Format
    • RSA (encrypted)
    • ECDSA (encrypted)

To carry out the decryption operation I am now using the Apache sshd-core library, which is a transitive dependency coming from the Jenkins sshd-plugin; to support this, the Jenkins version in git-plugin had to be bumped to 2.289.1.

arpoch, Aug 04 '21 19:08

The failure of GitSCMTest.testBasicRemotePoll is unrelated to the credentials binding changes and seems to be unrelated to any change in this pull request except the upgrade of jenkins.version from 2.263.1 to 2.289.1.

When I check out the master branch, modify jenkins.version in pom.xml to 2.289.1 and run the test, it fails with the same message. It appears there is a change in 2.289.1 that causes the token macro plugin to be unable to load due to an illegal state exception from ASM.

MarkEWaite, Aug 09 '21 23:08

Ensure you update token macro to the latest version / update the bom and that will fix it.

timja, Aug 10 '21 06:08

@MarkEWaite, Tim is right. I explicitly defined the version of the token macro plugin as 2.15 and changed the dependency from sshd-core to sshd-server (to remove the dependence on the CLI copy of sshd); the failing test testBasicRemotePoll passed and the SSH binding worked as well, but I got a log message while running the plugin: WARNING hudson.ExtensionFinder$Sezpoz#scout: Failed to scout org.jenkinsci.plugins.gitserver.ssh.SshCommandFactoryImpl.

arpoch, Aug 10 '21 07:08

Not to nag the obvious, but it's Summer 2022; are any "Summer of Code 2022" students going to be assigned to complete this? We could really use this functionality in our Jenkins pipelines managing repos using ssh-keys in .gitmodules.

jimlindeman, Jun 22 '22 19:06

Not to nag the obvious, but it's Summer 2022; are any "Summer of Code 2022" students going to be assigned to complete this? We could really use this functionality in our Jenkins pipelines managing repos using ssh-keys in .gitmodules.

No summer of code plan was received that proposed to complete it. You're welcome to test the implementation in your environment based on the build results from the build job on https://ci.jenkins.io/job/Plugins/job/git-plugin/job/PR-1111/

You can also achieve almost the same result for ssh private keys by using the ssh-agent plugin to wrap the shell, bat, and powershell steps with an ssh agent that provides the private key as a credential.

MarkEWaite, Jun 22 '22 20:06

FYI, I found the ssh-agent plugin by itself doesn't configure the GitHub host public SSH key in known_hosts, and that will cause the git commands to hang until it is configured in there. For reference for others, I got it working with:

  withCredentials([sshUserPrivateKey(credentialsId: 'sample_ssh_privatekey', keyFileVariable: 'KEYFILE')]) {
    // Point ssh at the bound key for this host. $KEYFILE is expanded by the
    // shell from the environment (single-quoted Groovy string), so the key
    // path never appears in the pipeline source or the Groovy interpolation log.
    sh 'mkdir -p ~/.ssh'
    sh 'echo "Host github.ibm.com" >> ~/.ssh/config'
    sh 'echo "    Hostname github.ibm.com" >>  ~/.ssh/config'
    sh 'echo "    User git" >> ~/.ssh/config'
    sh 'echo "    IdentityFile $KEYFILE" >> ~/.ssh/config'
    // Drop any stale entry, then record the host key as presented right now.
    // ssh-keyscan trusts whatever key the network returns (trust on first use);
    // pin a known-good key instead if the path to the server is not trusted.
    sh 'touch ~/.ssh/known_hosts'
    sh 'ssh-keygen -R github.ibm.com'
    sh 'ssh-keyscan -H github.ibm.com >> ~/.ssh/known_hosts'
    sh 'git submodule update --init --recursive'
  }

(Note this was IBM's internal GitHub, but it is the same concept with whatever the GitHub URL is.)

jimlindeman, Jun 23 '22 01:06