[JIRA] (JENKINS-50181) ssh-agent/ssh-credentials-plugin failing because ssh-add expects a newline in the keyfile


john.jones@unifilabs.com (JIRA)

Mar 14, 2018, 9:23:02 PM
to jenkinsc...@googlegroups.com
John Jones created an issue
 
Jenkins / Bug JENKINS-50181
ssh-agent/ssh-credentials-plugin failing because ssh-add expects a newline in the keyfile
Issue Type: Bug
Assignee: Devin Nusbaum
Components: ssh-agent-plugin, ssh-credentials-plugin
Created: 2018-03-15 01:22
Environment: Ubuntu 16.04
openssh-client 1:7.2p2-4ubuntu2.4
Jenkins 2.111
SSH Agent Plugin 1.15
SSH Credentials Plugin 1.13

java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
Priority: Minor
Reporter: John Jones

Repro:

  • Add Credentials
      - set Kind to "SSH Username with private key"
      - tick "enter directly"
      - paste a password-less private key without a trailing newline
  • Attempt to use credentials (I used ssh-agent from a Jenkinsfile)
  • Observe that ssh-add will prompt for a passphrase in the logs and the ssh-add has failed.

The relevant part of my logs looked like this:

```
[Pipeline] sshagent
[ssh-agent] Using credentials jenkins (Github SSH key)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-rEGjLSRTHULl/agent.3927
SSH_AGENT_PID=3929
[ssh-agent] started an agent
$ ssh-add /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key
Enter passphrase for /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key: [Pipeline] // sshagent
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Failed to run ssh-add
Finished: FAILURE

```

Adding the trailing newline to input in the web-ui resolves this issue. Adding multiple newlines didn't seem to have any adverse effect so Jenkins should probably just add a newline when it writes the keyfile.

 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

dnusbaum@cloudbees.com (JIRA)

Mar 15, 2018, 9:42:02 AM
to jenkinsc...@googlegroups.com

Adding multiple newlines didn't seem to have any adverse effect so Jenkins should probably just add a newline when it writes the keyfile.

Sounds reasonable to me, although probably a newline should only be added if there isn't one already. Feel free to submit a pull request to the repository (ideally with a regression test); here is the class that I think would need to be modified.

dnusbaum@cloudbees.com (JIRA)

Mar 15, 2018, 9:49:01 AM
to jenkinsc...@googlegroups.com
Devin Nusbaum edited a comment on Bug JENKINS-50181
Thanks for reporting the issue!
{quote}
Adding multiple newlines didn't seem to have any adverse effect so Jenkins should probably just add a newline when it writes the keyfile.
{quote}
Sounds reasonable to me, although probably a newline should only be added if there isn't one already so that resaving the credentials doesn't keep adding newlines. Feel free to submit a pull request to the [repository|https://github.com/jenkinsci/ssh-credentials-plugin] (ideally with a regression test); [here|https://github.com/jenkinsci/ssh-credentials-plugin/blob/822ece754b1e4c209b6ce471903088882bf17f1c/src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java#L309] is the class that I think would need to be modified.
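
Added example (not part of the original thread and not the plugin's code): a shell sketch of the "add a newline only if there isn't one already" behaviour discussed above, together with a check of a key file's final byte. The function names and the placeholder file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inspect and normalise the end of a key file.
# Function names are hypothetical; nothing here comes from the plugin.

# last_byte_hex FILE -> prints the final byte as two hex digits
# (prints nothing for an empty file)
last_byte_hex() {
    tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# ends_with_newline FILE -> exit status 0 if the final byte is LF (0x0a)
ends_with_newline() {
    [ "$(last_byte_hex "$1")" = "0a" ]
}

# ensure_trailing_newline FILE
# Appends exactly one LF, and only when it is missing, so repeated runs
# (like re-saving a credential) never accumulate newlines. Appending with
# >> leaves the file's existing permissions untouched.
ensure_trailing_newline() {
    [ -s "$1" ] || return 1      # refuse empty or missing files
    ends_with_newline "$1" || printf '\n' >> "$1"
}

# Constructed sample: placeholder text standing in for a key, written
# without a final LF. It is not real key material.
demo=$(mktemp)
printf '%s\n%s' '-----BEGIN PLACEHOLDER-----' '-----END PLACEHOLDER-----' > "$demo"
before=$(wc -c < "$demo")
ensure_trailing_newline "$demo"
ensure_trailing_newline "$demo"  # second call changes nothing
after=$(wc -c < "$demo")
echo "bytes before=$((before)) after=$((after)) last=$(last_byte_hex "$demo")"
rm -f "$demo"
```

Running `last_byte_hex` against the temporary `private_key_*.key` file that the build writes shows whether the newline survived the trip from the stored credential to disk.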

john.jones@unifilabs.com (JIRA)

Mar 16, 2018, 5:40:02 PM
to jenkinsc...@googlegroups.com

ellen.tushar@hibu.com (JIRA)

Jun 4, 2019, 11:20:06 AM
to jenkinsc...@googlegroups.com

I've tried adding a new line after the private key to no avail. I've also tried adding a few lines and a # sign on one line. I still get the ssh-add error about the passphrase.

Jenkins 2.164.3, SSH-agent 1.17 SSH-credentials 1.16

After downgrading these plugins, I'm able to use the credentials with the trailing new line.

SSH-agent 1.13  SSH-credentials 1.12

Has anyone been able to use the trailing new line trick with these plugin versions?  SSH-agent 1.17 SSH-credentials 1.16


john.jones@unifilabs.com (JIRA)

Jun 5, 2019, 2:46:02 PM
to jenkinsc...@googlegroups.com
John Jones updated an issue
 
Change By: John Jones
Repro:
- Add Credentials

  - set Kind to "SSH Username with private key"
  - tick "enter directly"
  - paste a password-less private key without a trailing newline
- Attempt to use credentials (I used ssh-agent from a Jenkinsfile)
- Observe that ssh-add will prompt for a passphrase in the logs and the ssh-add has failed.


The relevant part of my logs looked like this:

```
[Pipeline] sshagent
[ssh-agent] Using credentials jenkins (Github SSH key)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-rEGjLSRTHULl/agent.3927
SSH_AGENT_PID=3929
[ssh-agent] started an agent
$ ssh-add /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key
Enter passphrase for /var/lib/jenkins/workspace/job@tmp/private_key_2980200938951827942.key: [Pipeline] // sshagent
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Failed to run ssh-add
Finished: FAILURE

```

Adding the trailing newline to input in the web-ui resolves this issue. Adding multiple newlines didn't seem to have any adverse effect so Jenkins should probably just add a newline when it writes the keyfile.

boards@gmail.com (JIRA)

Jul 10, 2019, 12:58:04 PM
to jenkinsc...@googlegroups.com

boards@gmail.com (JIRA)

Jul 10, 2019, 2:31:02 PM
to jenkinsc...@googlegroups.com
 

Released in 1.17.1.

Change By: Matt Sicker
Status: Fixed but Unreleased → Resolved
Released As: ssh-credentials-1.17.1

radek.antoniuk@quiddia.com (JIRA)

Sep 17, 2019, 7:06:02 AM
to jenkinsc...@googlegroups.com
Radek Antoniuk commented on Bug JENKINS-50181
 
Re: ssh-agent/ssh-credentials-plugin failing because ssh-add expects a newline in the keyfile

Matt Sicker I am still experiencing this issue with ssh-credentials-plugin 1.17.2 / Jenkins 2.176.2, can this be re-opened?

When I paste an SSH key without a password and without a newline after ----END OPENSSH PRIVATE KEY----, I am getting this:

```
[EnvInject] - Loading node environment variables.
Building in workspace /opt/jenkins/workspace/tests/testssh
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-LjVbJNMcagCy/agent.130927
SSH_AGENT_PID=130929
[ssh-agent] Started.
Running ssh-add (command line suppressed)
Enter passphrase for /opt/jenkins/workspace/tests/testssh@tmp/private_key_4661922093191141579.key: ERROR: Failed to run ssh-add
Finished: FAILURE
```

When I update the key and put a newline, it works fine:

```
Building in workspace /opt/jenkins/workspace/tests/testssh
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-LHBjsdVD6N7X/agent.130956
SSH_AGENT_PID=130958
[ssh-agent] Started.
Running ssh-add (command line suppressed)
Identity added: /opt/jenkins/workspace/tests/testssh@tmp/private_key_1585458568929474760.key (SSH CI key)
[ssh-agent] Using credentials jenkins (SSH key used for Tomcat restarts)
[testssh] $ /bin/sh -xe /tmp/jenkins2172743275862346783.sh
+ hostname
ci
$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 130958 killed;
[ssh-agent] Stopped.
Finished: SUCCESS
```

boards@gmail.com (JIRA)

Sep 17, 2019, 11:38:04 AM
to jenkinsc...@googlegroups.com

Is that a separate issue? And can you reproduce this with a unit test? See the original PR for example.

radek.antoniuk@quiddia.com (JIRA)

Sep 17, 2019, 11:47:02 AM
to jenkinsc...@googlegroups.com

OK, I debugged it a little and I think I know what the problem is:
even though I modified the ssh-credentials plugin to save with a newline, it still didn't work for me.
It turns out that the ssh-agent plugin that writes the private key to the file, strips it out of the newline. Then... ssh-add asks for a password. When I add a newline, it adds it to the agent fine. The question is now, what is stripping this private key...

radek.antoniuk@quiddia.com (JIRA)

Sep 17, 2019, 11:48:02 AM
to jenkinsc...@googlegroups.com
Radek Antoniuk edited a comment on Bug JENKINS-50181
OK, I debugged it a little and I think I know what the problem is:
even though I modified the ssh-credentials plugin to save with a newline, it still didn't work for me.
It turns out that the ssh-agent plugin that writes the private key to the file, strips it out of the newline. Then... ssh-add asks for a password. When I add a newline, it adds it to the agent fine. The question is now, what is stripping this private key newline ... I'll continue to debug but any hints appreciated.

terracotapz@gmail.com (JIRA)

Dec 16, 2019, 11:28:03 AM
to jenkinsc...@googlegroups.com

I'm having the same issue as initially described (it seems ssh-add prompts for passphrase and fails), but workaround of adding newline in credentials' key does not solve it.

Versions:

  • Jenkins 2.190.3
  • "ssh agent" plugin 1.17
  • "ssh credentials" plugin 1.18

Logs:
```
[ssh-agent] Using credentials testcreds
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-HmEucFexUrOg/agent.19128
SSH_AGENT_PID=19129
Running ssh-add (command line suppressed)
Enter passphrase for /opt/jenkins/workspace/roduct-service-read-build_master@tmp/private_key_1675109103121607963.key: [Pipeline] // sshagent
[Pipeline] }
[Pipeline] // stage
```

terracotapz@gmail.com (JIRA)

Dec 17, 2019, 6:37:04 AM
to jenkinsc...@googlegroups.com

UPDATE

I'm not having the issue anymore, it was my fault:
