Viewing the public key for an SSH PKI credential?


Jason Pyeron

May 26, 2020, 1:35:48 PM
to jenkins...@googlegroups.com

For a given existing credential, how can an authorized keys entry be extracted from Jenkins? (It is easy to do (in Java, openssl, ssh-keygen, etc.) if you know the private key.)

 

TL;DR

 

Take the following ssh-key being added to Jenkins:

 

$ ssh-keygen.exe -f /tmp/jenkins-issue -t rsa -N '' -C jenkins-issue@hostname
Generating public/private rsa key pair.
Your identification has been saved in /tmp/jenkins-issue
Your public key has been saved in /tmp/jenkins-issue.pub
The key fingerprint is:
SHA256:NDX21mT0Fp47rDryohouLU88iMAtS6K5enLLHO0PuUE jenkins-issue@hostname
The key's randomart image is:
+---[RSA 3072]----+
|          +  .+. |
|         o o +..o|
|        o   o .oo|
|. .    . . .  ...|
|o+ .E   S      + |
|=.+oo.        . .|
|oo..*=       .   |
|.+o=o=o  o ..    |
|+++.*=o.. +o.    |
+----[SHA256]-----+

 

$ cat /tmp/jenkins-issue


 

$ cat /tmp/jenkins-issue.pub

ssh-rsa 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 jenkins-issue@hostname

 

It can be added to Jenkins like so:

 


 

Which then shows up as:

 

 

This screen does not show the public key for a job author / node administrator to add to the authorized_keys, etc.

 

Drilling in to the detail by clicking on the entry takes you to another screen:

 

 

But this screen does not have the public key either.

 

Choosing update shows us the configuration, less the private key:

 

 

Still no public key. Now this screen may be restricted more than those who need the public key have access to. But if you could get here, and could see the private key, you could regenerate the public key from the private key.

 

The only workaround, known to me, is to put the public key in the description at the time of import.

 

 

This has a quite annoying drawback – it puts a horizontal scroll bar on every screen where the credential is mentioned or used. This makes configuring jobs fragile when controls are pushed outside of the normal UI limits.

 

v/r,

 

JAson

 

--

Jason Pyeron  | Architect

PD Inc        |

10 w 24th St  |

Baltimore, MD |

 

.mil: jason.j.p...@mail.mil

.com: jpy...@pdinc.us

tel : 202-741-9397
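
Added example, not part of the original post and not Jenkins or OpenSSH code: a key file in the OpenSSH private key format (`-----BEGIN OPENSSH PRIVATE KEY-----`) carries its public key blob outside the encrypted section, so an authorized_keys line and SHA256 fingerprint can be read from it without decrypting anything. The names `public_entries` and `constructed_sample` are hypothetical, and the sample container is synthetic (made-up key bytes, filler private section).

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _read(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes); return (data, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key data")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(data):
    return struct.pack(">I", len(data)) + data

def public_entries(key_text, comment=""):
    """Return [(authorized_keys line, SHA256 fingerprint)] for each key in the file."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    for _ in range(3):                      # skip ciphername, kdfname, kdfoptions
        _, off = _read(raw, off)
    (count,) = struct.unpack_from(">I", raw, off)
    off += 4
    entries = []
    for _ in range(count):
        blob, off = _read(raw, off)         # public key blob, never encrypted
        key_type, _ = _read(blob, 0)
        b64 = base64.b64encode(blob).decode()
        line = " ".join(p for p in (key_type.decode(), b64, comment) if p)
        digest = hashlib.sha256(blob).digest()
        entries.append((line, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")))
    return entries

def constructed_sample():
    """Constructed container: made-up ed25519 public blob, filler for the private part."""
    pub = _pack(b"ssh-ed25519") + _pack(bytes(range(32)))
    body = (MAGIC + _pack(b"aes256-ctr") + _pack(b"bcrypt") + _pack(b"\0" * 24)
            + struct.pack(">I", 1) + _pack(pub) + _pack(b"\xaa" * 48))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return pub, f"{BEGIN}\n{wrapped}\n{END}\n"
```

Older PEM files (`-----BEGIN RSA PRIVATE KEY-----`) do not store a separate public blob; the parser rejects them, and the public key has to be derived from the private parameters instead.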

 

 


Ivan Fernandez Calvo

May 27, 2020, 12:46:58 PM
to Jenkins Users
You can do Groovy magic on the Jenkins console, grab the credential, and extract the public key, but that sounds odd. But this pipeline does the job for any credential, and it is easy :D

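pipeline {
   agent any
   parameters {
      // Lets the person starting the build pick an SSH username/private-key credential
      credentials credentialType: 'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey', defaultValue: '', description: '', name: 'credential', required: true
   }
   stages {
      stage('Hello') {
         steps {
            // Load the selected key into a temporary ssh-agent
            sshagent([params.credential]) {
               // ssh-add -L prints the public key of every identity held by the agent
               sh 'ssh-add -L'
            }
         }
      }
   }
}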

Jason Pyeron

May 27, 2020, 2:14:33 PM
to jenkins...@googlegroups.com

Thanks, I am going to look at JENKINS-60215, and see if I can patch it.

 
