Also as I am working through code could I might have missed judged the dependence of the git credential binding on git-client/git plugin as in some cases the git credential binding could use the functionality provided by git-client plugin. So it's to soon to make any assumption.
Hi,
@rishabhBudhouliya, @justinharringa, @MarkEWaite, from our pervious meeting I have been working on the ssh binding impl, although am I close to the solution but some work is required. Meet you all soon.
Also the Bouncycastel API provides support for PEM format and the OPENSSH now generates key in its proprietary format so, the user should convert the key to PEM format first only then the auth process could start else it will return invalid format.
@rishabhBudhouliya, @justinharringa, @MarkEWaite, from our pervious meeting I have been working on the ssh binding impl, although am I close to the solution but some work is required. Meet you all soon.
Also the Bouncycastel API provides support for PEM format and the OPENSSH now generates key in its proprietary format so, the user should convert the key to PEM format first only then the auth process could start else it will return invalid format.
Hi,
@MarkEWaite, @rishabhBudhouliya, @justinharringa, I have configured my dev-env so now I have Centos 7.9.2009(core), Ubuntu 20.04(lts), Windows 10 Pro(version 1909 and updating) and the git versions are 1.8.3.1, 2.25.1, and 2.26.0 respectively, will update Ubuntu git to test for
Now coming to the SSH binding, as @MarkEWaite we discussed in the previous meeting about the new format used by openssh by default to generate private encryption key and using the bouncycastle api to convert the key first into PEM format and then decrypting the key if protected by passphrase. Well till now what I have learnt is that, to create a PEMEncodable object to be used by bouncy-castle api we require an object of type Key or Keypair for our case but the since the ssh-credential plugin providing the
I was also wondering if their is any mailing list or chat focused on bouncycastle plugin or encryption/cryptography for Jenkins plugin would be really helpful.
@MarkEWaite, @rishabhBudhouliya, @justinharringa, I have configured my dev-env so now I have Centos 7.9.2009(core), Ubuntu 20.04(lts), Windows 10 Pro(version 1909 and updating) and the git versions are 1.8.3.1, 2.25.1, and 2.26.0 respectively, will update Ubuntu git to test for
GIT_SSH_COMMAND variable. I guess this will be all for the dev setup required for the project.Now coming to the SSH binding, as @MarkEWaite we discussed in the previous meeting about the new format used by openssh by default to generate private encryption key and using the bouncycastle api to convert the key first into PEM format and then decrypting the key if protected by passphrase. Well till now what I have learnt is that, to create a PEMEncodable object to be used by bouncy-castle api we require an object of type Key or Keypair for our case but the since the ssh-credential plugin providing the
SSHUserPrivateKey interface, used for ssh binding only gives key in string format and it seem right as well because we not have any knowledge about which format and encryption algorithm was used when the key was provided. So keeping it short, we need to have bare minimum knowledge about the algorithm and format used, gone through the JCA api as well.I was also wondering if their is any mailing list or chat focused on bouncycastle plugin or encryption/cryptography for Jenkins plugin would be really helpful.
1 reply
Meeting for git credentials binding GSoC project at https://zoom.us/j/94585783361?pwd=UnJZbTNPVlhvUUxCck9FNG5xK29QUT09
I just wanted to share this and was hoping this could help @rishabhBudhouliya in his investigation as well , https://en.wikipedia.org/wiki/ASN.1 here if we look under the protocols using ASN.1 we could find both X.509 and PKCS but noting related to SSH, also if I am correct OpenSSH used the standard ASN.1 formats for private keys. Now, however, OpenSSH has its own private key format. So if we were to work on the conversion of the private key into PEM format following ASN.1 standard then I guess we needed to figure out how it's begin done by ssh-keygen but it just my assumption.
Hi, I'm trying to update the "Branches to build" configuration for an existing job programatically via the Jenkins CLI, I can see the config changes on disk, and the job appears to have updated when I click "Configure", but the "Git Polling Log" always shows the old branch name. From the CLI I have also tried "reload-job" & "reload-configuration" and have tried the "Reload Configuration from Disk" in the Jenkins UI without success. When I click "Build Now" it does update the branch correctly, that seems to be my only workaround. Is this expected behaviour?
3 replies
this bouncycastle version:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.68</version>
</dependency>
That is great news! I'm in the Zoom meeting now at https://zoom.us/j/94585783361?pwd=UnJZbTNPVlhvUUxCck9FNG5xK29QUT09
@MarkEWaite , @rishabhBudhouliya , @justinharringa, I am currently making all the necessary changes for the first
Also I think I have got a workaround for ssh credential binding but not sure about it yet, will update when explored further.
Also for the coding phase do I have to the push code on daily or weekly basis.
GitUsernamePasswrod binding PR. I have created two default environment variable binding i.e Git_Username and Git_Password, these won't be visible in pipeline snippet or modifiable by the user, just in case.Also I think I have got a workaround for ssh credential binding but not sure about it yet, will update when explored further.
Also for the coding phase do I have to the push code on daily or weekly basis.
@arpoch @MarkEWaite @justinharringa please take a look at an edit I've made on the OpenSSH keys decryption experiment: https://docs.google.com/document/d/1gZneYIDWrT5S-1ACG641wfvxs7vnDC0RCYqy-EuuhwY/edit?usp=sharing
@arpoch @MarkEWaite @justinharringa I think I have found a way to decode the SSH keys with passphrase and without passphrase using the
I have tested three cases:
sshj libraryI have tested three cases:
ssh-keygen -f ssh_keywith and without passphrase (the user does not specific an encryption algorithm)ssh-keygen -t rsa -f ssh_keyssh-keygen -t ED25519 -f ssh_key
I have been able to get the
I was looking at the Git Client Plugin and as per my understanding we provide the file locations of ssh private key and passphrase and then let git cli talk to ssh?
java.security.PrivateKey out of them. How do we want to consume them now?I was looking at the Git Client Plugin and as per my understanding we provide the file locations of ssh private key and passphrase and then let git cli talk to ssh?
The downside is that this is obviously not the BouncyCastle API and I am not sure about our reasons to stick with BouncyCastle.
sshj is the java implementation of ssh and it provides much more than just reading OpenSSH keys.
3 replies
Hello, we're trying to use the Jenkins Git plugin to clone a repo. Our SCM host requires jumping through an SSH proxy, so we've provided a config file to our agent that sets a ProxyCommand for the SCM host; Jenkins doesn't let us configure a ProxyCommand any other way that I can see.
Our proxy is an SSH host itself, so we need the SSH key for the ProxyCommand to work. We were hoping to use the SSH Agent plugin for this, but it doesn't seem to work. I wrote a wrapper script around git to dump the environment and run ssh-add -l, and I can see that the agent is set up in the environment and has our key, but e.g. the git fetch --tags ... command that Jenkins runs to fetch objects immediately fails as if the key is not present. If I set up the same scenario manually in a shell it works fine.
Is this a supported configuration? Should I be able to use the SSH agent plugin to provide the SSH key to Jenkins Git plugin?
3 replies
@justinharringa, @rishabhBudhouliya what are your thoughts on https://github.com/jenkinsci/git-client-plugin/pull/712#discussion_r648520322
2 replies
@rishabhBudhouliya, @justinharringa, I have committed some changes based on @rishabhBudhouliya sugesstions, Now I will be working on the testcases and if everything works as expected, will move to SSH binding by our next meeting.
Awesome news @arpoch ! I'm planning on giving these a better look in the next few days.
@justinharringa:matrix.org , @rishabhBudhouliya , regarding the GitTool impl, I have create this snippet
default String gitToolName(TaskListener listener) {
String requiredTool = "Default";
String actualTool = null;
GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredTool);
if (gitTool == null) {
listener.getLogger().println("Selected Git installation does not exist. Using Default");
gitTool = GitTool.getDefaultInstallation();
actualTool = gitTool.getName();
}
if (actualTool != null) {
if (actualTool.equalsIgnoreCase(requiredTool)) {
return actualTool;
}
}
try {
gitTool = gitTool.forNode(Jenkins.get(), listener);
actualTool = gitTool.getName();
} catch (IOException | InterruptedException e) {
listener.getLogger().println("Failed to get git tool");
}
return actualTool;
}I have some concerns related to this-
- The git tool to be used by default will be the one having the name
Defaultbut their is no assurance that path to Git executable is of cli git. - If their is not git tool with name
Defaultthen the first git tool will be used even if git cli exists - The name returned by this snippet will only be checked for
jgitandjgitapache, as these two implementations will always return same name.
I am assuming that there is way to get the user decided GitTool from the context where the credentials are working, if that is not the case please feel free to correct me.
1 reply
I changed the code, so now its
default String gitToolName(TaskListener listener) {
String requiredToolByName = "Default";
String actualToolByPath = null;
GitTool gitTool = Jenkins.get().getDescriptorByType(GitTool.DescriptorImpl.class).getInstallation(requiredToolByName);
if (gitTool == null) {
listener.getLogger().println("Selected Git installation does not exist. Using Default");
gitTool = GitTool.getDefaultInstallation();
}
if(gitTool!=null) {
try {
gitTool = gitTool.forNode(Jenkins.get(), listener);
actualToolByPath = FilenameUtils.getBaseName(gitTool.getGitExe());
} catch (IOException | InterruptedException e) {
listener.getLogger().println("Failed to get git tool");
}
}
return actualToolByPath;
}
I have created a commit regarding alot of changes today, things got messy in between and as of now some test are not passing I must have missed something, will be more care full next time. And will make the changes.
@rishabhBudhouliya, @justinharringa:matrix.org , @MarkEWaite , I will be mailing regarding my University exam dates.
@rishabhBudhouliya, @justinharringa:matrix.org , @MarkEWaite , I will be mailing regarding my University exam dates.
@arpochare you thinking just for this week or regularly?
1 reply
Do you just have a conflict at the beginning or end? Certainly want to make sure you get the time you need. 😀
Is 30 minutes sufficient for you or would it be better to move? I can take a look at the zoom tomorrow morning my time
Hey @MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya, found something interesting while working on test cases code, the script permissions wont be set using
chmod in windows so the the script will have default permission.
There are some requirements for specific permissions on private key files, even on Windows, but those specific permissions are set in the git client plugin code that writes the private key file before using it
Hey folks I may be a few minutes late but you should be able to join if so. Hoping to make it in on time though.
@MarkEWaite , @justinharringa:matrix.org , @rishabhBudhouliya, I have developed the code to solve the gitTool problem, just made a PR, although couldn't test using agents over ssh, but still pretty sure that it would work. I will make the documentation changes by this weeks end.