Jesse Glick
created JENKINS-25194
Private key with passphrase does not seem to work
Issue Type:
Bug
Assignee:
Nicolas De Loof
Components:
git-client
Created:
17/Oct/14 1:46 PM
Description:
I have been unable to get CliGitAPIImpl to work with a private key with passphrase on a Linux slave to connect to a nonpublic Git repository. (Selecting the option to load from the default location, ~/.ssh/id_dsa.) I always get
Permission denied (publickey).
I verified that GIT_SSH and SSH_ASKPASS are being set and that the files they point to have the expected contents (by patching the plugin to not delete these files in its finally block). Indeed when I log in to the slave, set these variables to the same files, and run git clone repo, it works fine.
If I set the job to use JGit rather than CLI git, it also works fine, so I do not think I am just using the wrong credentials.
I also tested with a private key (specific file on master) with no passphrase. This worked fine (with both JGit and CLI).
I thought one explanation was that ssh thought it was running from a terminal (even though it should not be) and so ignored SSH_ASKPASS. Indeed to interactively verify the GIT_SSH / SSH_ASKPASS combination you have to prefix the git command with setsid if you want the passphrase script to be consulted. But I see the same problem even when I patch the plugin to prefix all git commands with setsid.
So https://github.com/jenkinsci/git-client-plugin/commit/4b4d59d29894ac6eccab969561d2df5207a88f60 is not working for me, for unknown reasons. Whether or not it is working for others, I would suggest a simplifying change to CliGitAPIImpl: rather than relying on SSH_ASKPASS, decrypt the private key in Java code (I think there is code for this in one of the libraries available to this plugin) and save that to the keyfile.
Note that GitPluginTest in acceptance-test-harness does not seem to test passphrases. (Nor does it test private keys that are not entered directly but loaded from a file on master, another important use case.)
Project:
Jenkins
Labels:
ssh
Priority:
Major
Reporter:
Jesse Glick
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
--
You received this message because you are subscribed to the Google Groups Jenkins Issues group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.