How does Jenkins Publish Over SSH store passphrases?
Problem
When I look in jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml I can see several entries that have secretPassphrase populated with a string 44 characters long. By using hudson.util.Secret.fromString in the /script tool, I can decrypt them and see that password. Fine so far.
However... I also have an entry there where the secretPassphrase is populated with a string only 24 characters long, which cannot be decrypted. Trying gets me an empty result, which is strange, because decrypting "asdfasdf" returns "asdfasdf". So there must be something special about this string which is preventing the decryption from working, or from returning the default. But deployments to this server work, so the passphrase is correct. But the secretPassphrase is NOT the actual password on the server.
Which means Jenkins must be using some other method of decrypting that passphrase, besides the standard hudson.util one. What is it? How can I recover this password?
Solution
According to the source code for the Publish Over SSH plugin, the passphrase is encrypted and decrypted using hudson.util.Secret, and the encrypted value is stored in the plugin's XML configuration file.
Supposedly there is ongoing work to switch to using Jenkins' built-in credentials store; however, I don't see any active pull requests for such a change.
Context
StackExchange DevOps Q#4306, answer score: 1
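An added example, not code from the original answer or from the plugin: a Python audit of a config file like the one in the question that classifies each secretPassphrase by its stored form and flags values that are not ciphertext at all. It assumes hudson.util.Secret emits base64 of AES output (multiples of 16 bytes, so 44 characters is 32 bytes and 24 characters is 16 bytes) and that newer Jenkins versions wrap the value in braces; the XML layout and values are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

AES_BLOCK = 16  # assumption: Secret ciphertext is AES output, a multiple of 16 bytes

def classify(value):
    """Return (kind, ciphertext_bytes) for one stored secretPassphrase string."""
    text = (value or "").strip()
    if not text:
        return ("empty", 0)
    braced = text.startswith("{") and text.endswith("}")  # assumed newer format
    body = text[1:-1] if braced else text
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return ("plaintext-fallback", 0)
    if braced and raw:
        return ("braced-ciphertext", len(raw))
    if raw and len(raw) % AES_BLOCK == 0:
        return ("legacy-ciphertext", len(raw))
    # Valid base64 but not block-aligned, so it cannot be AES output. The page
    # reports that such a string ("asdfasdf") comes back from decryption unchanged.
    return ("plaintext-fallback", 0)

def audit(xml_text):
    """Classify every secretPassphrase element, in document order."""
    root = ET.fromstring(xml_text)
    return [classify(el.text) for el in root.iter("secretPassphrase")]

def _b64(n):
    """Constructed stand-in for an n-byte ciphertext."""
    return base64.b64encode(bytes(range(n))).decode()

# Constructed sample: layout and values are made up; only the element name
# secretPassphrase is taken from the page.
SAMPLE_XML = f"""<config>
  <host><secretPassphrase>{_b64(32)}</secretPassphrase></host>
  <host><secretPassphrase>{_b64(16)}</secretPassphrase></host>
  <host><secretPassphrase>asdfasdf</secretPassphrase></host>
  <host><secretPassphrase>{{{_b64(48)}}}</secretPassphrase></host>
</config>"""

if __name__ == "__main__":
    for kind, size in audit(SAMPLE_XML):
        print(f"{kind:20} {size:3} ciphertext bytes")
```

Entries reported as plaintext-fallback are the ones to rotate and re-save first, since the file holds them unencrypted.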