[JENKINS-66851] Publish over SSH plugin not using Jenkins credentials for providing username, key and passphrase #70

Open
jira-importer opened this issue Oct 11, 2021 · 12 comments

Comments

@jira-importer
Collaborator

As the summary says, the Publish over SSH plugin still uses custom fields for providing the username, private key and passphrase instead of a credentials selector. This also makes it necessary to put variables into JCasC files instead of a credentials ID which undermines security (because that variable has to be set somewhere).

Please fix.


Originally reported by dhs, imported from: Publish over SSH plugin not using Jenkins credentials for providing username, key and passphrase
  • status: Open
  • priority: Major
  • resolution: Unresolved
  • imported: 2022/01/10
@jira-importer
Collaborator Author

JIRAUSER140920:

Can anyone tell, has this issue been fixed?

@markuschen

No changes here with latest version 1.24

@ttodua

ttodua commented Mar 21, 2022

Hi @markuschen can this be considered as an important security matter? Should we refrain from installing this plugin until update is applied?

@markuschen

This is a feature enhancement, not an explicit security problem. All known security-related issues were solved in the last two releases.

@proski

proski commented May 25, 2022

It's a duplicate of #177.
I tried wrapping sshPublisher in sshagent as a workaround, but I'm getting "Auth Fail".
I don't think sshagent is a good workaround anyway, it's better to have precise control which credential is used.
@ttodua: The answer depends on your tolerance to having credentials configured in multiple places.

@dhs-rec

dhs-rec commented May 27, 2022

@proski, could you please elaborate why you don't have precise control which credential is used with ssh-agent? As far as I can see you add exactly the credential(s) you want to the agent. How can this not be precise?

@proski

proski commented Jan 13, 2023

I believe that using sshagent doesn't prevent ssh from using other private keys.

@dhs-rec

dhs-rec commented Jan 16, 2023

Of course not, but that's not a problem of ssh-agent. However, which keys are effective can be precisely controlled by adding them to the user's authorized_keys file on the remote side. So you have precise control.

@Isegrimm

Any update on this? Just for my understanding, somewhere between versions 1.21 and 1.25 the Jenkins credential provider is not used anymore, requiring credentials to be entered directly in the 'Publish over SSH' configuration, right?

This issue is the only information I have found that's related to my problem. We have an existing Jenkins instance running 1.21 which runs this plugin with a stored Global credential just fine, and a new Jenkins instance running 1.25 with the same setup, on which the plugin fails to connect, unless I enter the key in the Publish over SSH config.

Is this a feature or a bug?

@dhs-rec

dhs-rec commented Jul 22, 2024

This is of course a bug.

@Isegrimm

Thanks for your reply @dhs-rec.
Seeing that the bug was reported more than 2 years ago, this will probably mean it will not be fixed soon, so I'd better configure the key on each node individually.

@gmcdonald
Contributor

Hi All, I aim to take a look at some issues soon and look towards a new release, but it would be great if anyone would PR some of these issues to make it easier.
