SSH passphrase not escaped properly #115

Open
fzakfeld opened this issue Aug 22, 2023 · 3 comments


fzakfeld commented Aug 22, 2023

Jenkins and plugins versions report

Environment
Jenkins: 2.401.3
OS: Linux - 5.15.0-79-generic
Java: 11.0.19 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ansible:253.v4fe719ffdd8a_
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
bootstrap5-api:5.3.0-1
bouncycastle-api:2.29
branch-api:2.1122.v09cb_8ea_8a_724
build-timeout:1.31
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.0
cloudbees-folder:6.848.ve3b_fd7839a_81
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-68.v0d0b_c439292b_
credentials:1271.v54b_1c2c6388a_
credentials-binding:631.v861c06d062b_4
display-url-api:2.3.9
durable-task:523.va_a_22cf15d5e0
echarts-api:5.4.0-5
email-ext:2.100
font-awesome-api:6.4.0-2
git:5.2.0
git-client:4.4.0
github:1.37.3
github-api:1.314-431.v78d72a_3fe4c3
github-branch-source:1732.v3f1889a_c475b_
gradle:2.8.2
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jjwt-api:0.11.5-77.v646c772fddb_0
jquery3-api:3.7.0-1
junit:1217.v4297208a_a_b_ce
ldap:694.vc02a_69c9787f
mailer:463.vedf8358e006b_
matrix-auth:3.1.10
matrix-project:808.v5a_b_5f56d6966
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
pipeline-build-step:505.v5f0844d8d126
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:671.v07c339c842e8
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
resource-disposer:0.23
scm-api:676.v886669a_199a_a_
script-security:1271.vdede89739a_81
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
structs:325.vcb_307d2a_2782
timestamper:1.26
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
workflow-aggregator:596.v8c21c963d92d
workflow-api:1259.vb_47f14fffc8a_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3769.v8b_e595e4d40d
workflow-durable-task-step:1284.v4fcd365b_75b_e
workflow-job:1326.ve643e00e9220
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:848.v5a_383b_d14921
ws-cleanup:0.45 

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04

Reproduction steps

Have a passphrase for an SSH key that contains special chars, like 7D%TgX`EnfgHkfv$H9qhfg84sZSQwT&LjH~ZEfghjkzn@^sYpR (not actually in use).

Expected Results

Should work as expected

Actual Results

2: Syntax error: EOF in backquote substitution

Anything else?

Jenkins will create an sh script in /tmp, like 'ssh8566695972573467306.sh'. This doesn't escape the user-provided SSH passphrase, causing it to fail as described above. This can be verified by calling it directly:

root@ansible02:~# ./ssh8566695972573467306.sh 
./ssh8566695972573467306.sh: 2: Syntax error: EOF in backquote substitution

fzakfeld added the bug label Aug 22, 2023

@jonesbusy
Contributor

Can you show me how you are invoking the ansiblePlaybook step? Is it an SSH key with a passphrase or is it using sshpass?

If it is the first, I would expect this to work (the passphrase should be configured on the SSH credentials).

For the sshpass thing there was an attempt in https://github.com/jenkinsci/ansible-plugin/pull/85/files but it introduced a regression and was rolled back.

Without more automated testing I will not try to solve it again.

I'm also looking for a more active maintainer to keep the plugin sane and free of bugs: https://groups.google.com/u/1/g/jenkinsci-dev/c/xiKhmhCBspw

Regards,


fzakfeld commented Sep 5, 2023

Sorry, forgot to mention this. I invoke the ansiblePlaybook with an SSH key and passphrase. The thing that is not escaped is the passphrase.


colshine1 commented Oct 29, 2023

Sorry, forgot to mention this. I invoke the ansiblePlaybook with an SSH key and passphrase. The thing that is not escaped is the passphrase.

Does your passphrase have two consecutive dollar signs? For example:

pa$$word

If so, this is expected behaviour due to a combination of factors:

  1. Groovy's string interpolation
  2. $$ has special meaning in Linux: it will be replaced with the value of your current shell's PID.
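
The failure reported in this issue and the $$ case from the last comment, reproduced as an added example (not the plugin's code). It assumes a hypothetical generated helper that echoes the passphrase, since the issue does not show the script's contents; sh_quote, write_unsafe, write_safe and roundtrips are names made up here.

```shell
#!/bin/sh
# Constructed sample: the passphrase quoted in the report (stated there as not in use).
PASSPHRASE='7D%TgX`EnfgHkfv$H9qhfg84sZSQwT&LjH~ZEfghjkzn@^sYpR'

# Quote a string for POSIX sh: wrap it in single quotes and rewrite each
# embedded ' as '\'' (close quote, escaped quote, reopen quote).
# Caveat: command substitution drops trailing newlines from the value.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Assumed shape of the generated helper: the secret is pasted between
# double quotes, so `, $ and $$ are still interpreted by the shell.
write_unsafe() {  # $1 = script path, $2 = secret
    cat > "$1" <<EOF
#!/bin/sh
echo "$2"
EOF
}

# Same helper, but the secret is emitted as one single-quoted word.
write_safe() {  # $1 = script path, $2 = secret
    cat > "$1" <<EOF
#!/bin/sh
printf '%s\n' $(sh_quote "$2")
EOF
}

# Generate the script with the given writer, run it, and succeed only if
# it exits 0 and prints the secret byte for byte.
roundtrips() {  # $1 = writer function, $2 = secret
    f=$(mktemp) || return 2
    "$1" "$f" "$2"
    out=$(sh "$f" 2>/dev/null); rc=$?
    rm -f "$f"
    [ "$rc" -eq 0 ] && [ "$out" = "$2" ]
}

# Constructed inputs: the reported passphrase, the $$ case, and a value
# containing a single quote.
for secret in "$PASSPHRASE" 'pa$$word' "it's"; do
    for w in write_unsafe write_safe; do
        if roundtrips "$w" "$secret"; then r=intact; else r=BROKEN; fi
        printf '%-12s %s\n' "$w" "$r"
    done
done
```

Passing the secret through an environment variable or a file descriptor instead of generating shell source from it avoids the quoting problem altogether.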
