git Jenkins: what is the correct format for the private key in Credentials

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/53636532/

Time: 2020-09-19 13:15:18  Source: igfitidea

Jenkins: what is the correct format for private key in Credentials

git jenkins ssh bitbucket

Asked by Bart C

I'm creating a job in Jenkins 2.152 running on Windows Server 2016 which needs to pull from a git repo hosted on bitbucket.org. I tested the ssh key through git-bash so I know it works and there is no passphrase. When I try to use the very same private key with Jenkins I get an error message.

Failed to connect to repository : Command "git.exe ls-remote -h 
[email protected]:mygroup/myrepo HEAD" returned status code 128:
stdout: 
stderr: Load key 
"C:\Users\JE~1\AppData\Local\Temp\ssh2142299850576289882.key": invalid format 
[email protected]: Permission denied (publickey). 
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The Credentials are set up as

 scope: Global
 user: git
 Private Key -> Enter Directly -> copy and paste - generated by ssh-keygen -t rsa in gitbash
 Passphrase: empty
 ID: empty
 description: bitbucket.org

I noticed that on another Windows Jenkins server the private key has a different number of characters per line

Does anybody know what is the expected format of Private Key in Jenkins Credentials? Or maybe there is something else that I could check.

Any help is greatly appreciated.

Answered by VonC

Check the version of Git for Windows that you are using: Starting 2.19.2, it comes with OpenSSH v7.9p1 (from 7.7 before)

And... openssh 7.8 just changed the default ssh-keygen format, from a classic PEM 64-chars, to an OPENSSH one 70 chars!

Only ssh-keygen -m PEM -t rsa -P "" -f afile would generate the old format (-m PEM)

ssh-keygen(1):

write OpenSSH format private keys by default instead of using OpenSSL's PEM format.

The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.

Answered by Houcheng

I also got this error message and eventually found out that the Jenkins credential should be RSA secret key, not public key. Below are my steps for configuring Jenkins to clone from bitbucket:

  1. Add credential in Jenkins credentials
   Kind: SSH username and private key
   Scope: Global
   Username: <my username in bitbucket>
   Private key: <Enter directly>
         -----BEGIN RSA PRIVATE KEY-----
         ......
         -----END RSA PRIVATE KEY-----
  2. Create a job and configure the repository path and credential as following:

Answered by Bart C

In the end, I couldn't find a way to make pasting private keys to Jenkins credentials work.

While it might be common knowledge for many, I decided to put the workaround below anyway.

Here is what I did as a workaround to pull my private repositories from Bitbucket.org:

  1. Log in to your Windows host as the user which runs Jenkins Service. In my case, Jenkins Service runs as a dedicated user because I needed to access network shares with write privileges restricted to this user only.
  2. Open Git-bash and generate SSH keys with ssh-keygen command accepting all defaults
  3. In Jenkins, enter the git repo URL as [email protected]:team_name/repo_name and leave the credentials as None

This way Git and SSH will be able to find SSH keys in the default location, which usually is c:\Users\username\.ssh\

Hope this helps somebody.

Answered by erpel

So just to add an answer to actually convert a key from the new OPENSSH format to the older PEM format:

$ ssh-keygen -f blah.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in blah.key.
Your public key has been saved in blah.key.pub.
The key fingerprint is:
SHA256:ndMFvZjbD7M3MoqFy8+me74gPhcuoDVLF2/Oh+hXQ8I [email protected]
$ head -n 1 blah.key
-----BEGIN OPENSSH PRIVATE KEY-----
$ ssh-keygen  -f blah.key -m PEM -p
Key has comment 'redacted'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
$ head -n 1 blah.key
-----BEGIN RSA PRIVATE KEY-----

ssh-keygen -p changes the passphrase but it does not mind the new passphrase being the same (even none) as the old one and in the process can convert the format.
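
An added example (not part of the answer above or of the original page): a POSIX shell check that reports which of the formats discussed in these answers a key file uses, and whether it is a public key, before it is pasted into a Jenkins credential. The function names and sample files are hypothetical and constructed for illustration; the key bodies are placeholders, not real key material.

```sh
#!/bin/sh
# Added example: identify a key file's format before pasting it into Jenkins.
# Function names and sample files are hypothetical, constructed for this page.

# key_format FILE -> openssh | pem-rsa | public | unknown (from the first line)
key_format() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo public ;;
        *)                                     echo unknown ;;
    esac
}

# body_width FILE -> length of the first body line (64 for PEM, 70 for OPENSSH)
body_width() {
    sed -n '2p' "$1" | tr -d '\r\n' | wc -c | tr -d ' '
}

# check_key FILE -> prints advice; returns 0 only for the classic PEM format
check_key() {
    case "$(key_format "$1")" in
        pem-rsa) echo "PEM private key, $(body_width "$1") chars per line"; return 0 ;;
        openssh) echo "OPENSSH format, $(body_width "$1") chars per line;" \
                      "convert a copy: ssh-keygen -p -m PEM -f <copy>"; return 1 ;;
        public)  echo "public key; the credential needs the private key"; return 2 ;;
        *)       echo "unrecognized first line"; return 3 ;;
    esac
}

# Constructed samples: placeholder bodies of zeros, not real key material.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
{ echo "-----BEGIN OPENSSH PRIVATE KEY-----"; printf '%070d\n' 0
  echo "-----END OPENSSH PRIVATE KEY-----"; } > "$demo_dir/new.key"
{ echo "-----BEGIN RSA PRIVATE KEY-----"; printf '%064d\n' 0
  echo "-----END RSA PRIVATE KEY-----"; } > "$demo_dir/old.key"
echo "ssh-rsa AAAAplaceholder user@example" > "$demo_dir/key.pub"

for f in new.key old.key key.pub; do
    printf '%s: ' "$f"
    check_key "$demo_dir/$f" || true
done
```

Run the check against a copy of the key, since ssh-keygen -p rewrites the file it is given in place.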

Answered by Panda World

Somehow I got it to work again but the real steps that fixed the issue are unclear.

What I did is to regenerate the ssh key again and put everything to its default location. Reupload the public key, replace the private key in the credential and then it starts to work.
