Jenkins security II - Deny anonymous access but allow access via CLI - jenkins

I previously asked how to get Jenkins to deny anonymous read access here: Jenkins security - hide all screens unless user is logged in. That solution worked great, except that it broke access to Jenkins via the CLI jar, despite the fact that we're using the CLI via an SSH key associated with a user - I guess that access doesn't constitute an "authentication". Is there a way to get the CLI to have read access, but not users using the front-end UI?

After some more experimentation, this looks to be a flat-out Jenkins bug - granting the Anonymous user Administrative rights is necessary to make access via the cli jar (with an SSH key) or via HTTP (with the user's API token) work.

When using the CLI, you can pass the -jnlpCredentials or -auth parameter.
Found it through trial and error using this:
java -jar slave.jar --help
In your case, you'd use the -auth parameter to specify username:pass

Related

How to get jenkins-cli work without granting any permissions to "anonymous"

I am using Jenkins version 2.89.2.
I have Role-based strategy enabled for authorization. Anonymous has not been granted any rights. I have some jobs being triggered remotely using the Jenkins cli. This used to work well when I was using an older version of Jenkins but once I moved to this version I am not able to get this working without granting Anonymous user build/job permissions.
In order to get this working without any permissions granted to Anonymous user, I tried to have a user whose ssh public key is updated in the Jenkins web ui (user configuration).
With this setup, when I try to use jenkins-cli.jar as below, I get an error: ERROR: No such job 'testing'
java -jar jenkins-cli.jar -s http://<servername>:<port>/ -i /user/jen/.ssh/id_rsa build "testing"
While searching around the internet, I saw that we can make this work by granting the "Anonymous user" read permission. I did that too, but with that, when I try to run the jenkins-cli jar (same command as above), I get the error: ERROR: anonymous is missing the Job/Build permission
I do not want to grant the anonymous user Job/Build permissions.
Any ideas/thoughts to fix this please?

Jenkins - SSH from Job's shell to jenkins

What I am trying seems quite simple, but I can't really get my head wrapped around what I need to do:
Inside a job, I have a build step that executes shell commands. This shell command tries using the Jenkins CLI.
So basically it says: java -jar theCliFile -s jenkinsURL / command
So inside of a job, I am trying to make an SSH connection to the Jenkins server itself.
This fails; the console output says: "[WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
You must authenticate to access this Jenkins."
I could provide a username and password as clear text inside of the shell, but I would like to avoid that.
What do I need to set up in order to allow an automatic authentication? I don't understand who needs what kind of keys.
The Jenkins CLI wiki says to configure a user via /me/configure. I just don't see how this makes sense. I guess this was meant for use cases where someone tries to build an SSH connection from a remote machine, not from the Jenkins server itself, as in my case.
Actually, I solved it myself:
I had both a private and a public key on the Jenkins server (in case you don't have those, just generate them on the server machine that Jenkins runs on; there are tons of tutorials on how to do so out there).
To allow what I was trying in my question, I had to take the public key and enter it in some user existing for the Jenkins application.
As far as I understand, entering the Jenkins server's public key in any user will make the SSH request authenticate as this user, and thus the shell will have the rights of said user.

Remote Access to Secured Jenkins Server

I have a Jenkins installation on a machine running Windows Server 2008. The Jenkins installation is secured using Jenkins own user database with matrix-based security authorization. Anonymous users don't have any access, except to register an account. I have set up an account and gave this account full access.
Now I'd like to trigger a build remotely from a different machine that hosts the repository. I believe this should be possible by accessing the following URL:
https://[username]:[user_api_token]@[address.of.jenkins]:8080/job/[project]/build?token=[project_api_token]
However, this does not seem to be working for me. When I access this site in a browser, Jenkins forwards to the login-page, and does not start the build.
What am I doing wrong? It seems to be an authentication problem, as I'm not logged in after opening the URL above. Furthermore, if I give anonymous users full access, the URL works.
Try invoking the build from a command-line program like curl:
curl http://[userid]:[user_token]@localhost:8080/job/[project]/build?token=[proj_token]
or
curl --user [userid]:[user_token] http://localhost:8080/job/[project]/build?token=[proj_token]
I think your issue could be browser-related: embedding credentials within the URL (Firefox pops up a warning in my case telling me I'm about to log in to Jenkins).
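An added example, not from any of the posts on this page, covering both the jenkins-cli answer near the top (the -auth parameter, or an SSH key registered on a user's profile) and the curl answer just above. It shows how to authenticate non-interactively as a real user, so that "anonymous" needs no permissions at all, without placing the API token on the command line (where every local user can read it from the process list) or inside the URL. The Jenkins URL, the job name "testing", jenkins-cli.jar in the current directory and the credential file path are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original posts): trigger a Jenkins build as a
# real user, non-interactively, with no token on the command line or in a URL.
#
# Assumptions (hypothetical): $CRED_FILE holds one line "user:apitoken" with
# mode 0600, jenkins-cli.jar is in the current directory, and the server is
# reachable at the URL given as the first argument.

# Refuse a credential or key file that anyone but its owner can read.
# `ls -l` columns 5-10 are the group/other permission bits; "------" means
# no group/other access at all. Works with both GNU and BSD userland.
private_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "refusing $f: readable by group/other" >&2; return 1; }
}

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# jenkins-cli.jar: -auth @FILE reads "user:token" from FILE, so the token
# never appears in `ps` the way "-auth user:token" would.
cli_build_token() {
    url=$1 job=$2 cred=$3
    private_file "$cred" || return 1
    run java -jar jenkins-cli.jar -s "$url" -auth "@$cred" build "$job"
}

# Same, using the SSH private key whose public half is on the user's
# Jenkins profile (the -i form used in the posts above; newer CLI releases
# spell this "-ssh -user NAME -i KEY").
cli_build_ssh() {
    url=$1 job=$2 key=$3
    private_file "$key" || return 1
    run java -jar jenkins-cli.jar -s "$url" -i "$key" build "$job"
}

# curl: HTTP Basic auth with the API token, sent as a header rather than as
# user:token@host in the URL. "-K -" makes curl read its options from stdin,
# so the token is on neither the command line nor in the URL.
# /job/NAME/build expects a POST.
curl_build() {
    url=$1 job=$2 cred=$3
    private_file "$cred" || return 1
    if [ -n "$DRY_RUN" ]; then
        printf 'curl -sS -f -X POST -K <config> %s/job/%s/build\n' "$url" "$job"
        return 0
    fi
    printf 'user = "%s"\n' "$(cat "$cred")" |
        curl -sS -f -X POST -K - "$url/job/$job/build"
}

# Usage (assumed values):
#   cli_build_token http://jenkins.example:8080 testing "$HOME/.jenkins-cli"
#   cli_build_ssh   http://jenkins.example:8080 testing "$HOME/.ssh/id_ed25519"
#   curl_build      http://jenkins.example:8080 testing "$HOME/.jenkins-cli"
```

Once the request is authenticated as a user holding Job/Build on the job, the per-job ?token= value from the browser URL is not needed; that token exists for triggering a job without user credentials, which is exactly the anonymous-access path the questions on this page are trying to close.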

Plink from Windows service cannot find Pageant

I have one windows service which will use plink.exe for SSH connection and I found that Plink cannot find the running Pageant.
Here are the steps I have done so far.
Install the Windows service to run as a particular user.
Before starting the Windows service, I log in as that user and start Pageant with a PuTTY-generated key.
Then I start the Windows service (but I can't manage to make it work, since Plink cannot find Pageant and the server replies with "No supported authentication methods available").
Note: If I run Windows service as console application with that user, everything is working fine.
Plink will be run in the service session (Session 0) while Pageant runs in the user session (Session 1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and the objects are created without a prefix, i.e. they become session-only (not global). You would need to build a custom version of Plink to solve the problem.
Pageant explicitly allows feeding keys only to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session. This is obviously for security reasons, so as not to allow a different user on the same machine to hijack private keys loaded by another user. And even for convenience (ironically), so that you do not inadvertently use the keys of a different user (possibly leading to your account being locked due to invalid login attempts).
Also note that Pageant is not intended for automation anyway. For automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity
Such a private key has to be unencrypted. Note that this imposes a security risk if someone gains access to the key. You should consider restricting access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
As @Eugene points out, it is Session 0 Isolation.
I managed to solve the issue by not using the agent but directly passing the private key and password to plink.exe. By doing that, I'm able to run without using Pageant.
To start plink.exe without the agent:
plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 user@host.com
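An added example, not from the original posts, of the non-interactive plink invocation the answers above recommend, written as a POSIX shell wrapper (the rest of this page's commands are shell, and plink also ships for Linux in putty-tools); on Windows the permission check corresponds to an icacls rule that grants only the service account read access to the .ppk. Beyond what the answers state, it pins the server's host key with -hostkey and uses -batch so a service with no console fails closed instead of hanging on a prompt. The key path, port, host key fingerprint and remote command are assumptions; DRY_RUN=1 prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original posts): run plink from a service
# account with an unencrypted key file instead of Pageant.
#
# Assumptions (hypothetical): the .ppk is unencrypted and readable only by
# the account running this script; the host key fingerprint is the one plink
# printed on a first, interactive connection (e.g. "SHA256:..." form).

# plink_cmd USER@HOST PORT KEYFILE HOSTKEY_FINGERPRINT [REMOTE COMMAND...]
plink_cmd() {
    target=$1 port=$2 key=$3 hostkey=$4
    shift 4

    # The key file's permissions are the only thing protecting an
    # unencrypted key, so refuse to run if group/other can read it
    # (`ls -l` columns 5-10 are the group/other permission bits).
    [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "refusing $key: missing or readable by group/other" >&2; return 1; }

    # -batch    abort instead of prompting (no console to answer "store host key?")
    # -noagent  never consult Pageant, so Session 0 isolation is irrelevant
    # -hostkey  pin the server: an unknown or changed host key fails the connection
    # -i        supply the key file; no -pw on the command line, where every
    #           local user could read it from the process list
    set -- plink -batch -noagent -P "$port" -i "$key" -hostkey "$hostkey" "$target" "$@"

    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage (assumed values):
#   plink_cmd svc@host.example 1234 /etc/svc/id.ppk SHA256:Abc123... uptime
```

Compare this with the -pw form in the answer above: a password passed on the command line is visible to other local users through the process list (Task Manager on Windows), and without -hostkey a non-interactive run either blocks on the host-key prompt or, with -batch alone, aborts on the first connection to a host it has never seen.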

Using MsDeploy to deploy Windows Services with preSync command

Is anyone successfully using MsDeploy for deploying windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither does any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow authentication for the service-deploy Windows account, with contentPath and runCommand permissions (for the moment set to C:\, as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to or to the deployment path). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\Deploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with code '0x1'.
This happens even if the contents of PreSyncCommand.cmd is blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still a MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!
Since you're using Web Deploy via WmSvc, you need to set up appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/
