Extract passphrase from Jenkins credentials.

I have added SSH credentials for Jenkins.

Unfortunately I forgot the SSH passphrase and would now like to retrieve it from the Jenkins accounts archive that is in ${JENKINS_HOME}/credentials.xml.

This XML document appears to have credentials encrypted in the XML tags <passphrase> or <password>.

How can I get the plaintext passphrase?

+45




5 answers


Open the script console of your Jenkins installation by visiting http(s)://${JENKINS_ADDRESS}/script.

In this case, execute the following Groovy script:

println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )

where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD} is the encrypted content of the XML element <password> or <passphrase> that you are looking for.

+109




I know this is old, but ... With pipelines it's very simple. Here's an example pipeline that prints credentials to the console:

node {
    def creds

    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }

        println creds
    }
}

      

Running this pipeline produces the following in the console:



Started by user First Last (username)
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] node
Running on Jenkins in /jenkins/workspace/sandbox
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Sandbox)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo

User: testuser
Password: Ab37%ahc*z

[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

      

The trick is that credentials are only masked inside the block withCredentials. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This is reported as an error, however nothing is done about it.

+7
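A static check for the pattern this answer describes, added here as an example and not part of the original answer: it flags pipeline text where a value bound by withCredentials is copied into another variable and then printed after the masked block has closed. It is a line-based heuristic; the names find_leaks, uses and LEAKY are this example's own, and LEAKY is the pipeline from the answer above.

```python
import re

# Binding parameters of withCredentials: passwordVariable, usernameVariable, variable, ...
BINDING = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
ASSIGN = re.compile(r"^\s*(?:def\s+)?(\w+)\s*\+?=(?!=)\s*(.+)$")
SINK = re.compile(r"\b(?:println|print|echo|writeFile)\b")

def uses(text, names):
    """True if any of the identifiers appears as a whole word in text."""
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)

def find_leaks(pipeline):
    """Return (line_no, variable) for output steps outside withCredentials
    that print a variable which received a bound secret inside the block."""
    secrets, tainted, leaks = set(), set(), []
    depth, base = 0, None      # base: brace depth where withCredentials started
    for no, line in enumerate(pipeline.splitlines(), 1):
        if base is None and "withCredentials" in line:
            base, opened = depth, False
        if base is not None:
            secrets |= set(BINDING.findall(line))
            m = ASSIGN.match(line)
            if m and uses(m.group(2), secrets | tainted):
                tainted.add(m.group(1))   # secret copied into another variable
        elif SINK.search(line):
            leaks += [(no, v) for v in sorted(tainted) if uses(line, {v})]
        depth += line.count("{") - line.count("}")
        if base is not None:
            opened = opened or depth > base
            if opened and depth <= base:
                base = None               # masked block has closed
    return leaks

# Sample input: the pipeline from the answer above.
LEAKY = r'''node {
    def creds

    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }

        println creds
    }
}
'''

if __name__ == "__main__":
    print(find_leaks(LEAKY))
```

Running a check like this over Jenkinsfiles in review catches the assignment-then-print pattern before the unmasked value reaches a build log.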




If you are using Jenkins Credential Binding Plugin, you can force it to write its password to a file. You cannot just output to the console, since the plugin will ***** it.

Configuring Credential Binding Plugin to Get Password Text on Windows

+4




Yes, you can return it. It's AES encrypted and you need to do something before looking for the phrase. Explore the Secret class.

But look, there are already some scripts:

https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2

More information and a way to do it using java you can find here:

What kind of password encryption does Jenkins use?

+2




First, you need to get an encrypted value that can be conveniently placed in the value attribute of the password field of the credential element of interest. Navigate to the credentials item in Jenkins UI, click Validate Item in the password field and copy its attribute value (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}).

Then go to JENKINS_URL/script and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") ); the decrypted password appears below the input field.

0








