Extract passphrase from Jenkins credentials.
I have added SSH credentials for Jenkins.
Unfortunately I forgot the SSH passphrase and would now like to retrieve it from the Jenkins accounts archive that is in ${JENKINS_HOME}/credentials.xml.
This XML document appears to have credentials encrypted in XML <passphrase> or <password> tags.
How can I get the plaintext passphrase?
Open the script console of your Jenkins installation by visiting http(s)://${JENKINS_ADDRESS}/script.
In this case, execute the following Groovy script:
println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )
where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD} is the encrypted content of the XML element <password> or <passphrase> that you are looking for.
I know this is old, but ... With pipelines it's very simple. Here's an example pipeline that prints credentials to the console:
node {
    def creds
    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }
        println creds
    }
}
Running this pipeline produces the following in the console:
Started by user First Last (username)
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] node
Running on Jenkins in /jenkins/workspace/sandbox
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Sandbox)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo
User: testuser
Password: Ab37%ahc*z
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
The trick is that credentials are only masked inside the withCredentials block. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This is reported as an error; however, nothing is done about it.
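A check for the pattern described in the pipeline answer above, as an added example that is not part of the original posts: this Python script scans Jenkinsfile text for a variable that is assigned from a withCredentials binding inside the block and then referenced after the block closes, which is where masking no longer applies. The function names and the embedded sample are constructed for illustration, and the text-based matching assumes braces inside string literals are balanced.

```python
import re

# Constructed sample: the pipeline from the answer above (not a real job).
SAMPLE = r'''
node {
  def creds
  stage('Sandbox') {
    withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
      creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
    }
    println creds
  }
}
'''

# Binding parameters such as passwordVariable: 'C_PASS' name the masked variables.
BINDING = re.compile(r"\w*[Vv]ariable\s*:\s*['\"](\w+)['\"]")
# Plain or def-prefixed assignment; "==" comparisons are excluded.
ASSIGN = re.compile(r"^\s*(def\s+)?(\w+)\s*=(?!=)\s*(.+)$", re.M)

def _closing(text, start, open_ch, close_ch):
    """Index of the delimiter that closes the one at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced delimiters")

def find_escapes(src):
    """Return (variable, [bound names]) for secrets that outlive their block."""
    findings = []
    for m in re.finditer(r"\bwithCredentials\s*\(", src):
        args_end = _closing(src, m.end() - 1, "(", ")")
        body_start = src.index("{", args_end)
        body_end = _closing(src, body_start, "{", "}")
        bound = BINDING.findall(src[m.end():args_end])
        body, after = src[body_start:body_end], src[body_end:]
        for is_def, name, rhs in ASSIGN.findall(body):
            used = sorted(v for v in bound if re.search(rf"\b{v}\b", rhs))
            # A def inside the block is local; only outer variables escape.
            if used and not is_def and re.search(rf"\b{name}\b", after):
                findings.append((name, used))
    return findings

if __name__ == "__main__":
    print(find_escapes(SAMPLE))
```

A finding here means the job's console log may contain the secret in clear text, so the log and the credential both need review.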
If you are using the Jenkins Credential Binding Plugin, you can force it to write its password to a file. You cannot just output to the console, since the plugin will mask it with *****.
Yes, you can return it. It's AES encrypted and you need to do something before looking for the phrase. Explore the Secret class.
But look, there are already some scripts:
https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2
More information and a way to do it using Java can be found here:
First, you need to get an encrypted value that can be conveniently placed in the value attribute of the password field of the credential element of interest. Navigate to the credentials item in Jenkins UI, click Validate Item in the password field and copy its value attribute (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}).
Then go to JENKINS_URL/script and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") ); the decrypted password appears below the input field.