You can make groovy magic on the Jenkins console, grab the credential, and
extract the public key, but sounds odd. but this pipeline make the job for
any credential and it is easy :D
pipeline {
agent any
parameters {
credentials credentialType:
'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey',
defaultValue: '', description: '', name: 'credential', required: true
}
stages {
stage('Hello') {
steps {
sshagent([params.credential]) {
sh 'ssh-add -L'
}
}
}
}
}
El martes, 26 de mayo de 2020, 19:35:48 (UTC+2), Jason Pyeron escribió:
>
> For a given existing credential, how can an authorized keys entry be
> extracted from Jenkins? (It is easy to do (in java, openssl, ssh-keygen,
> etc..) if you know the private key)
>
>
>
> TL;DR
>
>
>
> Take the following ssh-key being added to Jenkins:
>
>
>
> $ ssh-keygen.exe -f /tmp/jenkins-issue -t rsa -N '' -C
> jenkins-issue@hostname
>
> Generating public/private rsa key pair.
>
> Your identification has been saved in /tmp/jenkins-issue
>
> Your public key has been saved in /tmp/jenkins-issue.pub
>
> The key fingerprint is:
>
> SHA256:NDX21mT0Fp47rDryohouLU88iMAtS6K5enLLHO0PuUE jenkins-issue@hostname
>
> The key's randomart image is:
>
> +---[RSA 3072]----+
>
> | + .+. |
>
> | o o +..o|
>
> | o o .oo|
>
> |. . . . . ...|
>
> |o+ .E S + |
>
> |=.+oo. . .|
>
> |oo..*= . |
>
> |.+o=o=o o .. |
>
> |+++.*=o.. +o. |
>
> +----[SHA256]-----+
>
>
>
> $ cat /tmp/jenkins-issue
>
> -----BEGIN OPENSSH PRIVATE KEY-----
>
> b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
>
> NhAAAAAwEAAQAAAYEAy6NY6POJ4K4+QF4k6oFFbsonb8POvSSYWiIudXtqST8biPsKGFcl
>
> 3dYlKaxk86cKf6E/JTnBrlecyyB5QL9B0U9nxNdm+dY61dP02PS1T7MRGEm8q4v4jkQGfQ
>
> m7/7ubSiaJ4xJ/QYCs1gzw0+7A4Sb7dSmruOn7C7nE07rJDlLdmM8TZSdITgVfiw+382bE
>
> ojDEwYh0itAoUVxlkiF4QDmohWkexLjINE6klzVsbGUatc7RrMJ21ifxf5ko6z5o7XhGAf
>
> HOIxkstOL7WHPeRRMTACBBfCs6FcjhRm5tloA8mv5OTyj8MRJfTIKEVRQZWNcFfZhKEbn3
>
> BR0dhvAHrl26gSuqMLb3vVbV/FnqsZ47ME8GL3UjMqdERjqw6KyvcjOOWqoBtMq2wWsFFc
>
> 3IyfLl3cVul8gnb3qQiuuW42o7VsVEfyHHh7T9nHWH1qyVEUUjszOT4syMt2DzMsHCwdsa
>
> OPxB/PszpYv9epU9Mit8ZxzKxvNv9BfO3nPaUfULAAAFkJEmPFaRJjxWAAAAB3NzaC1yc2
>
> EAAAGBAMujWOjzieCuPkBeJOqBRW7KJ2/Dzr0kmFoiLnV7akk/G4j7ChhXJd3WJSmsZPOn
>
> Cn+hPyU5wa5XnMsgeUC/QdFPZ8TXZvnWOtXT9Nj0tU+zERhJvKuL+I5EBn0Ju/+7m0omie
>
> MSf0GArNYM8NPuwOEm+3Upq7jp+wu5xNO6yQ5S3ZjPE2UnSE4FX4sPt/NmxKIwxMGIdIrQ
>
> KFFcZZIheEA5qIVpHsS4yDROpJc1bGxlGrXO0azCdtYn8X+ZKOs+aO14RgHxziMZLLTi+1
>
> hz3kUTEwAgQXwrOhXI4UZubZaAPJr+Tk8o/DESX0yChFUUGVjXBX2YShG59wUdHYbwB65d
>
> uoErqjC2971W1fxZ6rGeOzBPBi91IzKnREY6sOisr3IzjlqqAbTKtsFrBRXNyMny5d3Fbp
>
> fIJ296kIrrluNqO1bFRH8hx4e0/Zx1h9aslRFFI7Mzk+LMjLdg8zLBwsHbGjj8Qfz7M6WL
>
> /XqVPTIrfGccysbzb/QXzt5z2lH1CwAAAAMBAAEAAAGBALoEWwFhBn/haygtV5eHwr8zlt
>
> a3jTCmLy2Wr83NkQebyDFW8J/Pa9268nOg8Q7JdgOkbiQ5ID179tRus5R7oUnsOSRMh9qM
>
> 4W3WkoFk+AL31hPTt68Uy1ZZuXua2sr+uxn/HlH44ZoaSse1RoCyRirmCym5iQ3/Xr4VUk
>
> D/DQ4ykA44isUKHzh2HBLRpv2G0PQ/jFwlpB/xigLYXkggntI8WT6VCfA1w1xUwnEF8icK
>
> LF4LsOkZMqjqD+a5J/HMLTcF1wqd7SNlUFuNCrWjsfSPejQEE8WDqCFaFkOcho4276ICjP
>
> dlNJV/F2hrOcLMzWenNfQbch1Sp0aFin6OpTSzqt66i8W3QZl4zQ61iLJS+jlVRABwMK0d
>
> 2Zc1Xwk9O9px2ResXUf31slMVeXXgGTjQzwLvOytifGhOTVIIIeTxgQfcsyY7OgRwhe64o
>
> W1Pcj1uzkS6Tj/Lc24jdk/fjwQai7RWVP0k2xYgBkbe/A9V/8bZUQHmsjzSmja2ex/0QAA
>
> AMB1l84CrCRmMS7nmFULtSCM0a5bgbobptUoN9f0hCvzt6s2Wu9ImLWyig0R/e5lz2kCqM
>
> hoVXAXjFZnWsyQKsZu4vZ2NBm9yGQOp24LXk7/VX+RaIfgrUKrUP+Qep83s44TRtV6q7T4
>
> KYMLLMY31ibECBxPdNQz5o+GxjoNdyxV4lmPGOgz7l0voPu7v6CLN6aW/NQB3TBBgJLEV7
>
> QTvsrXW94pWVyISpa4wGU/+oKGZOEoQAHc4n4xJ6Swezm9Q1cAAADBAPXqOjQoeYUImOqg
>
> OVmSCCFkeMJVQNOTevF5FOOSu9MoTsXla2ot2uJDqxkyRvhxKsqHX22rSS5ZbMggXN5gSH
>
> gPmDtRpbdqHGSmoPGYcXF45L48E+8gDmySFS0FEx3I5hfcRS0mv6VcVel3P0TG70GP5J/R
>
> GDFxbGlWe+U3dSyXaWJBX43ok+Ly4LocdslV8nkqkAtztgjM+MMA5VQjZumi4AZOqeZZgW
>
> Qc6Gh/Dyq3ZeVRXFEIz/j+GujTFnJMjQAAAMEA0/1FLiAfJoi0sjbB8zBzwngNQ+XxkuXO
>
> ZSNjIfV84VSaUFh1/x3RoV+/00aDyoHVQ7BCNyiLaJ7pC6UTxURkdw1MubbFUB/ZKZadtX
>
> OFT2M/FDr3SjoImRpuoUZItddSKuSxmuRiSwCsScwk6QcHQJ2+EMseggEBwZRjO8JJanLw
>
> x08wtUWlzBaKsOkhm2mW6SGzPpjDfBum9EnEtFIxaMmGCSHjtBUUcTDnerOo65Nax3cjGV
>
> mL5+q+icjzHr33AAAAFmplbmtpbnMtaXNzdWVAaG9zdG5hbWUBAgME
>
> -----END OPENSSH PRIVATE KEY-----
>
>
>
> $ cat /tmp/jenkins-issue.pub
>
> ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABgQDLo1jo84ngrj5AXiTqgUVuyidvw869JJhaIi51e2pJPxuI+woYVyXd1iUprGTzpwp/oT8lOcGuV5zLIHlAv0HRT2fE12b51jrV0/TY9LVPsxEYSbyri/iORAZ9Cbv/u5tKJonjEn9BgKzWDPDT7sDhJvt1Kau46fsLucTTuskOUt2YzxNlJ0hOBV+LD7fzZsSiMMTBiHSK0ChRXGWSIXhAOaiFaR7EuMg0TqSXNWxsZRq1ztGswnbWJ/F/mSjrPmjteEYB8c4jGSy04vtYc95FExMAIEF8KzoVyOFGbm2WgDya/k5PKPwxEl9MgoRVFBlY1wV9mEoRufcFHR2G8AeuXbqBK6owtve9VtX8WeqxnjswTwYvdSMyp0RGOrDorK9yM45aqgG0yrbBawUVzcjJ8uXdxW6XyCdvepCK65bjajtWxUR/IceHtP2cdYfWrJURRSOzM5PizIy3YPMywcLB2xo4/EH8+zOli/16lT0yK3xnHMrG82/0F87ec9pR9Qs=
>
> jenkins-issue@hostname
>
>
>
> It can be added to Jenkins like so:
>
>
>
> [Images reduced]
>
>
>
> Which then shows up as:
>
>
>
>
>
> This screen does not show the public key for a job author / node
> administrator to add to the authorized_keys, etc.
>
>
>
> Drilling in to the detail by clicking on the entry takes to another screen:
>
>
>
>
>
> But this screen does not have the public key either.
>
>
>
> Choosing update, shows us the configuration, less the private key:
>
>
>
>
>
> Still no public key. Now this screen may be restricted more than those who
> need the public key have access too. But if you could get here, and could
> see the private key, you could regenerate the public key from the private
> key.
>
>
>
> The only workaround, known to me, is to put the public key in the
> description at the time of import.
>
>
>
>
>
> This has a quite annoying drawback – it puts a horizontal scroll bar on
> every screen where the credential is mentioned or used. This makes
> configuring jobs fragile when controls are pushed outside of the normal UI
> limits.
>
>
>
> v/r,
>
>
>
> JAson
>
>
>
> --
>
> Jason Pyeron | Architect
>
> PD Inc |
>
> 10 w 24th St |
>
> Baltimore, MD |
>
>
>
> .mil: jason.j...@mail.mil <javascript:>
>
> .com: jpy...@pdinc.us <javascript:>
>
> tel : 202-741-9397
>
>
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/9a0beff4-3079-4e99-873b-ac86d9cb4268%40googlegroups.com.
