Extract passphrase from Jenkins' credentials.xml

一整个雨季 2021-01-30 01:36

I have added an SSH credential to Jenkins.

Unfortunately, I have forgotten the SSH passphrase and would now like to obtain it from Jenkins' credential archive, which is

5 Answers
  • 2021-01-30 01:53

    Open your Jenkins installation's script console by visiting http(s)://${JENKINS_ADDRESS}/script.

    There, execute the following Groovy script:

    println( hudson.util.Secret.decrypt("${ENCRYPTED_PASSPHRASE_OR_PASSWORD}") )
    

    where ${ENCRYPTED_PASSPHRASE_OR_PASSWORD} is the encrypted content of the <password> or <passphrase> XML element that you are looking for.

    0 Comments (0)
  • 2021-01-30 01:57

    First, you need to get the encrypted value, which is conveniently placed in the value attribute of the password field of the credentials item you are interested in. Navigate to the credentials item in the Jenkins UI, click Inspect Element on the password field, and copy its value attribute (something like {AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}).

    Then, go to JENKINS_URL/script and execute println( hudson.util.Secret.decrypt("{AQAABAAAa6VBbyzg5AWMW2RnfaBaj46}") ); the decrypted password appears under the input field.

    0 Comments (0)
  • 2021-01-30 02:16

    I know this is old, but... With pipelines it's extremely simple. Here's an example pipeline that will print the credentials to the console:

    node {
        def creds
    
        stage('Sandbox') {
            withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
                creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
            }
    
            println creds
        }
    }
    

    Executing this pipeline produces the following in the console:

    Started by user First Last (username)
    Running in Durability level: MAX_SURVIVABILITY
    [Pipeline] node
    Running on Jenkins in /jenkins/workspace/sandbox
    [Pipeline] {
    [Pipeline] stage
    [Pipeline] { (Sandbox)
    [Pipeline] withCredentials
    [Pipeline] {
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] echo
    
    User: testuser
    Password: Ab37%ahc*z
    
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    Finished: SUCCESS
    

    The trick here is that the credentials are only masked inside the withCredentials block. If you assign them to a variable defined outside the block and then print that variable outside the block, no masking is applied. This has been reported as a bug; however, nothing is being done about it.

    0 Comments (0)
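
An added example, not part of the answers on this page or of Jenkins itself: a heuristic Python check that a reviewer can run over a Jenkinsfile to flag the pattern the third answer describes, where a variable bound by withCredentials is copied into a variable that outlives the block and so is printed unmasked. The function names and the SAFE sample are constructed for illustration, and the regex only handles single-line assignments.

```python
import re

# Credentials Binding parameters that name a bound variable (passwordVariable, variable, ...).
BINDING = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
# "name = value" or "def name = value" on one line (heuristic, not a Groovy parser).
ASSIGN = re.compile(r"^[ \t]*(def\s+)?(\w+)\s*=(?!=)\s*(.+)$", re.M)

def matched(src, start, open_ch, close_ch):
    """Return (inner_text, closer_index) of the first balanced pair at/after start."""
    begin = src.index(open_ch, start)
    depth = 0
    for i in range(begin, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return src[begin + 1:i], i
    raise ValueError("unbalanced " + open_ch)

def find_escapes(jenkinsfile):
    """List (outer_variable, bound_secret) pairs that outlive a withCredentials block."""
    findings = []
    for m in re.finditer(r"\bwithCredentials\s*\(", jenkinsfile):
        args, args_end = matched(jenkinsfile, m.end() - 1, "(", ")")
        body, _ = matched(jenkinsfile, args_end, "{", "}")
        for is_def, name, rhs in ASSIGN.findall(body):
            if is_def:
                continue  # declared inside the closure, so it does not outlive it
            for secret in BINDING.findall(args):
                if re.search(r"\b%s\b" % re.escape(secret), rhs):
                    findings.append((name, secret))
    return findings

# The pipeline from the answer above (raw string keeps its \n escapes literal).
LEAKY = r'''node {
    def creds
    stage('Sandbox') {
        withCredentials([usernamePassword(credentialsId: 'my-creds', passwordVariable: 'C_PASS', usernameVariable: 'C_USER')]) {
            creds = "\nUser: ${C_USER}\nPassword: ${C_PASS}\n"
        }
        println creds
    }
}'''
# Constructed counter-example: the secret is only used inside the block.
SAFE = r'''node {
    withCredentials([string(credentialsId: 'api-token', variable: 'TOKEN')]) {
        def header = "Authorization: Bearer ${TOKEN}"
        sh 'curl -H "Authorization: Bearer $TOKEN" https://ci.example.invalid/hook'
    }
}'''

if __name__ == "__main__":
    print(find_escapes(LEAKY), find_escapes(SAFE))
```

A finding means the console-log masking no longer protects that value, so the pipeline change deserves review and the affected credential should be treated as exposed to anyone who can read the build log.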
  • 2021-01-30 02:16

    If you are using the Jenkins Credential Binding Plugin, you can get it to write your password to a file. You can't just output to the console, as the plugin will ***** it out.

    0 Comments (0)
  • 2021-01-30 02:18

    Yes, you can get it back. It is AES-encrypted, and you have to do some things first, like searching for the passphrase. Have a look at the Secret class.

    But have a look, there are already some scripts out there:

    https://github.com/tweksteen/jenkins-decrypt
    https://gist.github.com/menski/8f9980999ed43246b9b2

    More information, and a way to do it with Java, can be found here:

    What password encryption Jenkins is using?

    0 Comments (0)