
What password encryption is Jenkins using?

I am modifying the XML of a Jenkins job. There is a field which is a password. When I get the XML, where the raw password was, there is now a hash.

What I need is to know how to create this hash from the raw password value.

    <scm class="com.deluan.jenkins.plugins.rtc.JazzSCM">
      <username>user</username>
      <password>zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=</password>
    </scm>

I have been reading Jenkins source code and I think the class HudsonPrivateSecurityRealm.java is involved but I am not sure about the salt parameter.

PS: This is not for the Jenkins password; it is for a plugin which has a password field in the job configuration.

Fran b asked Aug 28 '14 11:08



2 Answers

In fact, it's not a hash but rather an encrypted password. I guess encryption keys are stored in the master node. Actually, you can decrypt the password by executing the following Groovy script on the master's script console:

    import hudson.util.Secret

    // Decrypt a value that was encrypted by this Jenkins instance
    def secret = Secret.fromString("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=")
    println(secret.getPlainText())

and if you want to encrypt the password, then

    import hudson.util.Secret

    // Encrypt a plain-text value with this Jenkins instance's key
    def secret = Secret.fromString("your password")
    println(secret.getEncryptedValue())

A password encrypted on a computer can be decrypted only on that particular computer since keys are randomly generated and obviously on different machines the keys are different.

Check out core/src/main/java/hudson/util/Secret.java for more details

tartakynov answered Oct 10 '22 06:10
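
The encryption step from the answer above applied to a job's XML, as an added example (not code from the original answers or from Jenkins). It is meant for the script console of the instance that will load the job; `encryptPasswordFields`, the sample XML and the placeholder password are assumptions made for illustration.

```groovy
import hudson.util.Secret
import groovy.xml.XmlUtil

// Constructed sample job fragment; the raw password is a placeholder.
def jobXml = '''<project>
  <scm class="com.deluan.jenkins.plugins.rtc.JazzSCM">
    <username>user</username>
    <password>raw-password-placeholder</password>
  </scm>
</project>'''

// Hypothetical helper: returns the XML with every <password> element stored
// in this instance's encrypted form. Running it twice does not re-encrypt.
// XmlParser is groovy.util.XmlParser, as in the Groovy 2.4 bundled with Jenkins.
String encryptPasswordFields(String xml) {
    def root = new XmlParser().parseText(xml)
    root.depthFirst().findAll { it instanceof Node && it.name() == 'password' }.each { node ->
        String current = node.text()
        if (current.isEmpty()) return
        // Secret.decrypt returns null when the value is not ciphertext
        // produced with this instance's key, i.e. it is still plain text
        // (or was encrypted on a different Jenkins instance).
        if (Secret.decrypt(current) != null) return
        String encrypted = Secret.fromString(current).getEncryptedValue()
        // Round-trip check before the value is written back.
        assert Secret.decrypt(encrypted)?.getPlainText() == current
        node.setValue(encrypted)
    }
    return XmlUtil.serialize(root)
}

// Reads the <password> text back out of a serialized job fragment.
def passwordOf = { String xml -> new XmlParser().parseText(xml).scm.password.text() }

def once = encryptPasswordFields(jobXml)
def twice = encryptPasswordFields(once)

assert passwordOf(once) != 'raw-password-placeholder'   // no plain text left
assert passwordOf(twice) == passwordOf(once)            // second pass is a no-op
println(once)
```

The output is only usable on the instance that produced it, because the key material lives in that instance's JENKINS_HOME.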


Another possibility would be to execute a Groovy script via the Jenkins Groovy console (you can reach it via JENKINS_URL/script):

    println(hudson.util.Secret.decrypt("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk="))

Some other ways would be possible with Python:

https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2

CSchulz answered Oct 10 '22 08:10