From YouTube: GSoC 2021 Git credentials binding 2021 08 04
Description
Jenkins git credentials binding office hours August 4, 2021. Topics included discussing issues with private keys, using the sshd-core library to resolve the primary private key algorithms, and depending on a plugin vs depending directly on sshd-core.
Meeting notes are available at https://docs.google.com/document/d/1gZneYIDWrT5S-1ACG641wfvxs7vnDC0RCYqy-EuuhwY/edit#heading=h.m0lph2u36pvh
C
I tried reading password-protected RSA keys opens by generating them from OpenSSH and then using the ssjs client they've provided to connect to a server. But I was unable to do so. I'm not sure why it was not connecting. It was giving me a timeout exception, but it was not working for me.
D
Yeah, so I found out that the fingerprint of the private key that is generated using the decrypted private key that is generated using the ssj library is different from the fingerprint of the private key that is, you know, encrypted. So I think, due to that, we are not able to connect, so the keys are different, so the server won't be able to recognize a match for that private key with the public key.
C
But I just wanted to, before you introduce the new library: did you ever try to read the keys and use the client called ssh client provided by assistant to connect to a remote server using, you know, any of your ssh keeper?
C
Yeah, I mean, the, I thought that the fastest way to know if ssj will be able to decrypt the keys correctly, and then, you know, it is going to provide these keys, which are going to work, is to use their own client to establish a connection with any server, any, you know, any place which has a 22 port open and we can establish a connection with them. If that is possible, then those keys, we can be sure that ssj is not creating an issue for us.
C
I mean, but you found a new library, right? And yeah, yeah, and you were, yeah. Please move forward with me.
C
Use, have you used, have you used this library to use RSA password-protected keys, and then were you able to do that?
D
So, but the issue I'm facing is, you know, the dependency issue, so I think I mentioned it on the Gitter chat. So, so what should we do next, right? Should we define this dependency explicitly in git plugin, and if we do that, then we have to, you know, increase the Jenkins version great, more than two point above, I think it's two point eight.
A
Mark, on whether they pick, we pick, so it looks like there's two plugins, there's 310 and 304.
A
One of them is a higher Jenkins version, and one of them is a slightly lower one, the other one's 2.282, not sure. If you have any.
B
So, but if you're on 2.289.2 you're not in danger, because the security fix is backported to it, so making it 2.289.1 seems very reasonable to me, and I knew, we knew we were going to have to eventually upgrade, yeah. There will be people who say, "But I want to run the credentials binding without having to upgrade to 289, 289.1." And the answer is: sorry, you can't.
B
So, so how should it feel it sounds like, then, what your technique would be is you'll set the jenkins.version in the, in the pom to be 2.289.1, and then you can use that, that library that we, that's available.
B
Does the git plugin already rely on ssh server plugin? I don't, I didn't think it did directly, but let's check. I mean, that may be a circular dependency. I'm not sure what that will mean, because I would expect the ssh server plugin probably relies on the git plugin.
B
Okay, what's, what's the, what's the, what do you call the address of that thing? The coordinates of that thing you're looking at. Is it org.jenkins.ci.modules? Yeah? It is, okay. So that's the thing that that ssh server or that git server plugin depends on, and I think, so Harshit, is sshd from Apache or from this code the thing that provides the method you need, or do you need something that's actually in the git server plugin?
C
Why do we need to increase the Jenkins number too? This is, this is an external dependency, right, in an external library.
D
Now we have to increase, if you can see on line 34, but also, if we, you know, define external dependency that is sssb Apache, then in the Maven dependency tree it will be used rather than the, it will be used in for the sshd server or in a plugin, Jenkins plugin.
C
No, but you can exclude the depend, since you're going to directly use this library, this dependency. Then you can exclude that from the plugin, which requires a newer Jenkins version, and then you can use directly this time. I don't understand. Why would we need a new Jenkins version for that?
B
So, so back to Richard's question, but to ask it in the form of the question: is org.apache.sshd version 2.7.0 enough for you to have the API you need, Harshit, or do you need something that is? It is, yeah, okay. So then I, I'm prone to agree with, with Rashab that we should at least try to just depend on that library. If that still requires us to upgrade jenkins.version.
B
Well, and I think sshd plugin is an unavoidable plugin because it was bundled in core. Oh, was it? Oh, I think so. I think there's, I think sshd plugin is one that was discussed just recently on the mailing list with, "Wow, why is this there? I don't need sshd," and the answer is, well, because it was bundled in core, and years ago, and thus it's still, its API still has to be available in core. Okay. Well.
D
So explicit, so we can implicitly, we are, you know, using a lab core, sshd-core of version 2.7.0 only instead of the lower version, that is 1.7.0.
B
Opening look at that.
B
Odd, when I tell it to depend on, to, to require Jenkins 2.289.1, it doesn't even have a dependency on sshd-core. Interesting. Okay, but you, you've done the experiment, Harshit, and you said that by upgrading the, by forcing the Jenkins jenkins.version to 2.289.1, you get the, you get access to the sshd-core library version. You.
B
Yeah, and I think, I think that's the right approach. I think we should accept that in order to get this functionality they have to at least be running Jenkins 2.289.1, because we need the version of sshd-core that Apache provides, and that is, that is available only beginning with 2.289.1. That's, that's.
C
So how should with this library is? Was there a specific algorithm?
D
Yeah, I was thinking of, you know, using the, there's a PEM format, support for PEM-formatted keys or PKCS8 format keys in the lab, in that library as well, but.
C
But, so my question is that, do we want to first focus on the algorithms or on the use cases which, which will be 90 of what we're going to serve, or, I'm not sure how, how many, in how many cases we're going to see the PKCS8 encrypted PEM-encoded format keys.
A
Yeah, I mean, I think, like, like we talked about the last time, you probably could start with, you know, just loading in support for the top ones, and if we find that, you know, PEM support's not working, we can document that as unsupported and that's a Jira ticket or something like that for later, right.
A
Yeah, I guess from a, from a process and work perspective, like, if it's easy for you to get them all in one PR, like, maybe that's okay. I guess one thing I could see is, like, if it's hard to start getting the Bouncy Castle stuff, then maybe it's a good idea to start with the, the most critical algorithms to cover and then do those in a PR. But then I, I also realized there's some testing and stuff like that involved too. So those are the things that I would think about for that.
D
So one doubt I have is that, should I, you know, explicitly define the, this is the plugin that, the Jenkins module, sshd plugin, right in the pom of the plugin.
B
I bet, and then that'd be in the git plugin, right, not in the git client. Yeah.
C
Hey, I have a question. I, I was also looking at the dependency graph and I can see that, as, as have mentioned, that in the Jenkins pool jar, we're getting sshd code, sshd plugin as a test scope. Can we not remove this altogether? Do we need the ssh plugin for anything?
C
I was, yeah, okay, we use this depend. I just thought that this is being bundled, but we don't use it.
C
And is the git plugin using this library?
C
Yes, my question was that: can we not just remove this, exclude this and sshd4 directly, the plugin altogether?
B
Okay, so I would expect Jenkins will say, "I've already loaded sshd-core. I refuse to load another one," and then we'll be stuck because git plugin, though, won't be able to find the APIs it needs that are only available with newer than 1.7.0. Harshit, I think I was describing it correctly. Do you need to correct something I said there and tell me, "No, Mark, you made a mistake"?
D
Myself, so I know the error will be, you know, no class, no class found exception. You know, that was coming because the library that was loaded was one sshd-core 1.7 and I need the libraries of sshd-core 2.7. So there was, I was stuck for, you know, for one day, whole one day, depending on what, why, why is it this happening?
A
Does that kind of help you with all the questions you have for, for that specific one, Harshit?
B
Sure, but, but this issue is, I think this is a major victory that you've reached as far as you have. Keep going, that's great, and did you see, Harshit, that we have one more person who's interested in, in the work and did some experiments? We can ignore their results if we need to, but I was delighted. It's great that we got people who want to use your code.
B
So I, I had closed the bug report from someone who asked for the ability to add a special case to the Jenkins git publisher that would allow it to push, push multiple tags, and the, the person actually submitted a pull request to the git plugin saying, "Hey, here's the implementation," and it was a good implementation. They did a good job with it.
B
Yeah, and, and I pointed the user and said, "Hey, use username password, it works now," and he said, "No, I have to have private key," and this is his effort trying to work with private keys. So that's great. Nice, yeah. Yes, it didn't work. That's, that's not a problem. The fact that we've got one more person trying it is really great.
A
Mark, did you have any opinions on the PEM format and including Bouncy Castle in the, in the next PR, or do you think that should be like a separate PR? What's your.
C
Are we also, are we also covering the cases or thinking about the cases when ssh-keygen did not produce OpenSSH keys, before this format was adopted?
C
Yeah, yes, I think. Actually, I think I, I'd rather look at what Harshit's code is. I look at his implementation, how it depends on these algorithms, how it functions with these algorithms. Is it, do you have to write different code for each of them, like, is there a different term?
C
I, I just look at the code and I think, Mark, that should be fine for us, that we run those tests and then we figure out.
B
If that's, if that's easy enough for you, I, that would be the way I would go. If, if you find it easier to combine them into a single PR and still allow us to do, allow me and others to do testing, that, that's fine too, but for me, a separate PR with the Bouncy Castle work feels better, just because I want to be sure that RSA and ed25519 keys work, because those are the keys that are important to me.
B
I, I just don't want to be blocked testing RSA or ed25519 because of a format that I don't use now. Other people may have a very different opinion and say, "Hey, I use PEM format all the time," but I truly do not recall ever using a, no, maybe, I guess I did use one once because some of the cloud vendors give you a PEM format key.
B
Good shot, Mark. I'm good. Great for me as well. Thanks, Harshit, thanks very much, and congrats on finding the solution to the sshd-core challenge. Yeah.