发表新帖
发表新帖

What password encryption Jenkins is using?

后端 未结
关注
3 1150
盖世英雄少女心
盖世英雄少女心 2020-12-09 15:46

I am modifying an xml of a Jenkins job. There is a field which is a password. When I get the xml, where it was the raw password now there is a hash.

What I need is to

相关标签:
3条回答
  • 青春惊慌失措
    2020-12-09 16:10

    Another possibility would be to execute a Groovy script via Jenkins Groovy console (you can reach it via JENKINS_URL/script):

    println(hudson.util.Secret.decrypt("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk="))

    Some other ways would be possible with python:

    https://github.com/tweksteen/jenkins-decrypt
    https://gist.github.com/menski/8f9980999ed43246b9b2

    0 讨论(0)
  • 渐次进展
    2020-12-09 16:15

    In fact, it's not a hash but rather an encrypted password. I guess encryption keys are stored in the master node. Actually, you can decrypt the password by executing following groovy script on master's script console 

    import hudson.util.Secret

def secret = Secret.fromString("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=")
println(secret.getPlainText())

    and if you want to encrypt the password, then

    import hudson.util.Secret

def secret = Secret.fromString("your password")
println(secret.getEncryptedValue())

    A password encrypted on a computer can be decrypted only on that particular computer since keys are randomly generated and obviously on different machines the keys are different.

    Check out core/src/main/java/hudson/util/Secret.java for more details

    0 讨论(0)
  • 余生分开走
    2020-12-09 16:24

    Jenkins uses AES-128-ECB for all its encryptions. It basically uses the master.key file to encrypt the key stored in hudson.util.Secret file. This key is then used to encrypt the password in credentials.xml.

    So to decrypt Jenkins password, you need basically access to hudson.util.Secret and master.key files. You can check exactly how Jenkins encrypts the password by looking into hudson.utils.Secret class and its fromString method. Basically the password is concatenated with a magic before being encrypted using KEY.

    For more details, please check: Credentials storage in Jenkins.

    To decrypt the password, follow these steps:

    1. While logged in as admin in Jenkins, go to: /script page.

    2. Run the following command:

      println(hudson.util.Secret.decrypt("{XXX=}"))

      or:

      println(hudson.util.Secret.fromString("{XXX=}").getPlainText())

      where {XXX=} is your encrypted password. This will print the plain password.

      To do opposite, run:

      println(hudson.util.Secret.fromString("some_text").getEncryptedValue())

    Source: gist at tuxfight3r/jenkins-decrypt.groovy.

    Alternatively check the following scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.

    0 讨论(0)
 看不清?
提交回复
热议问题