30

I am modifying an xml of a Jenkins job. There is a field which is a password. When I get the xml, where it was the raw password now there is a hash.

What I need is to know how to create this hash from the raw password value.

  <scm class="com.deluan.jenkins.plugins.rtc.JazzSCM">
    <username>user</username>
    <password>zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=</password>
  </scm>

I have been reading Jenkins source code and I think the class HudsonPrivateSecurityRealm.java is involved but I am not sure about the salt parameter.

PS: This is not for the Jenkins login password; it is for a plugin that has a password field in the job configuration.

Fran b
  • If you know the cleartext password you could try out some common hashing algorithms. – André Stannek Aug 28 '14 at 12:35
  • In a comment of HudsonPrivateSecurityRealm class says that PasswordEncoder is based on SHA-256 and random salt generation. Hence the problem is how to get the salt used by Jenkins or how to generate the same salt, right? – Fran b Aug 28 '14 at 19:05
  • Salts are generated when encrypting the password, and [included in the output](https://github.com/jenkinsci/jenkins/blob/0cc333faf285d587a87dee8a5ea54a4f75a2c758/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java#L602-L603). Since that hash doesn't fit the format, it might well not be generated by this code — it's set up by a plugin, after all. – Blaisorblade Apr 30 '15 at 14:08

3 Answers

48

In fact, it's not a hash but rather an encrypted password. I guess the encryption keys are stored on the master node. Actually, you can decrypt the password by executing the following Groovy script on the master's script console:

import hudson.util.Secret

def secret = Secret.fromString("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=")
println(secret.getPlainText())

and if you want to encrypt the password, then

import hudson.util.Secret

def secret = Secret.fromString("your password")
println(secret.getEncryptedValue())

A password encrypted on a computer can be decrypted only on that particular computer since keys are randomly generated and obviously on different machines the keys are different.

Check out core/src/main/java/hudson/util/Secret.java for more details

tartakynov
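An added example, not code from this answer, that puts both calls together and shows the one behavioural difference that matters when editing a job's XML: Secret.decrypt() returns null for anything this controller cannot open, while Secret.fromString() silently treats such input as plain text. The sample plaintext is constructed, and the script assumes the value from the question was written by the controller whose script console (JENKINS_URL/script) it is pasted into.

```groovy
// Added example (not from the answer above): round-trip check of the
// hudson.util.Secret API, intended for the Jenkins script console.
import hudson.util.Secret

// Value copied from the question's job XML; assumed to have been written by
// THIS controller. On any other controller decrypt() returns null.
String fromJobXml = "zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk="

// Secret.decrypt() answers "is this a ciphertext I can open?" and never
// treats its input as plain text: null means no.
Secret opened = Secret.decrypt(fromJobXml)
println(opened == null ? "not a ciphertext of this controller" : "decrypts on this controller")

// Secret.fromString() is more forgiving: anything it cannot decrypt becomes the
// PLAIN TEXT of a new Secret, so a wrong or stale value never raises an error.
String sample = "plaintext-for-the-plugin-field"          // constructed sample
String encrypted = Secret.fromString(sample).getEncryptedValue()

assert Secret.decrypt(encrypted).getPlainText() == sample      // round trip via decrypt()
assert Secret.fromString(encrypted).getPlainText() == sample   // fromString() recognises ciphertext
assert Secret.fromString("not-a-ciphertext").getPlainText() == "not-a-ciphertext"

// This encrypted form is what belongs in the job's <password> element, or
// what to compare against after Jenkins saves the configuration itself:
println(encrypted)
```

Because of the fromString() fallback, a value pasted into the XML that was encrypted elsewhere does not fail on load; the plugin simply ends up with the base64 string as its literal password. Secret.decrypt() is the call to use when you need to know which of the two happened.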
19

Another possibility would be to execute a Groovy script via Jenkins Groovy console (you can reach it via JENKINS_URL/script):

println(hudson.util.Secret.decrypt("zlvnUMF1/hXwe3PLoitMpQ6BuQHBJ1FnpH7vmMmQ2qk=")) 

Some other ways would be possible with python:

https://github.com/tweksteen/jenkins-decrypt
https://gist.github.com/menski/8f9980999ed43246b9b2

Macarse
CSchulz
  • Cool. Too bad I don't have the correct rights there... xxxx is missing the Overall/RunScripts permission – Cagy79 Jan 19 '17 at 13:35
17

Jenkins uses AES-128-ECB for all its encryptions. It basically uses the master.key file to encrypt the key stored in the hudson.util.Secret file. This key is then used to encrypt the password in credentials.xml.

So to decrypt a Jenkins password, you basically need access to the hudson.util.Secret and master.key files. You can check exactly how Jenkins encrypts the password by looking into the hudson.util.Secret class and its fromString method. Basically the password is concatenated with a magic before being encrypted using the KEY.

For more details, please check: Credentials storage in Jenkins.


To decrypt the password, follow these steps:

  1. While logged in as admin in Jenkins, go to: /script page.
  2. Run the following command:

    println(hudson.util.Secret.decrypt("{XXX=}"))
    

    or:

    println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
    

    where {XXX=} is your encrypted password. This will print the plain password.

    To do opposite, run:

    println(hudson.util.Secret.fromString("some_text").getEncryptedValue())
    

Source: gist at tuxfight3r/jenkins-decrypt.groovy.


Alternatively check the following scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.

kenorb
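As an added illustration of the scheme this answer describes, and not code from the answer or from Jenkins itself, the following stand-alone Groovy script models the legacy layout: AES-128-ECB over the plaintext plus a trailing magic marker, base64-encoded. The key bytes and the marker are constructed placeholders (Jenkins' real marker is not reproduced), it reads neither master.key nor hudson.util.Secret, and its decrypt function mirrors Secret.decrypt() by returning null when the key is wrong or the marker is absent. It runs with a plain `groovy` interpreter, no Jenkins needed.

```groovy
// Added model of the legacy Jenkins secret layout; placeholders throughout.
import groovy.transform.Field
import javax.crypto.BadPaddingException
import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom
import java.util.Base64

// Constructed placeholder; the real Jenkins marker is deliberately not used.
@Field final String MAGIC = "::::PLACEHOLDER-MAGIC::::"

// Stand-in for the 16-byte AES key a controller keeps in hudson.util.Secret.
byte[] newControllerKey() {
    byte[] key = new byte[16]
    new SecureRandom().nextBytes(key)
    return key
}

// plaintext + MAGIC, AES-128-ECB with PKCS5 padding, base64: the legacy layout.
String encryptLegacy(byte[] key, String plain) {
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding")
    c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"))
    return Base64.getEncoder().encodeToString(c.doFinal((plain + MAGIC).getBytes("UTF-8")))
}

// Mirrors Secret.decrypt(): null means "not a ciphertext for this key".
String decryptLegacy(byte[] key, String b64) {
    try {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding")
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"))
        String out = new String(c.doFinal(Base64.getDecoder().decode(b64)), "UTF-8")
        // The trailing marker is the only integrity check in this scheme:
        // without it the result is reported as a failure, not as a plaintext.
        return out.endsWith(MAGIC) ? out.substring(0, out.length() - MAGIC.length()) : null
    } catch (BadPaddingException | IllegalArgumentException ignored) {
        return null   // wrong key (padding check fails) or not valid base64
    }
}

byte[] controllerA = newControllerKey()
byte[] controllerB = newControllerKey()
String ct = encryptLegacy(controllerA, "s3cret-from-job-config")   // constructed sample

assert decryptLegacy(controllerA, ct) == "s3cret-from-job-config"
// The same value on another controller: different key, so either the padding
// or the marker check fails. This is the "only on that particular computer"
// behaviour the first answer describes.
assert decryptLegacy(controllerB, ct) == null
// ECB has no IV: equal plaintexts under one key give equal ciphertexts, so two
// jobs holding the same password are recognisable as such without decrypting.
assert encryptLegacy(controllerA, "same") == encryptLegacy(controllerA, "same")
println("encrypted: " + ct)
```

The two things worth taking from the model are that the marker is the only integrity check (an attacker who can flip ciphertext bytes is detected only if the marker block is damaged) and that the ECB property in the last assertion is what makes the mode a poor choice for stored secrets; both are reasons to treat master.key and hudson.util.Secret with the same file permissions as the credentials they protect.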