From be1588606ee0d923357d3e8649de36e88c9ba7cf Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Thu, 18 Dec 2025 21:24:10 +0530 Subject: [PATCH 1/7] Prefer MinGit ssh over system OpenSSH on Windows, keeping OpenSSH as fallback --- .../org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 8fe922e6c8..5f31a34d80 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java @@ -2685,6 +2685,15 @@ public File getSSHExecutable() { } } + // Check for ssh.exe on the system PATH as last resort (supports Microsoft OpenSSH and other alternate implementations) + String sshPath = getPathToExe("ssh"); + if (sshPath != null) { + sshexe = new File(sshPath); + if (sshexe.exists()) { + return sshexe; + } + } + throw new RuntimeException( "ssh executable not found. The git plugin only supports official git client https://git-scm.com/download/win"); } From 0323d28f253b1c12354fa8f69f17d01b5d38b4c8 Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Thu, 18 Dec 2025 22:29:58 +0530 Subject: [PATCH 2/7] Enhance SSH command options for improved security by adding BatchMode and disabling PasswordAuthentication --- .../java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 5f31a34d80..56aa23ae60 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java 
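Review bot: The exception message right after the added PATH fallback still says the plugin "only supports official git client", although the new block accepts any `ssh` that `getPathToExe("ssh")` resolves. The message should name what was actually searched, for example `"ssh executable not found in the Git for Windows locations or on PATH"`. The added `sshexe.exists()` check is also true for a directory; `if (sshexe.isFile()) {` is the tighter test for a binary that will be handed the private key through `-i`. Because that binary now depends on the agent's environment, writing the resolved absolute path to the build log would let an operator audit which ssh was used. `getSSHExecutable()` starts above this hunk, so the earlier lookups are not visible here.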
@@ -2710,7 +2710,8 @@ Path createWindowsGitSSH(Path key, String user, Path knownHosts) throws IOExcept w.write("setlocal enabledelayedexpansion"); w.newLine(); w.write("\"" + sshexe.getAbsolutePath() - + "\" -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " + + "\" -T -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " + + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " %* "); w.newLine(); } @@ -2733,7 +2734,8 @@ Path createUnixGitSSH(Path key, String user, Path knownHosts) throws IOException w.newLine(); w.write("fi"); w.newLine(); - w.write("ssh -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " + w.write("ssh -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " + + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " \"$@\""); w.newLine(); } From 135b8a2085e521cb0a17710ba4213f8a8fa94d52 Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Thu, 18 Dec 2025 22:31:03 +0530 Subject: [PATCH 3/7] apply mvn spotless:apply --- .../java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 56aa23ae60..696a7e7109 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java @@ -2685,7 +2685,8 @@ public File getSSHExecutable() { } } - // Check for ssh.exe on the system PATH as last resort (supports Microsoft OpenSSH and other alternate implementations) + // Check for ssh.exe on the system PATH as last resort (supports Microsoft OpenSSH and other alternate + // implementations) String sshPath = getPathToExe("ssh"); if (sshPath != null) { sshexe = new File(sshPath); 
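Review bot: `-o BatchMode=yes` in the `createWindowsGitSSH` hunk, and identically in the `createUnixGitSSH` hunk, disables passphrase querying as well as password prompts. If these wrappers are also used for passphrase-protected keys whose passphrase is supplied through an askpass helper (that setup is outside both hunks, so this is inferred), the key would fail to load instead of prompting the helper. A test with an encrypted key is worth adding before merging. If that path must keep working, `-o PasswordAuthentication=no -o KbdInteractiveAuthentication=no` alone stops password fallback without suppressing the passphrase query. The option literal is duplicated in both writers; a shared constant would keep the Windows and Unix scripts from drifting.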
From 9981442b1180f6dbb9dd697c17fd6fd848d6ce1a Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Fri, 19 Dec 2025 00:14:57 +0530 Subject: [PATCH 4/7] Refactor ssh executable search logic to prioritize system PATH check --- .../plugins/gitclient/CliGitAPIImpl.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 696a7e7109..62e27346ce 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java @@ -2626,6 +2626,15 @@ public File getSSHExecutable() { return sshexe; } + // Check for ssh.exe on the system PATH (supports Microsoft OpenSSH and other alternate implementations) + String sshPath = getPathToExe("ssh"); + if (sshPath != null) { + sshexe = new File(sshPath); + if (sshexe.exists()) { + return sshexe; + } + } + // Check Program Files sshexe = getFileFromEnv("ProgramFiles", "\\Git\\bin\\ssh.exe"); if (sshexe != null && sshexe.exists()) { @@ -2685,16 +2694,6 @@ public File getSSHExecutable() { } } - // Check for ssh.exe on the system PATH as last resort (supports Microsoft OpenSSH and other alternate - // implementations) - String sshPath = getPathToExe("ssh"); - if (sshPath != null) { - sshexe = new File(sshPath); - if (sshexe.exists()) { - return sshexe; - } - } - throw new RuntimeException( "ssh executable not found. The git plugin only supports official git client https://git-scm.com/download/win"); } From 9f337917f079acbc98843b1fbf206d859dcb901e Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Sat, 27 Dec 2025 21:01:51 +0530 Subject: [PATCH 5/7] Enhance SSH command options by adding -n flag to prevent reading from stdin --- .../java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
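Review bot: Moving the `getPathToExe("ssh")` block ahead of the Program Files lookups (first hunk) reverses the precedence stated in the first commit of this series, "Prefer MinGit ssh over system OpenSSH on Windows, keeping OpenSSH as fallback". After this change whatever `ssh` the agent's PATH resolves wins over a Git-bundled `ssh.exe`. That makes every PATH directory on the agent part of the trust boundary for the binary that receives the key file, so a PATH entry writable by a less-privileged account becomes a credential exposure risk. Keep the PATH check as the last step before the `throw`, or, if the new order is intended, say so in a comment such as `// PATH deliberately takes precedence over bundled Git ssh.exe: <reason>` and log the chosen path. How `getPathToExe` walks PATH is not visible in this hunk, and `getSSHExecutable()` begins above it.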
diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 62e27346ce..0728c75106 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java @@ -2710,7 +2710,7 @@ Path createWindowsGitSSH(Path key, String user, Path knownHosts) throws IOExcept w.write("setlocal enabledelayedexpansion"); w.newLine(); w.write("\"" + sshexe.getAbsolutePath() - + "\" -T -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " + + "\" -n -T -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " %* "); w.newLine(); @@ -2734,7 +2734,7 @@ Path createUnixGitSSH(Path key, String user, Path knownHosts) throws IOException w.newLine(); w.write("fi"); w.newLine(); - w.write("ssh -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " + w.write("ssh -n -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " \"$@\""); w.newLine(); From 4ed6db84fff9e7efb612982b9e85d500bae94da4 Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Sat, 27 Dec 2025 21:24:23 +0530 Subject: [PATCH 6/7] Enhance SSH command options by adding StrictHostKeyChecking for improved security --- .../java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 0728c75106..4d05524de4 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java 
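Review bot: The added `-n` in both the `createWindowsGitSSH` and `createUnixGitSSH` hunks redirects ssh's stdin from the null device, but git sends its protocol requests (ref negotiation on fetch, pack data on push) to the remote through the ssh process's stdin. With `-n` the remote side sees end-of-file instead of the client's request, so fetch and push over SSH are likely to fail or hang, even if a plain connection test still passes. Hanging on an interactive prompt is already prevented by `-o BatchMode=yes`, so the flag can be dropped: `"ssh -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" "`, and likewise for the Windows line. An integration test that performs a real clone through the generated wrapper would catch this.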
@@ -2711,7 +2711,7 @@ Path createWindowsGitSSH(Path key, String user, Path knownHosts) throws IOExcept w.newLine(); w.write("\"" + sshexe.getAbsolutePath() + "\" -n -T -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " - + "-o BatchMode=yes -o PasswordAuthentication=no " + + "-o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " %* "); w.newLine(); } @@ -2735,7 +2735,7 @@ Path createUnixGitSSH(Path key, String user, Path knownHosts) throws IOException w.write("fi"); w.newLine(); w.write("ssh -n -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " - + "-o BatchMode=yes -o PasswordAuthentication=no " + + "-o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " \"$@\""); w.newLine(); } From 227f469762ab72c699d0add869fe2d1b2a493fc1 Mon Sep 17 00:00:00 2001 From: Akash Manna Date: Sun, 28 Dec 2025 21:29:27 +0530 Subject: [PATCH 7/7] Remove StrictHostKeyChecking option from SSH command for improved flexibility --- .../java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java index 4d05524de4..0728c75106 100644 --- a/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java +++ b/src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java 
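Review bot: The hard-coded `-o StrictHostKeyChecking=yes` is written before `getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts)` in both hunks, and ssh keeps the first value it obtains for an option. If the configured verification strategy emits its own `StrictHostKeyChecking` value (its output is not visible here), that setting is silently overridden. A job configured for a different host key policy would then start failing, and the configuration UI would no longer describe what runs. Host key policy should stay in one place: remove the literal and let `getVerifyHostKeyOption` supply the option, tightening the default strategy itself if stricter checking is wanted.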
@@ -2711,7 +2711,7 @@ Path createWindowsGitSSH(Path key, String user, Path knownHosts) throws IOExcept w.newLine(); w.write("\"" + sshexe.getAbsolutePath() + "\" -n -T -i \"!JENKINS_GIT_SSH_KEYFILE!\" -l \"!JENKINS_GIT_SSH_USERNAME!\" " - + "-o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes " + + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " %* "); w.newLine(); } @@ -2735,7 +2735,7 @@ Path createUnixGitSSH(Path key, String user, Path knownHosts) throws IOException w.write("fi"); w.newLine(); w.write("ssh -n -T -i \"$JENKINS_GIT_SSH_KEYFILE\" -l \"$JENKINS_GIT_SSH_USERNAME\" " - + "-o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes " + + "-o BatchMode=yes -o PasswordAuthentication=no " + getHostKeyFactory().forCliGit(listener).getVerifyHostKeyOption(knownHosts) + " \"$@\""); w.newLine(); }
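Review bot: Nothing in the code records why `StrictHostKeyChecking` must not be hard-coded on these two `w.write` lines, so a later hardening pass could easily add it back. A comment above each write would carry the reason, for example `// Host key policy comes only from getVerifyHostKeyOption(); ssh keeps the first value given for an option, so do not add StrictHostKeyChecking here`. A unit test asserting that the generated wrapper contains exactly the host key options returned by `getVerifyHostKeyOption(knownHosts)` would pin this for both `createWindowsGitSSH` and `createUnixGitSSH`.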