What feature do you want to see added?
Please add support for SSH password authentication when launching Windows agents with AMI Type windows-ssh.
Today windows-ssh requires key-based SSH authentication using the configured EC2 key pair/private key. That works for basic process launch, but it creates a Windows network logon session that does not have the same current-user credential/DPAPI behavior as a password-authenticated logon.
For Windows build agents, some tools require a usable current-user security context. One concrete case is Azure Trusted Signing through SignTool.exe with Azure.CodeSigning.Dlib.dll. When using key auth, the current-user security context is not available so any signing commands will fail with Access Denied. If I could have Jenkins do SSH auth using a password instead these commands would work as expected.
WinRM actually has the same issue because it authenticates with NTLM and doesn't have a path for CredSSP, which is required for DPAPI to work correctly. So I'm kind of stuck not being able to run any commands via Jenkins that access credential or certificate APIs for the current user on windows.
Upstream changes
No response
Are you interested in contributing this feature?
No response
What feature do you want to see added?
Please add support for SSH password authentication when launching Windows agents with AMI Type
windows-ssh.Today
windows-sshrequires key-based SSH authentication using the configured EC2 key pair/private key. That works for basic process launch, but it creates a Windows network logon session that does not have the same current-user credential/DPAPI behavior as a password-authenticated logon.For Windows build agents, some tools require a usable current-user security context. One concrete case is Azure Trusted Signing through
SignTool.exewithAzure.CodeSigning.Dlib.dll. When using key auth, the current-user security context is not available so any signing commands will fail with Access Denied. If I could have Jenkins do SSH auth using a password instead these commands would work as expected.WinRM actually has the same issue because it authenticates with NTLM and doesn't have a path for CredSSP, which is required for DPAPI to work correctly. So I'm kind of stuck not being able to run any commands via Jenkins that access credential or certificate APIs for the current user on windows.
Upstream changes
No response
Are you interested in contributing this feature?
No response