Hmmm, I already hardened by that link:  https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing
something?

Thanks,
Eric

On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat <kuisathave...@gmail.com>
wrote:

> There is work in progress to bump the version of the library and convert
> the sshd-module into a plugin to resolve this kind of issue quickly. For the
> moment you can configure your sshd servers on the Agents side to not
> allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>
> https://github.com/jenkinsci/sshd-module/pull/37
> https://github.com/jenkinsci/sshd-module/pull/38
>
>
> On Tue, 9 Feb 2021 at 17:19, eric....@gmail.com (<eric.fet...@gmail.com>)
> wrote:
>
>> I'm sorry, I just saw the last comment on here and, once again, this
>> showed up on our vulnerability report.  I don't get exactly what I need to
>> do in order to fix this.  Can someone lay it out for me please?  Thanks -
>> Eric
>>
>> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
>> wrote:
>>
>>> I was wrong, you cannot configure the ciphers for the ssh server in the
>>> Java security files. The SSH server on Jenkins uses
>>> https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation
>>> of the ssh server does not read the sshd_config files, so it is not possible to
>>> configure the ssh server. Apache mina has deprecated and disabled those
>>> algorithms in 2.6.0 https://issues.apache.org/jira/browse/SSHD-1004,
>>> the sshd-module and CLI are using 1.7.0
>>> https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
>>> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77 So I
>>> guess both should bump the dependency to remove support for weak algorithms
>>>
>>>
>>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
>>> eric....@gmail.com wrote:
>>>
>>>> I think I found the solution to this:
>>>>
>>>>
>>>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>>>
>>>>
>>>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric....@gmail.com
>>>> wrote:
>>>>
>>>>> I'm confused.  It doesn't look like the ciphers the vulnerability is
>>>>> citing are allowed in the java.security file on this system.  We're
>>>>> getting flagged for:
>>>>>
>>>>>   hmac-md5
>>>>>   hmac-md5-96
>>>>>   hmac-sha1-96
>>>>>
>>>>> Settings are:
>>>>>
>>>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize <
>>>>> 1024, \
>>>>>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>>>
>>>>> Am I missing this? Not a Java security expert by any means...  Thanks!
>>>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
>>>>> wrote:
>>>>>
>>>>>> Yes, to configure the ciphers accepted by your JDK, edit the
>>>>>> file lib\security\java.security (the path will vary based on your Java
>>>>>> version)
>>>>>>
>>>>>> On Monday, 24 August 2020 at 16:48:22 UTC+2,
>>>>>> eric....@gmail.com wrote:
>>>>>>
>>>>>>> Hi all!  I'm getting hit by my security team for a vulnerability for
>>>>>>> the Jenkins CLI via ssh allowing the following weak ciphers:
>>>>>>>
>>>>>>>   hmac-md5
>>>>>>>   hmac-md5-96
>>>>>>>   hmac-sha1-96
>>>>>>>
>>>>>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Eric
>>>>>>>
>>>>>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Jenkins Users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/jenkinsci-users/f84HCfhF4vY/unsubscribe
>> .
>> To unsubscribe from this group and all its topics, send an email to
>> jenkinsci-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/07db750a-9c00-40ee-bc68-0a2b051c48fdn%40googlegroups.com
>> <https://groups.google.com/d/msgid/jenkinsci-users/07db750a-9c00-40ee-bc68-0a2b051c48fdn%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> --
> Regards
> Iván Fernández Calvo
> https://www.linkedin.com/in/iv%C3%A1n-fern%C3%A1ndez-calvo-21425033
>
>

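The thread's confusion is which SSH endpoint the scanner is actually talking to: the OpenSSH daemon governed by sshd_config, or the Apache MINA based server embedded in Jenkins, which ignores that file and java.security. A direct check is to read the MAC name-lists a server advertises in its SSH_MSG_KEXINIT before any key exchange happens. The script below is an added example (not code from the thread, Jenkins or Apache MINA); the probe function, the field names and the constructed sample packet are all assumptions of this example.

```python
import socket
import struct

# MACs the scanner in this thread flagged: MD5-based and truncated-tag HMACs.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 s7.1)."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message id and the 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        out[name] = payload[pos:pos + n].decode("ascii").split(",") if n else []
        pos += n
    return out

def weak_macs_offered(kex: dict) -> set:
    """Weak MACs the server advertises in either direction."""
    return WEAK_MACS & (set(kex["mac_c2s"]) | set(kex["mac_s2c"]))

def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload; used only to construct the offline sample below."""
    body = bytes([20]) + b"\x00" * 16  # message id, constructed all-zero cookie
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send our identification string, then read the server's KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-macprobe\r\n")
        f = sock.makefile("rb")
        next(line for line in f if line.startswith(b"SSH-"))  # skip pre-banner text
        length, pad = struct.unpack(">IB", f.read(5))  # packet is still unencrypted
        body = f.read(length - 1)
        return parse_kexinit(body[:len(body) - pad])

# Constructed sample: CTR ciphers only (as in the sshd_config above), yet weak
# MACs are still offered, which is exactly the situation the scanner reports.
SAMPLE = build_kexinit({
    "kex": ["ecdh-sha2-nistp256"], "hostkey": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5", "hmac-sha1-96"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Calling probe() against the Jenkins SSH port and against port 22 on the same host shows which service still offers the flagged MACs, so a sshd_config change that only affects OpenSSH is not mistaken for a fix of the embedded server.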