[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
rsandell assigned an issue to rsandell

Jenkins / JENKINS-33021 trilead ssh MAC and key exchange algorithms severely outdated

Change By: rsandell
Assignee: rsandell

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
stephenconnolly updated an issue

Change By: stephenconnolly
Component/s: credentials-plugin
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Oleg Nenashev commented on JENKINS-33021:

From what I see "no". Kohsuke was just a default assignee, but he rarely works on plugins now. Removed the assignee.
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Oleg Nenashev assigned an issue to Unassigned

Change By: Oleg Nenashev
Assignee: Kohsuke Kawaguchi
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Yanick Girouard commented on JENKINS-33021:

Has anyone found a working solution to this issue that doesn't involve changing accepted ciphers on the slaves?
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Juan Martinez commented on JENKINS-33021:

Having this same issue in Jenkins 2.x and SSH plugin 1.11. Our problem is the key exchange when checking out SVN repos.
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Emma Laurijssens commented on JENKINS-33021:

Couldn't find a similar issue when I created this one, but apparently it did exist.
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Antoine Musso updated an issue

Change By: Antoine Musso
Component/s: credentials-plugin
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Antoine Musso commented on JENKINS-33021:

I have added a trace / some details from the duplicate task I have filed, JENKINS-36873.

As I understand it, that Java installation is stale/no longer updated by upstream, and Jenkins core provides its own fork. Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle?

The workaround is to configure the slaves with some outdated algorithms supported by Trilead.

Our bug, for my own reference: https://phabricator.wikimedia.org/T103351
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Antoine Musso updated an issue

Change By: Antoine Musso

The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

{noformat}
sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac...@openssh.com,hmac-ripemd160 [preauth]
{noformat}

In [JENKINS-14709|http://jenkins-ci.org/issue/14709] a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: [Ganymed commits|https://code.google.com/archive/p/ganymed-ssh-2/source/default/commits]. It does seem to support hmac-sha2 macs though.

From JENKINS-36873 (dupe)

The ssh credentials plugin is unable to connect to slaves that have newer algorithms.

The keys from Jenkins (client) and slave (server below) have:

{noformat}
fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com [preauth]
{noformat}

Jenkins yields a trace:

{noformat}
[06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
[06/22/15 14:49:06] Launch failed - cleaning up connection
[06/22/15 14:49:06] [SSH] Connection closed.
{noformat}

On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256 but that is not supported by Trilead SSH.
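
Added example, not part of the original thread and not Jenkins or Trilead code: a small parser for the sshd "no matching mac found" line quoted above. It applies the SSH negotiation rule (RFC 4253, section 7.1: the first client algorithm that the server also lists) to show why the handshake fails and what the workaround of re-enabling an old MAC on the server would end up negotiating. The log lines are constructed in the format quoted in the issue, and `LEGACY_MACS` is an assumed policy list.

```python
import re

# Constructed sample lines in the sshd format quoted in the issue (not real logs).
SAMPLE_LOG = """\
sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,hmac-ripemd160 [preauth]
sshd[9811]: fatal: no matching mac found: client hmac-sha1,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]
sshd[9812]: Accepted publickey for jenkins from 192.0.2.10 port 50522 ssh2
"""

LINE_RE = re.compile(
    r"no matching mac found: client (?P<client>\S+) server (?P<server>\S+)"
)

# Assumption: MACs this example treats as legacy (MD5- or SHA-1-based).
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def negotiate(client, server):
    """RFC 4253 section 7.1: first client algorithm the server also lists."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def analyse(log_text):
    """Return one finding per MAC negotiation failure found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a MAC negotiation failure
        client = m["client"].split(",")
        server = m["server"].split(",")
        findings.append({
            "agreed": negotiate(client, server),
            "client_only_legacy": all(a in LEGACY_MACS for a in client),
            "server_offers_legacy": sorted(LEGACY_MACS & set(server)),
            # What the workaround (server re-enables hmac-sha1) would negotiate.
            "if_server_adds_sha1": negotiate(client, server + ["hmac-sha1"]),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A finding with `client_only_legacy` set and `agreed` empty points at the client library, not the server, as the side that needs updating.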
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Antoine Musso updated an issue

Change By: Antoine Musso

The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

{noformat}
sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac...@openssh.com,hmac-ripemd160 [preauth]
{noformat}

In [JENKINS-14709|http://jenkins-ci.org/issue/14709] a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: [Ganymed commits|https://code.google.com/archive/p/ganymed-ssh-2/source/default/commits]. It does seem to support hmac-sha2 macs though.
[JIRA] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated
Ryan An commented on JENKINS-33021:

I used another fork of Trilead ssh2 instead, which has sha256 implemented. It's called ConnectBot sshlib, available on GitHub: https://github.com/connectbot/sshlib