Hello,

      Today I faced an issue involving SSH with my Jenkins; the error is as follows:
      [SSH] Exception:Algorithm negotiation fail
      com.jcraft.jsch.JSchException: Algorithm negotiation fail
      at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
      at com.jcraft.jsch.Session.connect(Session.java:286)
      at com.jcraft.jsch.Session.connect(Session.java:150)
      at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
      at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
      at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      at hudson.model.Build$BuildExecution.build(Build.java:199)
      at hudson.model.Build$BuildExecution.doRun(Build.java:160)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)

      This error happened because my OpenSSH version was just upgraded from 6.6 to 6.7 (as for most Debian jessie users); in the OpenSSH changelog you can clearly see "The default set of ciphers and MACs has been altered to remove unsafe algorithms".

      OpenSSH 6.7 default key exchange algorithms:

      • curve25519-sha256@libssh.org
      • ecdh-sha2-nistp256
      • ecdh-sha2-nistp384
      • ecdh-sha2-nistp521
      • diffie-hellman-group-exchange-sha256
      • diffie-hellman-group14-sha1

      Unfortunately ssh-credentials relies on JSch, which uses diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 for key exchange, and those algorithms are no longer part of the OpenSSH default key exchange algorithms.

      Since version 0.1.49, JSch supports diffie-hellman-group-exchange-sha256.
      I would suggest updating the ssh-credentials dependency to rely on JSch 0.1.49, so everybody feels up to date and secure.

          [JENKINS-25412] Update JSch to 0.1.49

          Uwe Hermann added a comment -

          Hi, any updates on this?

          I have the exact same issue:

          [SSH] Exception:Algorithm negotiation fail
          com.jcraft.jsch.JSchException: Algorithm negotiation fail
          at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
          at com.jcraft.jsch.Session.connect(Session.java:286)
          at com.jcraft.jsch.Session.connect(Session.java:150)
          at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
          at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
          at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
          at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
          at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
          at hudson.model.Build$BuildExecution.build(Build.java:199)
          at hudson.model.Build$BuildExecution.doRun(Build.java:160)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
          at hudson.model.Run.execute(Run.java:1718)
          at hudson.matrix.MatrixRun.run(MatrixRun.java:146)
          at hudson.model.ResourceController.execute(ResourceController.java:89)
          at hudson.model.Executor.run(Executor.java:240)
          Build step 'Execute shell script on remote host using ssh' marked build as failure


          Dennis Philpot added a comment -

          Hi, I would appreciate an update too!

          Antoine Musso added a comment - - edited

          Wikimedia faced the same issue when the ssh algorithm got tweaked. Downstream bugs are:

          https://phabricator.wikimedia.org/T100509 (incident report)
          https://phabricator.wikimedia.org/T100517 (tracking this Jenkins bug)

          The symptom was:

          fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]
          error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

          The related puppet change to /etc/ssh/sshd_config that fixed it for us:

          -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
          -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
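
          Review bot: Both pinned lists are removed outright, so sshd falls back to its built-in KexAlgorithms and MACs for every client, not only Jenkins, and nothing in the change records that this is a workaround. The log line above shows the client offering only hmac-sha1-96, hmac-sha1, hmac-md5-96 and hmac-md5, so add a comment in the manifest pointing at T100517 and restore the two lines once the client side can negotiate within the pinned lists.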

          The SSH agent plugin depends on https://github.com/jenkinsci/ssh-credentials-plugin which we are running at version 1.11.

          The pom.xml lists com.jcraft jsch version 0.1.42. The lib changelog is http://www.jcraft.com/jsch/ChangeLog and:

          algo                                   jsch version
          aes256-ctr                             0.1.40
          diffie-hellman-group-exchange-sha256   0.1.49

          Both made to be defaults with 0.1.51.

          So bumping to 0.1.49 would provide diffie-hellman-group-exchange-sha256 and solve the issue for us.

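Added example (not part of the original issue or of the plugin's code): the negotiation rule behind both failures reported in this thread, run over the key exchange lists from the issue description and the sshd log line from the Wikimedia comment. The position of diffie-hellman-group-exchange-sha256 in the newer client list is an assumption, and all function names are illustrative.

```python
import re

# OpenSSH 6.7 default key exchange algorithms, as listed in the issue description.
OPENSSH_67_KEX = [
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
# KEX algorithms the issue description attributes to the bundled JSch.
JSCH_OLD_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
# Assumption: a bumped client offers the SHA-256 exchange first (order constructed).
JSCH_NEW_KEX = ["diffie-hellman-group-exchange-sha256"] + JSCH_OLD_KEX

# sshd log line quoted in the Wikimedia comment.
SSHD_LINE = ("fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,"
             "hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]")

MISMATCH_RE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found: client (?P<client>\S+) server (?P<server>\S+)")


def negotiate(client, server):
    """First name on the client's list that the server also lists (RFC 4253, 7.1).

    Simplified: ignores the extra host-key conditions the RFC attaches to KEX.
    Returns None when the lists do not overlap, i.e. negotiation fails.
    """
    offered = set(server)
    return next((name for name in client if name in offered), None)


def legacy(names):
    """Names built on SHA-1 or MD5 (matches 'sha1' but not 'sha2-...' or 'sha256')."""
    return [n for n in names if re.search(r"sha1|md5", n)]


def parse_mismatch(line):
    """Split an sshd 'no matching ... found' line into both offers and the overlap."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    client, server = m["client"].split(","), m["server"].split(",")
    return {"kind": m["kind"], "client": client, "server": server,
            "agreed": negotiate(client, server), "legacy_offered": legacy(client)}


if __name__ == "__main__":
    print("old JSch KEX :", negotiate(JSCH_OLD_KEX, OPENSSH_67_KEX))
    print("new JSch KEX :", negotiate(JSCH_NEW_KEX, OPENSSH_67_KEX))
    print("sshd log line:", parse_mismatch(SSHD_LINE))
```

Running `parse_mismatch` over sshd's auth log before tightening `KexAlgorithms` or `MACs` shows which clients would be locked out and whether everything they offer is SHA-1 or MD5 based.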

          Antoine Musso added a comment -

          I am proposing the bump with the lame patch https://github.com/jenkinsci/ssh-credentials-plugin/pull/14


          Stephen Connolly added a comment -

          Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

            theo01 theo .