
Update JSch to 0.1.49


Details

    Description

      Hello,

      Today I faced an issue involving SSH with my Jenkins; the error is as follows:
      [SSH] Exception:Algorithm negotiation fail
      com.jcraft.jsch.JSchException: Algorithm negotiation fail
      at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
      at com.jcraft.jsch.Session.connect(Session.java:286)
      at com.jcraft.jsch.Session.connect(Session.java:150)
      at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
      at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
      at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      at hudson.model.Build$BuildExecution.build(Build.java:199)
      at hudson.model.Build$BuildExecution.doRun(Build.java:160)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)

      This error happened because my OpenSSH version was just upgraded from 6.6 to 6.7 (as for most Debian jessie users); in the OpenSSH changelog you can clearly see "The default set of ciphers and MACs has been altered to remove unsafe algorithms".

      OpenSSH 6.7 default key exchange algorithms:

      • curve25519-sha256@libssh.org
      • ecdh-sha2-nistp256
      • ecdh-sha2-nistp384
      • ecdh-sha2-nistp521
      • diffie-hellman-group-exchange-sha256
      • diffie-hellman-group14-sha1

      Unfortunately ssh-credentials relies on JSch, which uses diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 for key exchange, and those algorithms are no longer part of OpenSSH's default key exchange algorithms.

      Since version 0.1.49 JSch supports diffie-hellman-group-exchange-sha256.
      I would suggest updating the ssh-credentials dependency to rely on JSch 0.1.49, so everybody feels up to date and secure.

          Activity

            stephenconnolly Stephen Connolly added a comment -

            Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA.
            hashar Antoine Musso added a comment -

            I am proposing the bump with the lame patch https://github.com/jenkinsci/ssh-credentials-plugin/pull/14

            hashar Antoine Musso added a comment - - edited

            Wikimedia faced the same issue when the ssh algorithm got tweaked. Downstream bugs are:

            https://phabricator.wikimedia.org/T100509 (incident report)
            https://phabricator.wikimedia.org/T100517 (tracking this Jenkins bug)

            The symptom was:

            fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]
            error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

            The related puppet change to /etc/ssh/sshd_config that fixed it for us:

            -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
            -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

            The SSH agent plugin depends on https://github.com/jenkinsci/ssh-credentials-plugin which we are running at version 1.11.

            The pom.xml lists com.jcraft jsch version 0.1.42. The lib changelog is http://www.jcraft.com/jsch/ChangeLog and:

            algo                                   jsch version
            aes256-ctr                             0.1.40
            diffie-hellman-group-exchange-sha256   0.1.49

            Both made to be defaults with 0.1.51.

            So bumping to 0.1.49 would provide diffie-hellman-group-exchange-sha256 and solve the issue for us.

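As an added illustration (not code from this issue, from JSch or from the plugin), here is the SSH negotiation rule that produces both the "Algorithm negotiation fail" in the description and the "no matching mac found" line in the Wikimedia comment, run over the algorithm lists quoted on this page; the preference order of the JSch 0.1.49 list is an assumption.

```python
# SSH algorithm negotiation as defined in RFC 4253, section 7.1: each side
# sends its supported algorithms in preference order and, per algorithm
# family, the first CLIENT entry that the server also lists is chosen.  No
# common entry means the connection fails before authentication, which JSch
# surfaces as "Algorithm negotiation fail".  The lists below are taken from
# the comments in this issue, except JSCH_0149_KEX, whose order is assumed.

# OpenSSH 6.7 default KexAlgorithms, as listed in the description.
OPENSSH_67_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
# Key exchange offered by the JSch bundled with ssh-credentials 1.11 (0.1.42).
JSCH_0142_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
# JSch 0.1.49 adds diffie-hellman-group-exchange-sha256 (assumed to be preferred).
JSCH_0149_KEX = ["diffie-hellman-group-exchange-sha256"] + JSCH_0142_KEX
# MAC lists from the sshd log line quoted in the Wikimedia comment.
WMF_CLIENT_MACS = ["hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"]
WMF_SERVER_MACS = ["hmac-sha2-512", "hmac-sha2-256"]


def negotiate(client, server):
    """Return the first client algorithm the server also supports, else None."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def diagnose(client_kexinit, server_kexinit):
    """Negotiate every family (dicts of family -> preference list).

    Returns (chosen, failed): chosen maps each family to the selected
    algorithm; failed lists families with no common entry, i.e. what must
    be added on the client side or re-enabled on the server side.
    """
    chosen, failed = {}, []
    for family, client_list in client_kexinit.items():
        picked = negotiate(client_list, server_kexinit.get(family, []))
        if picked is None:
            failed.append(family)
        else:
            chosen[family] = picked
    return chosen, failed
```

Running `diagnose({"kex": JSCH_0142_KEX}, {"kex": OPENSSH_67_KEX})` reports `kex` as failed, while the same call with `JSCH_0149_KEX` selects diffie-hellman-group-exchange-sha256, which is exactly why the bump fixes the build.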

            dphilpot Dennis Philpot added a comment -

            Hi, I would appreciate an update too!
            uwehermann Uwe Hermann added a comment -

            Hi, any updates on this?

            I have the exact same issue:

            [SSH] Exception:Algorithm negotiation fail
            com.jcraft.jsch.JSchException: Algorithm negotiation fail
            at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
            at com.jcraft.jsch.Session.connect(Session.java:286)
            at com.jcraft.jsch.Session.connect(Session.java:150)
            at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
            at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
            at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
            at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
            at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
            at hudson.model.Build$BuildExecution.build(Build.java:199)
            at hudson.model.Build$BuildExecution.doRun(Build.java:160)
            at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
            at hudson.model.Run.execute(Run.java:1718)
            at hudson.matrix.MatrixRun.run(MatrixRun.java:146)
            at hudson.model.ResourceController.execute(ResourceController.java:89)
            at hudson.model.Executor.run(Executor.java:240)
            Build step 'Execute shell script on remote host using ssh' marked build as failure


            People

              Unassigned Unassigned
              theo01 theo .