Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25412

Update JSch to 0.1.49





      Today I faced an issue involving SSH with my Jenkins, the error is as follow:
      [SSH] Exception:Algorithm negotiation fail
      com.jcraft.jsch.JSchException: Algorithm negotiation fail
      at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
      at com.jcraft.jsch.Session.connect(Session.java:286)
      at com.jcraft.jsch.Session.connect(Session.java:150)
      at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
      at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
      at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      at hudson.model.Build$BuildExecution.build(Build.java:199)
      at hudson.model.Build$BuildExecution.doRun(Build.java:160)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)

      This error happened because my OpenSSH version just upgraded from 6.6 to 6.7 (as most debian jessie users), in the OpenSSH changelog you can clearly see "The default set of ciphers and MACs has been altered to remove unsafe algorithms".

      OpenSSH 6.7 default key exchange algorithms:

      • curve25519-sha256@libssh.org
      • ecdh-sha2-nistp256
      • ecdh-sha2-nistp384
      • ecdh-sha2-nistp521
      • diffie-hellman-group-exchange-sha256
      • diffie-hellman-group14-sha1

      Unfortunately ssh-credentials rely on JSch which use diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 for key exchange, and those algorithms are no longer part of OpenSSH default key exchange algos.

      Since version 0.1.49 JSch support diffie-hellman-group-exchange-sha256.
      I would suggest to update ssh-credentials dependency to rely on JSch 0.1.49, so everybody feel up to date and secure.


        Issue Links


            theo01 theo . created issue -
            hashar Antoine Musso made changes -
            Field Original Value New Value
            Issue Type Improvement [ 4 ] Patch [ 5 ]
            tmotyl Tymoteusz Motylewski made changes -
            Link This issue duplicates JENKINS-25258 [ JENKINS-25258 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 159378 ] JNJira + In-Review [ 179962 ]
            stephenconnolly Stephen Connolly made changes -
            Assignee Stephen Connolly [ stephenconnolly ]


              Unassigned Unassigned
              theo01 theo .
              3 Vote for this issue
              6 Start watching this issue