Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25412

Update JSch to 0.1.49

    XMLWordPrintable

Details

    Description

      Hello,

      Today I faced an issue involving SSH with my Jenkins, the error is as follow:
      [SSH] Exception:Algorithm negotiation fail
      com.jcraft.jsch.JSchException: Algorithm negotiation fail
      at com.jcraft.jsch.Session.receive_kexinit(Session.java:520)
      at com.jcraft.jsch.Session.connect(Session.java:286)
      at com.jcraft.jsch.Session.connect(Session.java:150)
      at org.jvnet.hudson.plugins.SSHSite.createSession(SSHSite.java:141)
      at org.jvnet.hudson.plugins.SSHSite.executeCommand(SSHSite.java:151)
      at org.jvnet.hudson.plugins.SSHBuilder.perform(SSHBuilder.java:60)
      at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      at hudson.model.Build$BuildExecution.build(Build.java:199)
      at hudson.model.Build$BuildExecution.doRun(Build.java:160)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)

      This error happened because my OpenSSH version just upgraded from 6.6 to 6.7 (as most debian jessie users), in the OpenSSH changelog you can clearly see "The default set of ciphers and MACs has been altered to remove unsafe algorithms".

      OpenSSH 6.7 default key exchange algorithms:

      • curve25519-sha256@libssh.org
      • ecdh-sha2-nistp256
      • ecdh-sha2-nistp384
      • ecdh-sha2-nistp521
      • diffie-hellman-group-exchange-sha256
      • diffie-hellman-group14-sha1

      Unfortunately ssh-credentials rely on JSch which use diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 for key exchange, and those algorithms are no longer part of OpenSSH default key exchange algos.

      Since version 0.1.49 JSch support diffie-hellman-group-exchange-sha256.
      I would suggest to update ssh-credentials dependency to rely on JSch 0.1.49, so everybody feel up to date and secure.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              theo01 theo .
              Votes:
              3 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: