I am able to connect from other hosts using same ssh credentials

magneto09 : any news about your problem ? did you succeed to solve it ? I have the same problem and even after double checked everything I can't fix my problem.

magneto09 https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue#Howtoreportanissue-WhatinformationtoprovideforEnvironmentandDescription

For fdrouet the issue occurs when moving an agent from a server to another (same account, same ssh key).
The main difference between servers hosting the agents : the old is an ubuntu 12.04 and the new one an ubuntu 14.04
Doing a diff between verbose connexion logs of a classical ssh gives :

jenkins@master:~$ diff -u old new
--- old	2015-06-08 22:38:39.000000000 +0200
+++ new	2015-06-08 22:37:53.000000000 +0200
@@ -1,7 +1,7 @@
 OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 19: Applying options for *
-debug1: Connecting to old [A.B.C.D] port 22.
+debug1: Connecting to new [E.F.G.H] port 22.
 debug1: Connection established.
 debug1: identity file /opt/jenkins/.ssh/id_rsa type 1
 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
@@ -11,20 +11,22 @@
 debug1: identity file /opt/jenkins/.ssh/id_dsa-cert type -1
 debug1: identity file /opt/jenkins/.ssh/id_ecdsa type -1
 debug1: identity file /opt/jenkins/.ssh/id_ecdsa-cert type -1
-debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
-debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH*
+debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
+debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
-debug1: kex: server->client aes128-ctr hmac-md5 none
-debug1: kex: client->server aes128-ctr hmac-md5 none
-debug1: sending SSH2_MSG_KEX_ECDH_INIT
-debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
-debug1: Server host key: ECDSA 7f:04:0f:f4:64:0c:82:8a:15:0a:2d:f9:d3:bf:8f:60
-debug1: Host 'old' is known and matches the ECDSA host key.
-debug1: Found key in /opt/jenkins/.ssh/known_hosts:10
-debug1: ssh_ecdsa_verify: signature correct
+debug1: kex: server->client aes128-ctr hmac-sha2-256 none
+debug1: kex: client->server aes128-ctr hmac-sha2-256 none
+debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
+debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
+debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
+debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
+debug1: Server host key: RSA b8:92:db:37:ba:2d:c6:52:0e:82:da:6d:4b:2e:83:ca
+debug1: Host 'new' is known and matches the RSA host key.
+debug1: Found key in /opt/jenkins/.ssh/known_hosts:8
+debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
@@ -37,7 +39,7 @@
 debug1: Server accepts key: pkalg ssh-rsa blen 279
 debug1: read PEM private key done: type RSA
 debug1: Authentication succeeded (publickey).
-Authenticated to old ([A.B.C.D]:22).
+Authenticated to new ([E.F.G.H]:22).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 debug1: Entering interactive session.
@@ -45,3 +47,4 @@
 debug1: Sending env LC_ALL = en_US.UTF-8
 debug1: Sending env LANG = en_GB.UTF-8
 debug1: Sending env LC_CTYPE = UTF-8

I have found a workaround which allow my jenkins server (akka master) (Ubuntu 12.04 + jdk-oracle-7u67-x64) to start a Jenkins slave agent on the new server (Ubuntu 14.04) by commenting the MACs ... configuration line on the new server /etc/ssh/sshd_config file.

After reloading SSH server, no more problem for jenkins master to establish a ssh connexion.

For information, the MACs parameter of my new server was :

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

fdrouet Can you tell us what is the default MACs value (man sshd_config must give you the list AFAIR) thus the one which is working ....

The man on my Ubuntu 14.04 server says :

     MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used in protocol version 2 for data integrity protection.  Multiple algorithms must be comma-separated.  The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac).  These are
             considered safer and their use recommended.  The default is:

                   hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
                   umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                   hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
                   hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
                   hmac-md5-96-etm@openssh.com,
                   hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
                   hmac-sha1-96,hmac-md5-96

Additional note on fdrouet case, the exception was :

[06/09/15 00:36:25] [SSH] Opening SSH connection to new:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
[06/09/15 00:36:25] Launch failed - cleaning up connection
[06/09/15 00:36:25] [SSH] Connection closed.

The important error is Key exchange was not finished, connection is closed. I'm not sure if it couldn't be better to open a dedicated issue just for this problem. JERKINS-26379 is too generic and without enough details (or we change its subject but I'm not sure this is the problem that magneto09 had)

I'm running into the same error as Frédéric when trying to connect to a slave with Jenkins 1.617 (both up-to-date CentOS 7 VM's) if I specify MACs as

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

If I remove the MACs config completely from /etc/ssh/sshd_config on the slave and it uses the default, it works. Trying to find out what the problem was has actually cost me a day, so please respond if you need more info to solve this issue. For the moment my workaround is to use default MACs on build node ssh config. But if you have any info on which MAC algorithm should work, I'd be glad to test it out.

I saw the exception that aheritier listed above. The remote OS was not running (behind a firewall with port forwarding if it makes a difference.)

credentials are set to use a private key.

Jenkins 1.609.3
JDK 8 on Windows 8 64bit
ssh-credentials 1.11
credentials plugin 1.23
ssh slaves 1.10

[09/17/15 11:25:46] [SSH] Opening SSH connection to some.remote.host:22.
Connection timed out: connect
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
[09/17/15 11:26:07] Launch failed - cleaning up connection
[09/17/15 11:26:07] [SSH] Connection closed.

Limited Key Exchange Algorithms are supported

https://github.com/jenkinsci/ssh-slaves-plugin/blob/master/src/main/java/hudson/plugins/sshslaves/SFTPClient.java references com.trilead.ssh2.Connection

SSH Library in use therefor is https://github.com/jenkinsci/trilead-ssh2

https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/transport/KexManager.java#L416-L449 https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/transport/KexManager.java#L326-L341

Illustrate that only diffie-hellman-group-exchange-sha1 && diffie-hellman-group1-sha1 are supported for key exchange

As noted by google sha1 is to be considered weak: https://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

In short, the trilead-ssh2 library needs to be updated to add support for more current key exchange algorithms

e.g.

• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256

Limited MAC algortihms are supported

https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/crypto/digest/MAC.java#L19

Shows support only for weaker MAC algorithms: "hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"

More current algorithms should be considered and the library updated to support them.

e.g.

• hmac-sha2-512-etm@openssh.com
• hmac-sha2-256-etm@openssh.com
• hmac-ripemd160-etm@openssh.com
• umac-128-etm@openssh.com
• hmac-sha2-51
• hmac-sha2-256
• hmac-ripemd160
• umac-128@openssh.com

Summary

https://github.com/jenkinsci/trilead-ssh2 does not meet the more stringent requirements faced when used in a hardened SSH configuration envrionment; this is likely to become an increasing issue as more users move to a more secure configuration.

As such the library must be updated or replaced to bring in support for more secure algorithms, otherwise users are forced to deploy a known weak configuration to continue using this feature.

I'm having the same issue. The unix slave (cent os) has been running for months and suddenly, last week (January 30th), I have started to have the same issue described here. We probably did update some Jenkins plugins, but not Jenkins itself. I would need to ask the IT department if something has changed regarding firewalls, other security, ... but I doubt it.

Jenkins folks, Is it possible to get an indication of when this issue might be resolved? We have a security requirement from our client that is impacting, and are keen to at least be able to report on when a resolution might be planned. Thanks!

Same here. Haven't got a clue why this suddenly started occurring. Worked fine for months...

My logs after restart of my Jenkins master VM (deleting all logs before starting Jenkins again).

feb 18, 2016 12:06:36 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
feb 18, 2016 12:06:36 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: jetty-winstone-2.9
feb 18, 2016 12:06:40 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: NO JSP Support for , did not find org.apache.jasper.servlet.JspServlet
feb 18, 2016 12:06:41 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Started SelectChannelConnector@0.0.0.0:8080
feb 18, 2016 12:06:41 PM winstone.Logger logInternal
INFO: Winstone Servlet Engine v2.0 running: controlPort=disabled
feb 18, 2016 12:06:42 PM jenkins.InitReactorRunner$1 onAttained
INFO: Started initialization
feb 18, 2016 12:06:42 PM jenkins.InitReactorRunner$1 onAttained
INFO: Listed all plugins
Feb 18, 2016 12:06:43 PM jenkins.InitReactorRunner$1 onAttained
INFO: Prepared all plugins
Feb 18, 2016 12:06:56 PM jenkins.InitReactorRunner$1 onAttained
INFO: Started all plugins
Feb 18, 2016 12:06:56 PM jenkins.InitReactorRunner$1 onAttained
INFO: Augmented all extensions
Feb 18, 2016 12:06:56 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect DEV-G-UX
Feb 18, 2016 12:06:56 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect SRV-CI-MADE-UNIX
Feb 18, 2016 12:07:01 PM jenkins.InitReactorRunner$1 onAttained
INFO: Loaded all jobs
Feb 18, 2016 12:07:02 PM hudson.model.AsyncPeriodicWork$1 run
INFO: Started Download metadata
Feb 18, 2016 12:07:02 PM hudson.model.AsyncPeriodicWork$1 run
INFO: Finished Download metadata. 3 ms
Feb 18, 2016 12:07:04 PM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@2e6b353e: display name [Root WebApplicationContext]; startup date [Thu Feb 18 12:07:04 CET 2016]; root of context hierarchy
Feb 18, 2016 12:07:04 PM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory
INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@2e6b353e]: org.springframework.beans.factory.support.DefaultListableBeanFactory@646d5af4
Feb 18, 2016 12:07:04 PM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@646d5af4: defining beans [authenticationManager]; root of factory hierarchy
Feb 18, 2016 12:07:04 PM org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@196a1c5d: display name [Root WebApplicationContext]; startup date [Thu Feb 18 12:07:04 CET 2016]; root of context hierarchy
Feb 18, 2016 12:07:04 PM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory
INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@196a1c5d]: org.springframework.beans.factory.support.DefaultListableBeanFactory@508b1fd3
Feb 18, 2016 12:07:04 PM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@508b1fd3: defining beans [filter,legacy]; root of factory hierarchy
Feb 18, 2016 12:07:04 PM org.jenkinsci.main.modules.sshd.SSHD start
INFO: Started SSHD at port 49503
Feb 18, 2016 12:07:04 PM jenkins.InitReactorRunner$1 onAttained
INFO: Completed initialization
Feb 18, 2016 12:07:04 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect DEV-G-UX
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Started initialization
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Listed all plugins
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Prepared all plugins
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Started all plugins
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Augmented all extensions
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Loaded all jobs
Feb 18, 2016 12:07:09 PM jenkins.InitReactorRunner$1 onAttained
INFO: Completed initialization
Feb 18, 2016 12:07:09 PM hudson.WebAppMain$3 run
INFO: Jenkins is fully up and running
Feb 18, 2016 12:07:13 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #1 from /192.168.1.42:61342
Feb 18, 2016 12:07:14 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #2 from /192.168.1.164:57140
Feb 18, 2016 12:07:14 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #3 from /192.168.1.55:64914
Feb 18, 2016 12:07:14 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #4 from /192.168.1.124:57017
Feb 18, 2016 12:07:14 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #5 from /192.168.1.64:55873
Feb 18, 2016 12:07:15 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #6 from /192.168.222.40:54503
Feb 18, 2016 12:07:15 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #7 from /192.168.1.154:60209
Feb 18, 2016 12:07:21 PM javax.jmdns.impl.DNSStatefulObject$DefaultImplementation waitForAnnounced
WARNING: Wait for announced timed out: DNS: SRV-CI-MADE-WIN.local. state: announcing 1 task: Announcer(SRV-CI-MADE-WIN.local.) state: announcing 1
Feb 18, 2016 12:07:28 PM javax.jmdns.impl.DNSStatefulObject$DefaultImplementation waitForAnnounced
WARNING: Wait for announced timed out: DNS: SRV-CI-MADE-WIN.local. state: probing 2 task: Prober(SRV-CI-MADE-WIN.local.) state: probing 2
Feb 18, 2016 12:07:28 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect DEV-G-UX
Feb 18, 2016 12:08:28 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect DEV-G-UX
Feb 18, 2016 12:08:42 PM hudson.TcpSlaveAgentListener$ConnectionHandler run
INFO: Accepted connection #8 from /192.168.1.172:49192
Feb 18, 2016 12:09:28 PM hudson.slaves.SlaveComputer tryReconnect
INFO: Attempting to reconnect DEV-G-UX

Running from: C:\Jenkins\jenkins.war
webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
Jenkins home directory: C:\Jenkins found at: EnvVars.masterEnvVars.get("JENKINS_HOME")
[02/18/16 12:06:59] SSH Launch of DEV-G-UX on DEV-G-UX failed in 2,469 ms
[02/18/16 12:07:04] SSH Launch of DEV-G-UX on DEV-G-UX failed in 38 ms
[02/18/16 12:07:06] SSH Launch of SRV-CI-MADE-UNIX on 192.168.1.152 completed in 9,781 ms
[02/18/16 12:07:36] SSH Launch of DEV-G-UX on DEV-G-UX failed in 7,834 ms
[02/18/16 12:08:07] SSH Launch of DEV-G-UX on DEV-G-UX failed in 2,261 ms
[02/18/16 12:08:31] SSH Launch of DEV-G-UX on DEV-G-UX failed in 2,258 ms
[02/18/16 12:09:31] SSH Launch of DEV-G-UX on DEV-G-UX failed in 2,321 ms

In Jenkins:

[02/18/16 12:08:05] [SSH] Opening SSH connection to DEV-G-UX:22.
DEV-G-UX
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate(TrileadSSHPasswordAuthenticator.java:82)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[02/18/16 12:08:07] Launch failed - cleaning up connection
[02/18/16 12:08:07] [SSH] Connection closed.
[02/18/16 12:08:28] [SSH] Opening SSH connection to DEV-G-UX:22.
DEV-G-UX
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate(TrileadSSHPasswordAuthenticator.java:82)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[02/18/16 12:08:31] Launch failed - cleaning up connection
[02/18/16 12:08:31] [SSH] Connection closed.
[02/18/16 12:09:29] [SSH] Opening SSH connection to DEV-G-UX:22.
DEV-G-UX
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate(TrileadSSHPasswordAuthenticator.java:82)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[02/18/16 12:09:31] Launch failed - cleaning up connection
[02/18/16 12:09:31] [SSH] Connection closed.

Installing the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files doesn't resolve the issue.

Kind regards, Lieven Cardoen

Also doesn't work with root user.

Kind regards, Lieven Cardoen

Using port 443 instead of port 22 also doesn't work. (suggested by someone on Stackoverflow).

http://stackoverflow.com/questions/27226845/unable-to-start-slave-node-in-jenkins

Anything interesting in the sshd error log? Consider running as `sshd -d` (for OpenSSH) for verbose output logged to standard out. You'll probably find that there's no overlap between server and client supported key exchange algorithms as previously commented by oneiroi.

Where can I find the sshd error log?

How do you configure it in Jenkins to run as sshd -d?

Add -d in the JVM Options?

From the logs on the CentOs machine:

Feb 19 09:10:09 DEV-G-UX sshd[1122]: Accepted password for root from 192.168.1.65 port 57926 ssh2
Feb 19 09:10:09 DEV-G-UX sshd[1122]: pam_unix(sshd:session): session opened for user root by (uid=0)

But in Jenkins I still get:

[02/19/16 09:16:19] [SSH] Opening SSH connection to DEV-G-UX:22.
DEV-G-UX
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate(TrileadSSHPasswordAuthenticator.java:82)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[02/19/16 09:16:21] Launch failed - cleaning up connection
[02/19/16 09:16:21] [SSH] Connection closed.

But in Jenkins I still get

Are your clocks so much out of sync, or are you looking at two different events?

They could well be out of sync. Could that be the reason?

I don't know. I'm more concerned that you're looking at unrelated log entries.

there are two workaround ways:
1. update of "JSch dependency plugin" with jsch-0.1.53.jar
2. modify key exchange algorithm on your slave:
vi /etc/ssh/sshd_config
<<<
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Hi Anton,

Have added

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

curve25519... is unkown... ( Unsupported KEX algorithm "curve25519-sha256@libssh.org" ).

The plugin JSch dependency plugin wasn't even installed... So I installed it, but I don't know if that was of any use.

restarted sshd service.

In Jenkins still the same error...

Do I need to add Ciphers and/or MACs?

In my sshd_config there were no KexAlgorithms, Ciphers or MACs defined.

Lieven Cardoen

So in Jenkins:

[03/01/16 12:17:10] [SSH] Opening SSH connection to DEV-G-UX:22.
DEV-G-UX
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate(TrileadSSHPasswordAuthenticator.java:82)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[03/01/16 12:17:13] Launch failed - cleaning up connection
[03/01/16 12:17:13] [SSH] Connection closed.

In my sshd log file (actually /var/log/secure ) on Centos:

Mar 1 12:14:08 SRV-CI-MADE-UNIX sshd[14189]: Received signal 15; terminating.
Mar 1 12:14:08 SRV-CI-MADE-UNIX sshd[14289]: Server listening on 0.0.0.0 port 22.
Mar 1 12:14:08 SRV-CI-MADE-UNIX sshd[14289]: Server listening on :: port 22.

So I can't see any trace of my Jenkins trying to log in...

Lieven

Never mind. DNS problem apparently. With IP address it does work.

I had the same error, using the mDNS name, `localhost`, and `127.0.0.1` didn't work, but using the IP address on our local network did.

I have the same error and I use IP instead of hostname, and then the problem disappeared.
This should be fixed.

Putting in an IP address (instead of a hostname for DNS lookup) does not help my case. I'm still getting an exception:
com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPasswordAuthenticator.canAuthenticate

I am using Jenkins 2.19.3.

After adding valid Java path in Advanced... section of node configuration, above issue got resolved.

Code changed in jenkins
User: Oliver Gondža
Path:
src/main/java/hudson/plugins/sshslaves/SSHLauncher.java
http://jenkins-ci.org/commit/ssh-slaves-plugin/44d7e2f9b1c768c52002e06b3ebecf5399f81cdb
Log:
[FIXED JENKINS-26379][FIXED JENKINS-41163]JENKINS-34100 Do not swallow IOException in case it is not recoverable.

I've currently got Pull Requests raised for adding newer MAC, KEX and Key Algorithms into Trilead. These will add support for:

Key Exchange (KEX):

• diffie-hellman-group-exchange-sha256

MAC:

• hmac-sha2-512
• hmac-sha2-256

Key Algorithms:

• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• Ec25519

I've not done anything on implementation specific variants (e.g. anything ending in @openssh.com or similar) that have been mentioned in any of the above comments

I've currently got Pull Requests raised for adding newer MAC, KEX and Key Algorithms into Trilead. These will add support for:

Key Exchange (KEX):

• diffie-hellman-group-exchange-sha256

MAC:

• hmac-sha2-512
• hmac-sha2-256

Key Algorithms:

• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• Ec25519

I've not done anything on implementation specific variants (e.g. anything ending in @openssh.com or similar) that have been mentioned in any of the above comments

Those pulls were merged a new release of trilead-ssh2 has been done. Jenkins will be updated shortly to use the new release.

Code changed in jenkins
User: Michael Clarke
Path:
core/pom.xml
http://jenkins-ci.org/commit/jenkins/b17d0763709be35d39f16d6af7afaf765ac6cf92
Log:
Bump Trilead version to receive a number of security enhancements
JENKINS-41606JENKINS-33021JENKINS-26379JENKINS-31549

The fix has been integrated towards 2.58. It is not a backporting candidate

thanks a lot mc1arke !!!