
trilead ssh MAC and key exchange algorithms severely outdated

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Critical
    • Component: ssh-slaves-plugin
    • Labels: None
    • Environment: Jenkins 1.647, ssh-slaves-plugin 1.10

      The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

      sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,hmac-ripemd160 [preauth]

      In JENKINS-14709 a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: Ganymed commits. It does seem to support hmac-sha2 macs though.

      From JENKINS-36873 (dupe)

      The ssh credentials plugin is unable to connect to slaves that have newer algorithms

      The keys from Jenkins (client) and slave (server below) have:

      fatal: no matching mac found:
      client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
      server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]

      Jenkins yields a trace:

      [06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
      Key exchange was not finished, connection is closed.
      ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
      java.lang.IllegalStateException: Connection is not established!
      	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
      	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      [06/22/15 14:49:06] Launch failed - cleaning up connection
      [06/22/15 14:49:06] [SSH] Connection closed.

      On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256 but that is not supported by Trilead SSH.
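As an added example (not code from the issue, from trilead-ssh2, or from Jenkins), the following Python reproduces the RFC 4253 name-list negotiation over the MAC lists quoted in the sshd messages above and checks whether a client list extended with hmac-sha2-256 and hmac-sha2-512 would have matched; the sample log lines are reconstructed from the description, and the function names are my own.

```python
import re

# Constructed sample: the two "no matching mac found" messages from the issue, each on one line.
SSHD_LOG_LINES = [
    "sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,hmac-ripemd160 [preauth]",
    "fatal: no matching mac found: client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]",
]

# Matches both OpenSSH spellings seen above ("client ..." and "client: ...").
_NO_MATCH = re.compile(r"no matching (?P<kind>\w+) found: client:? (?P<client>\S+) server:? (?P<server>\S+)")

# MAC list the old trilead offered (taken from the log) and the same list with the SHA-2
# HMACs added by the merged pull request placed first, so the client prefers them.
OLD_CLIENT_MACS = ["hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"]
NEW_CLIENT_MACS = ["hmac-sha2-256", "hmac-sha2-512"] + OLD_CLIENT_MACS


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first name in the client's
    list that also appears in the server's list; None means the connection fails."""
    offered_by_server = set(server_list)
    for name in client_list:
        if name in offered_by_server:
            return name
    return None


def parse_no_match(line):
    """Extract algorithm kind and both name-lists from an sshd 'no matching ... found' line."""
    m = _NO_MATCH.search(line)
    if not m:
        return None
    return {
        "kind": m.group("kind"),
        "client": m.group("client").split(","),
        "server": m.group("server").split(","),
    }


def audit(lines, patched_client=NEW_CLIENT_MACS):
    """For each negotiation failure in the log, confirm the logged lists really had no
    overlap and report what the patched client list would have negotiated instead."""
    results = []
    for line in lines:
        parsed = parse_no_match(line)
        if parsed is None:
            continue
        results.append({
            "kind": parsed["kind"],
            "as_logged": negotiate(parsed["client"], parsed["server"]),
            "with_patched_client": negotiate(patched_client, parsed["server"]),
        })
    return results
```

Running audit over an sshd log this way tells you whether a failed agent launch is the client side being outdated (no overlap) rather than a server misconfiguration.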

          Antoine Musso added a comment -

          A few various pull requests have been sent. Seems the active one is now https://github.com/jenkinsci/trilead-ssh2/pull/14 proposed by Michael Clarke (assignee of this task).

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Michael Clarke
          Path:
          src/com/trilead/ssh2/Connection.java
          src/com/trilead/ssh2/KnownHosts.java
          src/com/trilead/ssh2/crypto/CryptoWishList.java
          src/com/trilead/ssh2/crypto/dh/DhExchange.java
          src/com/trilead/ssh2/crypto/dh/DhGroupExchange.java
          src/com/trilead/ssh2/crypto/digest/HMAC.java
          src/com/trilead/ssh2/crypto/digest/HashForSSH2Types.java
          src/com/trilead/ssh2/crypto/digest/JreMessageDigestWrapper.java
          src/com/trilead/ssh2/crypto/digest/MAC.java
          src/com/trilead/ssh2/crypto/digest/MD5.java
          src/com/trilead/ssh2/crypto/digest/MessageMac.java
          src/com/trilead/ssh2/crypto/digest/SHA1.java
          src/com/trilead/ssh2/transport/KexManager.java
          src/com/trilead/ssh2/transport/KexState.java
          http://jenkins-ci.org/commit/trilead-ssh2/3aaec8394cb949499061186219ab9c513c0d9eea
          Log:
          Merge pull request #14 from jenkinsci/SHA256-and-SHA512-HMAC-support

          JENKINS-33021 Add support for SHA256 and SHA512 HMAC algorithms

          Compare: https://github.com/jenkinsci/trilead-ssh2/compare/d0178c21e393...3aaec8394cb9

          paladox added a comment -

          Resolving the issue as a new trilead-ssh2 release has been done with ^^ change. All that needs doing is jenkins to be updated now.

          paladox added a comment -

          Re opening as still in progress.

          Mark Lagendijk added a comment - You can follow progress here: https://issues.jenkins-ci.org/browse/JENKINS-43610

          Mark Lagendijk added a comment - - edited

          Edit: removed message about failure to patch Jenkins with the new trilead library. Building Jenkins from source with the new trilead library did work.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Michael Clarke
          Path:
          core/pom.xml
          http://jenkins-ci.org/commit/jenkins/b17d0763709be35d39f16d6af7afaf765ac6cf92
          Log:
          Bump Trilead version to receive a number of security enhancements
          JENKINS-41606 JENKINS-33021 JENKINS-26379 JENKINS-31549

          Oleg Nenashev added a comment -

          It has been merged towards 2.58

          Not a backporting candidate

          Daniel Beck added a comment -

          In 2.58.

          Antoine Musso added a comment -

          Thank you Michael Clarke ! That works perfectly and we use:

          server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]