Loading...

This issue is archived. You can view it, but you can't modify it. Learn more

XML

Word

Printable

Type: Improvement
Resolution: Fixed
Priority: Critical
Component/s: ssh-slaves-plugin
Labels:
- issue-exported-to-github
Environment:
Jenkins 1.647, ssh-slaves-plugin 1.10

The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,hmac-ripemd160 [preauth]

In JENKINS-14709 a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: Ganymed commits. It does seem to support hmac-sha2 macs though.

From ~~JENKINS-36873~~ (dupe)

The ssh credentials plugin is unable to connect to slaves that have newer algorithms

The keys from Jenkins (client) and slave (server below) have:

fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]

Jenkins yields a trace:

[06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
[06/22/15 14:49:06] Launch failed - cleaning up connection
[06/22/15 14:49:06] [SSH] Connection closed.

On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256 but that is not supported by Trilead SSH.

duplicates

JENKINS-31549 sshcredentials via trilead-ssh2 Cannot Connect to Servers Requiring Strong MACs

Resolved

is duplicated by

JENKINS-36873 ssh credentials does not support newer MAC/KEX algos due to outdated trilead-ssh2

Closed

is related to

JENKINS-26379 Jenkins - ssh connection exception

Resolved

JENKINS-26495 SSH Key Exchange not finished

Closed

JENKINS-39805 Remove unsafe cyphers of SSHD module

Resolved

JENKINS-44046 Git SSH connection issues with Jenkins 2.58

Closed

links to

CloudBees Internal CLTS-1375

CloudBees Internal OSS-868

ECDSA Key Support

Ed25519 Key Support

SHA256 and SHA512 HMAC Support

(1 is related to, 5 links to)

Assignee:: Michael Clarke
Reporter:: Emma Laurijssens

Created:: 2016-02-18 20:51
Updated:: Yesterday 09:43
Resolved:: 2017-05-01 20:05
Archived:: Yesterday 09:43

Details

Description

Attachments

Issue Links

Activity

People

Dates