JENKINS-33021

trilead ssh MAC and key exchange algorithms severely outdated


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: ssh-slaves-plugin
    • Labels:
      None
    • Environment:
      Jenkins 1.647, ssh-slaves-plugin 1.10

      Description

      The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

      sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,hmac-ripemd160 [preauth]
      

      In JENKINS-14709 a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: Ganymed commits. It does seem to support hmac-sha2 macs though.

      From JENKINS-36873 (dupe)

      The ssh credentials plugin is unable to connect to slaves that have newer algorithms.

      The keys from Jenkins (client) and slave (server below) have:

      fatal: no matching mac found:
      client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
      server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
      

      Jenkins yields a trace:

      [06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
      Key exchange was not finished, connection is closed.
      ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
      java.lang.IllegalStateException: Connection is not established!
      	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
      	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      [06/22/15 14:49:06] Launch failed - cleaning up connection
      [06/22/15 14:49:06] [SSH] Connection closed.
      

      On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256 but that is not supported by Trilead SSH.
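An added example, not part of the original issue and not Jenkins or trilead code: it parses the `no matching mac found` message quoted above (it also accepts the `client:` / `server:` form of the second message) and applies the RFC 4253 section 7.1 selection rule, the first algorithm on the client's list that the server also lists, to show why negotiation fails and what would be chosen once the client offers the SHA-2 MACs. The function names and the `client_additions` parameter are assumptions made for this example.

```python
import re

# sshd log line quoted in the issue description (taken from the page).
SSHD_LINE = ("sshd[9800]: fatal: no matching mac found: client "
             "hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server "
             "hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,hmac-ripemd160 [preauth]")

# Matches "no matching <kind> found: client <list> server <list>", with or
# without a colon after "client"/"server" and with the lists on separate lines.
MISMATCH_RE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found:\s*"
    r"client:?\s*(?P<client>\S+)\s+server:?\s*(?P<server>\S+)")

def parse_mismatch(text):
    """Return (kind, client_list, server_list), or None if text is not a mismatch."""
    m = MISMATCH_RE.search(text)
    if m is None:
        return None
    return (m.group("kind"),
            m.group("client").split(","),
            m.group("server").split(","))

def negotiate(client, server):
    """RFC 4253 section 7.1: first client algorithm that the server also lists."""
    allowed = set(server)
    return next((alg for alg in client if alg in allowed), None)

def explain(text, client_additions=()):
    """Summarise a mismatch and the result if the client also offered client_additions."""
    parsed = parse_mismatch(text)
    if parsed is None:
        return None
    kind, client, server = parsed
    return {
        "kind": kind,
        "negotiated_now": negotiate(client, server),
        "client_only": [a for a in client if a not in server],
        # Constructed scenario: additions are placed first, i.e. preferred.
        "negotiated_after": negotiate(list(client_additions) + client, server),
    }

if __name__ == "__main__":
    # The two MACs the reporter asks for, as a constructed client upgrade.
    print(explain(SSHD_LINE, ["hmac-sha2-512", "hmac-sha2-256"]))
```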

            Activity

            emma Emma Laurijssens created issue -
            ollirajala Olli Rajala made changes -
            Field Original Value New Value
            Priority Minor [ 4 ] Major [ 3 ]
            oleg_nenashev Oleg Nenashev made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-26495 [ JENKINS-26495 ]
            hashar Antoine Musso made changes -
            Description
            hashar Antoine Musso made changes -
            Link This issue is duplicated by JENKINS-36873 [ JENKINS-36873 ]
            hashar Antoine Musso made changes -
            Description
            hashar Antoine Musso made changes -
            Component/s credentials-plugin [ 16523 ]
            emma Emma Laurijssens made changes -
            Link This issue duplicates JENKINS-31549 [ JENKINS-31549 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 168847 ] JNJira + In-Review [ 183259 ]
            oleg_nenashev Oleg Nenashev made changes -
            Assignee Kohsuke Kawaguchi [ kohsuke ]
            stephenconnolly Stephen Connolly made changes -
            Component/s credentials-plugin [ 16523 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-39805 [ JENKINS-39805 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-26379 [ JENKINS-26379 ]
            rsandell rsandell made changes -
            Assignee rsandell [ rsandell ]
            mc1arke Michael Clarke made changes -
            Assignee rsandell [ rsandell ] Michael Clarke [ mc1arke ]
            mc1arke Michael Clarke made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            mc1arke Michael Clarke made changes -
            Remote Link This issue links to "SHA256 and SHA512 HMAC Support (Web Link)" [ 15850 ]
            mc1arke Michael Clarke made changes -
            Remote Link This issue links to "Ed25519 Key Support (Web Link)" [ 15851 ]
            mc1arke Michael Clarke made changes -
            Remote Link This issue links to "ECDSA Key Support (Web Link)" [ 15852 ]
            paladox paladox made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            paladox paladox made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            danielbeck Daniel Beck made changes -
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]
            nperrenoud Nicolas Perrenoud made changes -
            Link This issue is related to JENKINS-44046 [ JENKINS-44046 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-868 (Web Link)" [ 18814 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal CLTS-1375 (Web Link)" [ 19240 ]

              People

              Assignee:
              mc1arke Michael Clarke
              Reporter:
              emma Emma Laurijssens
              Votes:
              13
              Watchers:
              20
