Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-36873

ssh credentials does not support newer MAC/KEX algos due to outdated trilead-ssh2

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      The ssh credentials plugin is unable to connect to slaves that have newer algorithms

      The keys from Jenkins (client) and slave (server below) have:

      fatal: no matching mac found:
      client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
      server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
      

      Jenkins yields a trace:

      [06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
      Key exchange was not finished, connection is closed.
      ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
      java.lang.IllegalStateException: Connection is not established!
      	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
      	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      [06/22/15 14:49:06] Launch failed - cleaning up connection
      [06/22/15 14:49:06] [SSH] Connection closed.
      

      On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256 but that is not supported by Trilead SSH. As I understand it that Java installation is stall/no more updated by upstream and Jenkins core provides its own fork.

      Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle.

      The workaround is to configure the slaves with some outdated algorithms supported by Trilead

      Our bug https://phabricator.wikimedia.org/T103351

        Attachments

          Issue Links

            Activity

            Hide
            hashar Antoine Musso added a comment -

            Sorry for the spam. It is an exact duplicate of JENKINS-33021

            Show
            hashar Antoine Musso added a comment - Sorry for the spam. It is an exact duplicate of JENKINS-33021

              People

              Assignee:
              stephenconnolly Stephen Connolly
              Reporter:
              hashar Antoine Musso
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: