
ssh credentials does not support newer MAC/KEX algos due to outdated trilead-ssh2

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • core, credentials-plugin
    • None
    • Jenkins 1.651

      The ssh credentials plugin is unable to connect to slaves that have newer algorithms.

      The keys from Jenkins (client) and slave (server below) have:

      fatal: no matching mac found:
      client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
      server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
      

      Jenkins yields a trace:

      [06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
      Key exchange was not finished, connection is closed.
      ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
      java.lang.IllegalStateException: Connection is not established!
      	at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
      	at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
      	at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
      	at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
      	at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      [06/22/15 14:49:06] Launch failed - cleaning up connection
      [06/22/15 14:49:06] [SSH] Connection closed.
      

      On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256, but that is not supported by Trilead SSH. As I understand it, that Java installation is stale/no longer updated by upstream and Jenkins core provides its own fork.

      Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle.

      The workaround is to configure the slaves with some outdated algorithms supported by Trilead :(

      Our bug https://phabricator.wikimedia.org/T103351
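
      The negotiation failure in the log above, reproduced as an added example (not code from the issue, Jenkins or Trilead). It parses the quoted sshd message and applies the RFC 4253 section 7.1 selection rule; the `is_legacy` policy and the choice of `hmac-sha1` as the re-enabled name are assumptions of this example.

```python
import re

# Constructed sample: the sshd message quoted in the issue description.
SSHD_LOG = (
    "fatal: no matching mac found:\n"
    "client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5\n"
    "server: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,"
    "umac-128@openssh.com [preauth]\n"
)

# Accepts the three-line form shown in the issue and sshd's one-line form.
OFFER_RE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found:?\s*"
    r"client:?\s*(?P<client>\S+)\s+server:?\s*(?P<server>\S+)"
)


def parse_offer(log):
    """Return (kind, client_list, server_list) from a negotiation failure."""
    m = OFFER_RE.search(log)
    if m is None:
        raise ValueError("no negotiation failure message found")
    return m["kind"], m["client"].split(","), m["server"].split(",")


def negotiate(client, server):
    """RFC 4253 7.1 (cipher/MAC): first client name the server also lists."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def is_legacy(name):
    """Example policy (assumption): SHA-1, MD5 and 96-bit truncated MACs."""
    return "md5" in name or "sha1" in name or name.endswith("-96")


def diagnose(log):
    """Summarise the failure and what the server-side workaround selects."""
    kind, client, server = parse_offer(log)
    return {
        "kind": kind,
        "chosen": negotiate(client, server),
        "client_all_legacy": all(is_legacy(n) for n in client),
        # Workaround from the issue: re-enable a client-supported name.
        "after_workaround": negotiate(client, server + ["hmac-sha1"]),
    }
```

      With the lists from the log, `diagnose(SSHD_LOG)` reports no common MAC, and re-enabling `hmac-sha1` on the server makes the connection settle on that SHA-1 MAC.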

          [JENKINS-36873] ssh credentials does not support newer MAC/KEX algos due to outdated trilead-ssh2

          Antoine Musso created issue -
          Antoine Musso made changes -
          Description: log excerpt delimiters changed from {{ }} to {{noformat}}; text otherwise identical to the issue description.
          Antoine Musso made changes -
          Description: log excerpt delimiters changed from {{noformat}} to {noformat}; text otherwise identical to the issue description.
          Antoine Musso made changes -
          Summary Original: ssh credentials does not support newer MAC/KEX also due to outdated trilead-ssh2 New: ssh credentials does not support newer MAC/KEX altos due to outdated trilead-ssh2
          Antoine Musso made changes -
          Summary Original: ssh credentials does not support newer MAC/KEX altos due to outdated trilead-ssh2 New: ssh credentials does not support newer MAC/KEX algos due to outdated trilead-ssh2
          Antoine Musso made changes -
          Link New: This issue duplicates JENKINS-33021 [ JENKINS-33021 ]
          Antoine Musso made changes -
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 173620 ] New: JNJira + In-Review [ 210230 ]

            stephenconnolly Stephen Connolly
            hashar Antoine Musso