JENKINS-37236: Unable to negotiate: no matching key exchange method found

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Environment: Ubuntu 16.04.1, Jenkins 2.17, Java 8

      Hi,

      I am under the belief that the default setup (plugins) of Jenkins (2.17) listens for SSHD connections. It appears to default to an insecure key exchange algorithm. The bypass is trivial, but it is unclear if it's documented (in Jenkins' docs, I haven't found it). Also, I haven't found anything mentioning that the server side will be updated (another comment in the docs might be good for that).

      user@ubuntu:~$ ssh -p 34213 admin@localhost version
      Unable to negotiate with ::1 port 34213: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

      user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 34213 admin@localhost version
      2.17

      I might be missing information, but I haven't found anything on this yet (aside from people doing the aforementioned workaround).

          Alexandre Telles added a comment -

          I have the same problem. I'm using the docker image, and this issue first appeared on version 2.16; I tested on 2.15 and it still works.

          My workaround was to edit the ~/.ssh/config and add:

          ## use kex algorithm ##
          Host <JENKINS_HOST_OR_IP>
              KexAlgorithms diffie-hellman-group1-sha1

          Ben Walding added a comment -

          Some background on why this is now causing issues:

          http://www.openssh.com/legacy.html
          https://weakdh.org/

          The diffie-hellman-group1-sha1 is insecure and considered "within range" of the LogJam attack.

          I can confirm this error is a problem on modern OSX machines (using Brew SSH), as Brew installs OpenSSH v7+.

          # El Capitan + Brew
          $ /usr/local/bin/ssh -V
          OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016
          # El Capitan
          $ /usr/bin/ssh -V
          OpenSSH_6.9p1, LibreSSL 2.1.8

          David Christensen added a comment -

          For some reason on my 16.04.1 server I couldn't get the .ssh/config update to work:

          Oct 26 11:24:49 jenkins sshd[2764]: fatal: Unable to negotiate with 127.0.0.1 port 56112: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]

          I had to add:

          KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

          to "/etc/ssh/sshd_config" in order to get things going. My installation is using 2.19.1 and was tested on master (localhost) and a slave 16.04.1 server.

          Oleg Nenashev added a comment -

          SSHD has been updated in https://github.com/jenkinsci/sshd-module/pull/12, can iterate on this


          Oleg Nenashev added a comment -

          Once SSHD Module is upgraded to 2.0, the following Key Exchange Algorithms will be enabled by default (if the JVM instance supports them): ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

          It should be enough though it may be possible to disable particular insecure exchange methods

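As an added illustration (not part of this ticket or of the Jenkins sshd-module), the Python below builds and parses an RFC 4253 SSH_MSG_KEXINIT packet with a constructed offer, pulls the "Their offer:" list out of OpenSSH error lines like the ones quoted in this thread, and splits an offer into the SHA-1 finite-field DH methods that current OpenSSH clients no longer enable by default and the rest; when the "acceptable" half is empty, a stock OpenSSH 7+ client fails exactly as reported above. The WEAK_KEX set and the packet contents are assumptions chosen for the example.

```python
import re
import struct

# SHA-1 finite-field DH methods that current OpenSSH clients no longer enable by
# default (diffie-hellman-group1-sha1 was the first to go, in OpenSSH 7.0). Example set.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
}

def build_kexinit(kex, hostkey, enc, mac):
    """Build a constructed RFC 4253 SSH_MSG_KEXINIT binary packet for testing."""
    def namelist(names):  # uint32 length + comma-separated names
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    payload = bytes([20]) + b"\x00" * 16          # msg id 20 + 16-byte cookie
    payload += namelist(kex) + namelist(hostkey)
    payload += namelist(enc) * 2 + namelist(mac) * 2      # c2s and s2c
    payload += namelist(["none"]) * 2 + namelist([]) * 2  # compression, languages
    payload += b"\x00" + struct.pack(">I", 0)     # first_kex_packet_follows, reserved
    pad = 8 - ((5 + len(payload)) % 8)            # >= 4 bytes, block-aligned total
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def parse_kexinit(packet):
    """Return the kex_algorithms name-list offered in a KEXINIT packet."""
    plen, padlen = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + plen - padlen - 1]
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 17                                      # skip msg id and cookie
    (n,) = struct.unpack(">I", payload[off:off + 4])
    names = payload[off + 4:off + 4 + n].decode("ascii")
    return names.split(",") if names else []

def offer_from_log(line):
    """Pull the 'Their offer:' list out of an OpenSSH client or sshd error line."""
    m = re.search(r"Their offer: ([\w@.,-]+)", line)
    return m.group(1).split(",") if m else []

def audit_kex(offer):
    """Split an offer into (weak, acceptable); empty 'acceptable' means modern clients fail."""
    weak = [k for k in offer if k in WEAK_KEX]
    ok = [k for k in offer if k not in WEAK_KEX]
    return weak, ok
```

Run against the SSHD Module 2.0 list from the comment above, audit_kex leaves the three ECDH methods and diffie-hellman-group-exchange-sha256 as acceptable, which is why a default OpenSSH 7 client can negotiate with it.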

          Oleg Nenashev added a comment -

          SSHD Module 2.0 has been integrated towards the Jenkins 2.69 release

          Please retest with the new version and report results


          Oleg Nenashev added a comment -

          I am going to mark it as Resolved. If there are any issues, please feel free to reopen the ticket


            Assignee: Oleg Nenashev (oleg_nenashev)
            Reporter: Ronald Petty (ronald_petty)
            Votes: 5
            Watchers: 7