JENKINS-58910

[security] ssh slave hardening - ssh slave weak Key Exchange Algorithms/Message Authentication Codes


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • ssh-slaves-plugin
    • None
    • linux/centos7

    Description

      I am trying to do ssh hardening on jenkins server and slave following https://www.sshaudit.com/ recommendations (https://www.sshaudit.com/hardening_guides.html#rhel7)

      But as soon as the ssh hardening is enabled on the slave, jenkins can no longer connect to the slave.

      [05/02/18 15:26:59] [SSH] Opening SSH connection to <IP>
      Key exchange was not finished, connection is closed.
      java.io.IOException: There was a problem while connecting to <IP>:22
      at com.trilead.ssh2.Connection.connect(Connection.java:818)
      at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1324)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:831)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:820)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
      at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
      at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
      at com.trilead.ssh2.Connection.connect(Connection.java:770)
      ... 7 more
      Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
      at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:405)
      at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
      at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
      ... 1 more
      [05/02/18 15:26:59] Launch failed - cleaning up connection

      The error and the "workaround" are described here:

      I am able to keep the hardening "on" only if I change the plugin to use the ssh command line, but now I need to maintain the remoting.jar manually:
      'cd /var/lib/jenkins && java -jar remoting.jar -workDir /var/lib/jenkins'

      I am not sure if this is a limitation in the library used to do ssh, or if this can simply be fixed via the Java security configuration on the main Jenkins server?

      Have you guys tried hardening of server/slave?

      Any recommendations?
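The "Cannot negotiate, proposals do not match" error in the trace above is raised when the two SSH_MSG_KEXINIT proposals share no algorithm in some class. The following diagnostic is an added example, not code from the Jenkins issue, the ssh-slaves plugin or trilead-ssh2: it parses a KEXINIT payload as laid out in RFC 4253 section 7.1, applies the standard negotiation rule (first entry in the client's list that the server also offers) and reports which classes fail. The "hardened server" lists are constructed to model the intent of the sshaudit.com RHEL7 guide, and both client lists are assumptions standing in for an older and a current SSH client; none of them is the real trilead-ssh2 proposal. The optional `fetch_server_kexinit` helper reads a live server's proposal so the same check can be run against your own agent host.

```python
"""Diagnose an SSH 'Cannot negotiate, proposals do not match' failure.

Added example, not part of the Jenkins issue or trilead-ssh2. Algorithm lists
below are constructed for illustration (see the lead-in).
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Name-list order inside KEXINIT, per RFC 4253 section 7.1.
CLASSES = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
           "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def proposal(**lists):
    """Build a full proposal dict; unspecified classes get sensible defaults."""
    full = {name: [] for name in CLASSES}
    full.update({"comp_c2s": ["none"], "comp_s2c": ["none"]})
    full.update(lists)
    return full


# Constructed: modelled on the sshaudit.com RHEL7 hardening guide (not copied from it).
HARDENED_SERVER = proposal(
    kex=["curve25519-sha256", "curve25519-sha256@libssh.org",
         "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256"],
    host_key=["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    enc_c2s=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    enc_s2c=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"],
    mac_s2c=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"],
)
# Constructed: an assumed older client library offering only SHA-1-era KEX/MACs.
LEGACY_CLIENT = proposal(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"],
    host_key=["ssh-rsa", "ssh-dss"],
    enc_c2s=["aes128-ctr", "aes256-ctr", "aes128-cbc"], enc_s2c=["aes128-ctr", "aes256-ctr", "aes128-cbc"],
    mac_c2s=["hmac-sha1", "hmac-sha2-256", "hmac-md5"], mac_s2c=["hmac-sha1", "hmac-sha2-256", "hmac-md5"],
)
# Constructed: an assumed current client that also speaks curve25519 and ETM MACs.
MODERN_CLIENT = proposal(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    host_key=["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"],
    enc_c2s=["aes256-gcm@openssh.com", "aes128-ctr"], enc_s2c=["aes256-gcm@openssh.com", "aes128-ctr"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"], mac_s2c=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4: off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message id, 16-byte cookie, ten name-lists) into a dict."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, lists = 1 + 16, {}
    for name in CLASSES:
        lists[name], off = _read_name_list(payload, off)
    return lists


def build_kexinit(lists):
    """Encode a proposal dict as a KEXINIT payload (zero cookie is fine for a sample)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in CLASSES:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def negotiate(client, server):
    """RFC 4253 s7.1 rule: the first client-preferred algorithm the server also lists wins.
    Returns (chosen per class, list of classes with no common algorithm); the extra
    host-key/KEX compatibility constraint in the RFC is left out for clarity."""
    chosen, failed = {}, []
    for name in CLASSES[:6]:  # kex, host key, ciphers and MACs must all match
        pick = next((a for a in client[name] if a in server[name]), None)
        chosen[name] = pick
        if pick is None:
            failed.append(name)
    return chosen, failed


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read a live server's identification line and its (still unencrypted) KEXINIT packet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexcheck_0.1\r\n")
        f = s.makefile("rb")
        while not f.readline().startswith(b"SSH-"):  # servers may send banner lines first
            pass
        pkt_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(pkt_len - pad_len - 1)  # packet_length covers pad byte + payload + padding
        f.read(pad_len)
        return parse_kexinit(payload)


if __name__ == "__main__":
    import sys
    server = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else HARDENED_SERVER
    for label, client in (("legacy client", LEGACY_CLIENT), ("modern client", MODERN_CLIENT)):
        chosen, failed = negotiate(client, server)
        print(f"{label}: {'OK' if not failed else 'FAIL on ' + ', '.join(failed)}")
        for name in failed:
            print(f"  server offers {name}: {', '.join(server[name])}")
```

Run without arguments to see the constructed case: the legacy client negotiates a cipher and host key but fails on `kex` and both MAC classes, which is exactly the shape of failure the hardened sshd produces for an older Java SSH library. Run with a hostname to read the real proposal of an agent and compare it against whatever your client library supports; the fix is then either a client upgrade or re-adding, on the agent, only the specific KEX and MAC entries the client needs rather than switching hardening off.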


        Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment - Please read How to report an issue; for questions you should use the Google groups. Also, you do not provide the Jenkins core version or ssh-slaves version number you are using, nor the encryption settings you are using. However, I guess you are using ed25519, which is supported in the latest versions of the Jenkins core (trilead-ssh2 module on jenkins-2.189); see https://issues.jenkins-ci.org/browse/JENKINS-55133 and https://github.com/jenkinsci/jenkins/pull/3827

          People

            ifernandezcalvo Ivan Fernandez Calvo
            dany dany alain
            Votes: 0
            Watchers: 3
