Improvement
Resolution: Fixed
Major
None
linux/centos7
I am trying to do SSH hardening on the Jenkins server and slave following the https://www.sshaudit.com/ recommendations (https://www.sshaudit.com/hardening_guides.html#rhel7).
But as soon as the SSH hardening is enabled on the slave, Jenkins can no longer connect to the slave.
{{[05/02/18 15:26:59] [SSH] Opening SSH connection to <IP>
Key exchange was not finished, connection is closed.
java.io.IOException: There was a problem while connecting to <IP>:22
at com.trilead.ssh2.Connection.connect(Connection.java:818)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1324)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:831)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:820)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
at com.trilead.ssh2.Connection.connect(Connection.java:770)
... 7 more
Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:405)
at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
... 1 more
[05/02/18 15:26:59] Launch failed - cleaning up connection}}
The error and the "workaround" are described here:
- https://stackoverflow.com/questions/50136080/jenkins-master-slave-key-exchange-was-not-finished-connection-is-closed
But the workaround is to "almost" go back to no hardening (I went from a score of F-33 to A-100, and when I disabled the MAC/KexAlgorithm settings the score went back to F-49).
I am able to keep the hardening "on" only if I change the plugin to use the ssh command line, but then I need to maintain remoting.jar manually:
'cd /var/lib/jenkins && java -jar remoting.jar -workDir /var/lib/jenkins'
I am not sure if this is a limitation in the library used for SSH, or if this can simply be fixed via the Java security configuration on the main Jenkins server?
Have you guys tried hardening of server/slave?
Any recommendations?
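The "Cannot negotiate, proposals do not match" error above is the client and server having no algorithm in common in at least one category (kex, host key, cipher or MAC). The script below is an added example, not part of this report or of the Jenkins SSH slaves plugin: it reproduces the RFC 4253 section 7.1 negotiation rule offline (for each category, the first algorithm in the client's list that the server also offers) against a constructed `sshd -T` style server listing and a constructed legacy client proposal, so you can see which category fails and what the smallest legacy re-enable would be. The algorithm lists, `HARDENED_SSHD_T` and `LEGACY_CLIENT`, are hypothetical samples and are not the actual proposals of any sshaudit.com guide or of any trilead-ssh2 version; replace them with the real output of `sshd -T` on the slave and the client's real proposal.

```python
"""Reproduce an SSH proposal mismatch offline, the way RFC 4253 section 7.1
negotiates algorithms: in each category the chosen algorithm is the first one
in the client's list that the server also offers. The sample data below is
constructed for illustration; run `sshd -T` on a real host to get its own lists.
"""

# Constructed sample in `sshd -T` output format (hypothetical hardened host;
# not copied from any particular hardening guide).
HARDENED_SSHD_T = """\
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""

# Constructed sample of an old client's proposal, in client preference order
# (hypothetical; not the real proposal of any specific SSH library version).
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}

# Constructed sample of a client that understands the hardened algorithms.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group16-sha512"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-256-etm@openssh.com"],
}

CATEGORIES = ("kex", "hostkey", "cipher", "mac")
SSHD_T_KEYS = {"kexalgorithms": "kex", "hostkeyalgorithms": "hostkey",
               "ciphers": "cipher", "macs": "mac"}


def parse_sshd_t(text):
    """Parse `sshd -T` lines into {category: [algorithms in server order]}.
    Lines for unrelated options are ignored."""
    server = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SSHD_T_KEYS:
            server[SSHD_T_KEYS[parts[0].lower()]] = parts[1].split(",")
    return server


def choose(client_list, server_list):
    """RFC 4253 7.1: the first client-preferred algorithm the server lists."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate(client, server):
    """Return {category: chosen algorithm or None}. Any None means the
    transport closes with 'Cannot negotiate, proposals do not match'."""
    return {cat: choose(client.get(cat, []), server.get(cat, []))
            for cat in CATEGORIES}


def failing_categories(result):
    """Categories in which no common algorithm was found."""
    return [cat for cat in CATEGORIES if result[cat] is None]


def minimal_reenable(client, server):
    """For each failing category, the single algorithm the server would have
    to re-enable to satisfy this client (its most-preferred one). This is the
    smallest version of the 'go back to no hardening' workaround."""
    result = negotiate(client, server)
    return {cat: client[cat][0] for cat in failing_categories(result)
            if client.get(cat)}


if __name__ == "__main__":
    server = parse_sshd_t(HARDENED_SSHD_T)
    for name, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        result = negotiate(client, server)
        print(f"== {name} client ==")
        for cat in CATEGORIES:
            print(f"  {cat:8s} -> {result[cat] or 'NO MATCH'}")
        missing = failing_categories(result)
        if missing:
            print("  proposals do not match in:", ", ".join(missing))
            print("  would need to re-enable:", minimal_reenable(client, server))
```

To use it against a real pair of hosts, paste the `kexalgorithms`, `hostkeyalgorithms`, `ciphers` and `macs` lines from `sshd -T` on the slave into `HARDENED_SSHD_T`; on an OpenSSH client, `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` list what that client supports, and a Java client's proposal is whatever its library sends in its KEXINIT. Any category that comes back `NO MATCH` is the one the plugin's client library cannot satisfy, and `minimal_reenable` shows how little of the hardening you would have to give back, which is usually the weak legacy algorithm itself and so costs the audit score.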