JENKINS-62311

Add support for rsa-sha2-256 and rsa-sha2-512 key algorithms


Details

    Description

      As announced in OpenSSH 8.2, the ssh-rsa key algorithm (RSA signatures over SHA-1) is being deprecated due to weaknesses in SHA-1. To continue supporting RSA keys, support for the rsa-sha2-256 and rsa-sha2-512 key algorithms specified in RFC 8332 needs to be added to Trilead.

      Alternatively, SSH Build Agents should migrate to using Apache SSH which is actively maintained, supports these key algorithms, and is overall more modern.


          Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            I have started a fresh environment, then I've updated the trilead-api-plugin. The agent that fails only accepts 'ssh-rsa' (https://github.com/kuisathaverat/jenkins-issues/blob/master/JENKINS-62311/ssh-agent-rsa/ssh/config) so I guess the support for that type is removed in some way by the change.
            jvz Matt Sicker added a comment -

            Hmm, seems like I probably only tested this out on servers by disabling the RSA/SHA1 signature type. I'll look more closely into fixing this later this week.

            jvz Matt Sicker added a comment -

            Looking more closely at this, it seems it would be a little tricky to implement this the "right" way as suggested in the RFC. There's an extension mechanism (RFC 8308) for checking if a server or client supports the RSA SHA-2 signature types, but Trilead doesn't implement extension negotiation (I had confused that with Apache SSH which does).

            The way I'll solve this is by just retrying a userauth request with other supported key algorithm formats until we run out. I tried this idea out with your docker setup, and it seems to solve the problem. The RFC mentions some SSH servers apply an authentication penalty for authentication failures, so the extension list mechanism is a more reliable way to try and detect supported formats before using them. We could potentially add an option to allow users to default to SHA-1 instead of SHA-2 as the first attempted algorithm for RSA keys in that scenario, though.

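As an added example (not Trilead, Jenkins or the pull request's code), a stdlib-only Python model of the three RSA algorithm names from RFC 8332 and of the retry approach described in the comment above: the client signs the same userauth data with rsa-sha2-512, then rsa-sha2-256, then ssh-rsa, and a server policy that only enables ssh-rsa, like the agent in this issue, accepts the third attempt after two counted failures. The RSA key, the session data and the server policy are constructed here; the algorithm name carried inside the signature blob selects the hash, so a SHA-1 signature relabelled as rsa-sha2-256 fails verification.

```python
import hashlib, hmac, secrets, struct
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017), keyed by SSH public-key algorithm name.
ALGS = {"ssh-rsa": ("sha1", "3021300906052b0e03021a05000414"),
        "rsa-sha2-256": ("sha256", "3031300d060960864801650304020105000420"),
        "rsa-sha2-512": ("sha512", "3051300d060960864801650304020305000440")}
CLIENT_PREFERENCE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]  # SHA-2 first, SHA-1 as last resort

def ssh_string(b):  # RFC 4251 "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def is_probable_prime(n, rounds=16):  # Miller-Rabin on an odd n; adequate for a demo key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1: continue
        for _ in range(r):
            if x == n - 1: break
            x = pow(x, 2, n)
        else: return False
    return True
def generate_key(bits=1024, e=65537):  # constructed toy key; real code would load the agent's key
    def prime(b):  # random b-bit probable prime with gcd(p - 1, e) == 1
        while True:
            p = secrets.randbits(b) | 1 << (b - 1) | 1
            if (p - 1) % e and is_probable_prime(p): return p
    p, q = prime(bits // 2), prime(bits // 2)
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
def emsa(alg, data, k):  # EMSA-PKCS1-v1_5 encoding of H(data); k = modulus length in bytes
    hash_name, prefix = ALGS[alg]
    t = bytes.fromhex(prefix) + hashlib.new(hash_name, data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def sign_blob(key, alg, data):  # RFC 8332 signature blob: string alg-name || string signature
    k = (key["n"].bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa(alg, data, k), "big"), key["d"], key["n"])
    return ssh_string(alg.encode()) + ssh_string(s.to_bytes(k, "big"))
def verify_blob(key, blob, data):  # the algorithm name carried in the blob selects the hash
    n_len = struct.unpack(">I", blob[:4])[0]
    alg, rest, k = blob[4:4 + n_len].decode(), blob[4 + n_len:], (key["n"].bit_length() + 7) // 8
    if alg not in ALGS or len(rest) != 4 + k or struct.unpack(">I", rest[:4])[0] != k:
        return alg, False
    em = pow(int.from_bytes(rest[4:], "big"), key["e"], key["n"]).to_bytes(k, "big")
    return alg, hmac.compare_digest(em, emsa(alg, data, k))
def authenticate(key, session_id, server_accepts):  # Trilead-style retry; no RFC 8308 ext-info
    failures = 0
    for alg in CLIENT_PREFERENCE:
        name, ok = verify_blob(key, sign_blob(key, alg, session_id), session_id)
        if ok and name in server_accepts:  # server policy: the algorithm must be enabled
            return alg, failures
        failures += 1  # each rejection may count toward the server's authentication penalty
    return None, failures
```

`authenticate` returns the algorithm that was finally accepted together with the number of rejected attempts, which is the cost the comment above notes when a server applies an authentication penalty.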
            jvz Matt Sicker added a comment - https://github.com/jenkinsci/trilead-ssh2/pull/48

            ifernandezcalvo Ivan Fernandez Calvo added a comment - released in ssh-slaves-1.31.4 trilead-api-1.0.12

            People

              jvz Matt Sicker