JENKINS-62311: Add support for rsa-sha2-256 and rsa-sha2-512 key algorithms

      Description

      As announced in OpenSSH 8.2, the ssh-rsa key algorithm is being deprecated due to weaknesses in SHA-1. To continue supporting RSA keys, use of rsa-sha2-256 or rsa-sha2-512 key algorithms as specified in RFC 8332 needs to be added to Trilead.

      Alternatively, SSH Build Agents should migrate to using Apache SSH which is actively maintained, supports these key algorithms, and is overall more modern.

            Activity

            jvz Matt Sicker added a comment - https://github.com/jenkinsci/trilead-ssh2/pull/48
            jvz Matt Sicker added a comment -

            Looking more closely at this, it seems it would be a little tricky to implement this the "right" way as suggested in the RFC. There's an extension mechanism (RFC 8308) for checking if a server or client supports the RSA SHA-2 signature types, but Trilead doesn't implement extension negotiation (I had confused that with Apache SSH which does).

            The way I'll solve this is by just retrying a userauth request with other supported key algorithm formats until we run out. I tried this idea out with your docker setup, and it seems to solve the problem. The RFC mentions some SSH servers apply an authentication penalty for authentication failures, so the extension list mechanism is a more reliable way to try and detect supported formats before using them. We could potentially add an option to allow users to default to SHA-1 instead of SHA-2 as the first attempted algorithm for RSA keys in that scenario, though.

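An added worked example of the two strategies weighed in the comment above (this is not code from Trilead, from the linked PR, or from OpenSSH): read the server's RFC 8308 "server-sig-algs" extension when one is sent and offer the best RFC 8332 algorithm it lists, otherwise fall back to the retry loop over rsa-sha2-512, rsa-sha2-256 and ssh-rsa. The SSH_MSG_EXT_INFO encoding follows RFC 8308 section 2.3; the server side is a simulated acceptance set (`simulated_server`) and `try_sig_alg` stands in for sending a signed SSH_MSG_USERAUTH_REQUEST, both assumptions for the example.

```python
"""RSA signature-algorithm selection for SSH public-key auth (added example).

Wire format per RFC 8308 section 2.3; algorithm names per RFC 8332.
The server is simulated; nothing here talks to a real sshd.
"""
from __future__ import annotations

import struct
from typing import Callable, Optional

SSH_MSG_EXT_INFO = 7  # RFC 8308 section 2.3

# Client preference, strongest first; "ssh-rsa" (SHA-1) is the last resort.
RSA_SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode an SSH 'string' at buf[pos:], rejecting truncated input."""
    if pos + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + length], pos + length


def build_ext_info(extensions: dict[str, bytes]) -> bytes:
    """SSH_MSG_EXT_INFO: byte 7, uint32 nr-extensions, then name/value pairs."""
    msg = struct.pack(">BI", SSH_MSG_EXT_INFO, len(extensions))
    for name, value in extensions.items():
        msg += _ssh_string(name.encode("ascii")) + _ssh_string(value)
    return msg


def parse_ext_info(msg: bytes) -> dict[str, bytes]:
    """Decode SSH_MSG_EXT_INFO into a name -> value map; rejects trailing bytes."""
    if not msg or msg[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    (count,) = struct.unpack_from(">I", msg, 1)
    pos = 5
    extensions: dict[str, bytes] = {}
    for _ in range(count):
        name, pos = _read_string(msg, pos)
        value, pos = _read_string(msg, pos)
        extensions[name.decode("ascii")] = value
    if pos != len(msg):
        raise ValueError("trailing bytes after extensions")
    return extensions


def server_sig_algs(ext_info: dict[str, bytes]) -> Optional[list[str]]:
    """Return the comma-separated 'server-sig-algs' list, or None if absent."""
    raw = ext_info.get("server-sig-algs")
    if raw is None:
        return None
    return [alg for alg in raw.decode("ascii").split(",") if alg]


def authenticate_rsa(
    try_sig_alg: Callable[[str], bool],
    advertised: Optional[list[str]] = None,
    preference: tuple[str, ...] = RSA_SIG_PREFERENCE,
) -> tuple[Optional[str], int]:
    """Public-key userauth with a retry loop over RSA signature algorithms.

    try_sig_alg(alg) stands in for a userauth request signed with `alg` and
    returns whether the server accepted it. If the server advertised
    server-sig-algs, only listed algorithms are tried, so a server that
    penalises failed attempts sees at most one. Returns (alg, attempts).
    """
    candidates = [a for a in preference if advertised is None or a in advertised]
    attempts = 0
    for alg in candidates:
        attempts += 1
        if try_sig_alg(alg):
            return alg, attempts
    return None, attempts


def simulated_server(accepted: set[str]) -> Callable[[str], bool]:
    """Stand-in for sshd: accepts a request iff the signature alg is enabled."""
    return lambda alg: alg in accepted


if __name__ == "__main__":
    # Constructed scenario: an agent that only enables ssh-rsa, as in this issue.
    legacy = simulated_server({"ssh-rsa"})
    print(authenticate_rsa(legacy))  # ('ssh-rsa', 3): two failures first
    ext = parse_ext_info(build_ext_info({"server-sig-algs": b"ssh-rsa"}))
    print(authenticate_rsa(legacy, server_sig_algs(ext)))  # ('ssh-rsa', 1)
    modern = simulated_server({"rsa-sha2-256", "rsa-sha2-512"})
    print(authenticate_rsa(modern))  # ('rsa-sha2-512', 1)
```

The point of filtering on the advertised list is the one the comment raises: against a server that counts failed userauth attempts, the blind retry loop burns two failures before reaching ssh-rsa on a SHA-1-only host, whereas an EXT_INFO-aware client goes straight to the only algorithm the server will take. A server that never sends SSH_MSG_EXT_INFO still needs the retry loop, which is why the two are combined rather than either one alone.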
            jvz Matt Sicker added a comment -

            Hmm, seems like I probably only tested this out on servers by disabling the RSA/SHA1 signature type. I'll look more closely into fixing this later this week.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

I have started a fresh environment, then I've updated the trilead-api-plugin. The agent that fails only accepts 'ssh-rsa' (https://github.com/kuisathaverat/jenkins-issues/blob/master/JENKINS-62311/ssh-agent-rsa/ssh/config), so I guess the support for that type is removed in some way by the change.

            jvz Matt Sicker added a comment -

            Is this issue only for upgrades? Or do you get the same errors when configuring a fresh agent using the updated plugin? That should help me isolate the problem.


People

Assignee: Matt Sicker (jvz)
Reporter: Matt Sicker (jvz)