JENKINS-62311: Add support for rsa-sha2-256 and rsa-sha2-512 key algorithms


      Description

      As announced in OpenSSH 8.2, the ssh-rsa key algorithm is being deprecated due to weaknesses in SHA-1. To continue supporting RSA keys, use of rsa-sha2-256 or rsa-sha2-512 key algorithms as specified in RFC 8332 needs to be added to Trilead.

      Alternatively, SSH Build Agents should migrate to using Apache SSH which is actively maintained, supports these key algorithms, and is overall more modern.


            Activity

            jvz Matt Sicker created issue -
            jvz Matt Sicker made changes -
            Component/s trilead-api-plugin [ 22324 ]
            jvz Matt Sicker made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jvz Matt Sicker added a comment -

            Added link to proof of concept PR to update Trilead.

            jvz Matt Sicker made changes -
            Remote Link This issue links to "Trilead PR (Web Link)" [ 24924 ]
            simontunnat Simon Tunnat added a comment -

            This change seems to give us some problems on a Jenkins instance running on CentOS 6.

            The connection from the master to the agent failed with a "permission denied" error after updating the trilead-api-plugin to version 1.0.7.
            I don't have the full logs for this, because the error occurred on our only production system and I had to revert the plugin update immediately. For some reason I could not find the full error message in the Jenkins logs.

            The OpenSSL version is "OpenSSL 1.0.1e-fips 11 Feb 2013".

            We are planning an upgrade from CentOS 6 to 7 later this year, but it would be nice to be able to update plugins before this.

            jvz Matt Sicker added a comment -

            Huh, strange! What version of SSH?

            jvz Matt Sicker added a comment -

            Simon Tunnat by SSH I mean specifically your SSH server (presumably OpenSSH). The Trilead side should be using the JDK crypto library, which I can't even determine whether it uses OpenSSL or not (it doesn't seem to by default).

            jvz Matt Sicker added a comment -

            I think I found this issue here. Opening a new PR.

            jvz Matt Sicker added a comment -

            Figured out the errors and pushed a new PR. Tested on macOS and with Docker.

            jvz Matt Sicker made changes -
            Remote Link This issue links to "Pull Request Try #2 (Web Link)" [ 24957 ]
            jvz Matt Sicker made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            simontunnat Simon Tunnat added a comment -

            Wanted to post here sooner:
            Thanks for the bugfix. It is working fine now!

            jvz Matt Sicker added a comment -

            Merged. Release will be published later.

            jvz Matt Sicker made changes -
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]
            jvz Matt Sicker added a comment -

            Released in https://github.com/jenkinsci/trilead-ssh2/releases/tag/trilead-ssh2-build-217-jenkins-22
            jvz Matt Sicker made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            ifernandezcalvo Ivan Fernandez Calvo added a comment - - edited

            I have tested the PR https://github.com/jenkinsci/trilead-api-plugin/pull/11 on the environment https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-62311 and the changes break the RSA connections. Steps to replicate the issue:

            • build the trilead-api-plugin
              • git clone git@github.com:jenkinsci/trilead-api-plugin.git
              • cd trilead-api-plugin
              • hub pr checkout 11
              • mvn package
            • start the test environment (requires Docker and docker-compose)
              • git clone git@github.com:kuisathaverat/jenkins-issues.git
              • cd jenkins-issues/JENKINS-62311
              • make start
            • connect to the local environment at http://localhost:8080
              • check that all agents are connected
            • install the trilead-api-plugin you have built and check the restart checkbox
              • the RSA agent will be disconnected because the key is rejected
            ifernandezcalvo Ivan Fernandez Calvo made changes -
            Resolution Fixed [ 1 ]
            Status Closed [ 6 ] Reopened [ 4 ]
            jvz Matt Sicker added a comment -

            Is this issue only for upgrades? Or do you get the same errors when configuring a fresh agent using the updated plugin? That should help me isolate the problem.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            I have started a fresh environment, then I've updated the trilead-api-plugin. The agent that fails only accepts 'ssh-rsa' (https://github.com/kuisathaverat/jenkins-issues/blob/master/JENKINS-62311/ssh-agent-rsa/ssh/config), so I guess the support for that type is removed in some way by the change.

            jvz Matt Sicker added a comment -

            Hmm, seems like I probably only tested this out on servers by disabling the RSA/SHA1 signature type. I'll look more closely into fixing this later this week.

            jvz Matt Sicker made changes -
            Status Reopened [ 4 ] In Progress [ 3 ]
            jvz Matt Sicker added a comment -

            Looking more closely at this, it seems it would be a little tricky to implement this the "right" way as suggested in the RFC. There's an extension mechanism (RFC 8308) for checking if a server or client supports the RSA SHA-2 signature types, but Trilead doesn't implement extension negotiation (I had confused that with Apache SSH which does).

            The way I'll solve this is by just retrying a userauth request with other supported key algorithm formats until we run out. I tried this idea out with your docker setup, and it seems to solve the problem. The RFC mentions some SSH servers apply an authentication penalty for authentication failures, so the extension list mechanism is a more reliable way to try and detect supported formats before using them. We could potentially add an option to allow users to default to SHA-1 instead of SHA-2 as the first attempted algorithm for RSA keys in that scenario, though.

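            The two protocol points this thread turns on, as an added Python illustration that is not Trilead, Jenkins or OpenSSH code: the RFC 8332 detail from the description (an RSA key's blob type stays "ssh-rsa"; only the signature algorithm name in the userauth request becomes "rsa-sha2-256" or "rsa-sha2-512"), and the retry strategy Matt describes above (SHA-2 first, then fall back through the other RSA signature names), which the RFC 8308 "server-sig-algs" extension makes unnecessary when the server sends it. The MockServer, the key bytes and the placeholder signature are constructed for the example; the mock only checks the algorithm name and counts failed attempts, and no real RSA signing happens.

```python
"""RSA signature-algorithm selection for SSH publickey userauth.

Added illustration, not Trilead or Jenkins code. RFC 8332 names
"rsa-sha2-256"/"rsa-sha2-512" for keys whose blob type stays "ssh-rsa";
RFC 8308 lets a server advertise what it accepts via "server-sig-algs".
Without that extension the client can only try names in turn, which is
what the retry loop below does. MockServer is a stand-in sshd.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Client preference: SHA-2 first, SHA-1 ("ssh-rsa") only as a last resort.
RSA_SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Inverse of ssh_string; returns (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def rsa_public_key_blob(e: bytes, n: bytes) -> bytes:
    """RFC 4253 'ssh-rsa' key blob. The type is always 'ssh-rsa'; only the
    signature name says whether SHA-1 or SHA-2 was used (RFC 8332)."""
    return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)


def publickey_request(user: str, sig_alg: str, key_blob: bytes, sig: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST body (RFC 4252 section 7) carrying a signature."""
    return (
        bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user.encode())
        + ssh_string(b"ssh-connection")
        + ssh_string(b"publickey")
        + b"\x01"                       # boolean TRUE: signature follows
        + ssh_string(sig_alg.encode())  # "rsa-sha2-256", "ssh-rsa", ...
        + ssh_string(key_blob)
        + ssh_string(ssh_string(sig_alg.encode()) + ssh_string(sig))
    )


def parse_server_sig_algs(ext_info: Dict[str, bytes]) -> Optional[Set[str]]:
    """'server-sig-algs' (RFC 8308): comma-separated name-list of signature
    algorithms the server accepts for userauth. None if it was not sent."""
    value = ext_info.get("server-sig-algs")
    if value is None:
        return None
    return {name for name in value.decode("ascii").split(",") if name}


def candidate_algs(server_sig_algs: Optional[Set[str]], prefer_sha1: bool = False) -> List[str]:
    """Ordered list of RSA signature names to attempt for an ssh-rsa key."""
    order = list(RSA_SIG_PREFERENCE)
    if prefer_sha1:  # opt-in for legacy servers that penalise failed attempts
        order.remove("ssh-rsa")
        order.insert(0, "ssh-rsa")
    if server_sig_algs is None:
        return order  # no EXT_INFO: nothing to filter on, try each in turn
    return [alg for alg in order if alg in server_sig_algs]


@dataclass
class MockServer:
    """Stand-in sshd: accepts a request iff its algorithm name is allowed."""
    accepted: Set[str]
    ext_info: Dict[str, bytes] = field(default_factory=dict)
    failures: int = 0

    def userauth(self, request: bytes) -> bool:
        off = 1                                   # skip message id
        for _ in range(3):                        # user, service, method
            _, off = read_ssh_string(request, off)
        off += 1                                  # boolean
        alg, _ = read_ssh_string(request, off)
        if alg.decode("ascii") in self.accepted:
            return True
        self.failures += 1
        return False


def authenticate(server: MockServer, user: str, key_blob: bytes,
                 prefer_sha1: bool = False) -> Tuple[Optional[str], int]:
    """Retry loop: try each candidate until one is accepted or all fail.
    Returns (accepted algorithm or None, number of requests sent)."""
    algs = candidate_algs(parse_server_sig_algs(server.ext_info), prefer_sha1)
    for attempt, alg in enumerate(algs, 1):
        req = publickey_request(user, alg, key_blob, b"<placeholder-signature>")
        if server.userauth(req):
            return alg, attempt
    return None, len(algs)


# Constructed placeholder key material (not a real key).
DEMO_KEY = rsa_public_key_blob(b"\x01\x00\x01", b"\x00\xaa\xbb\xcc")

if __name__ == "__main__":
    legacy = MockServer(accepted={"ssh-rsa"})   # like an ssh-rsa-only sshd
    print(authenticate(legacy, "jenkins", DEMO_KEY), "failures:", legacy.failures)
    modern = MockServer(accepted=set(RSA_SIG_PREFERENCE),
                        ext_info={"server-sig-algs": b"rsa-sha2-512,rsa-sha2-256,ssh-rsa"})
    print(authenticate(modern, "jenkins", DEMO_KEY), "failures:", modern.failures)
```

            Against the ssh-rsa-only mock the client succeeds on the third request after two rejections, which is the failure-penalty cost the RFC warns about; with `prefer_sha1=True` it succeeds on the first request at the price of a SHA-1 signature. When the mock advertises "server-sig-algs", the candidate list is filtered before anything is sent and no failed attempt is ever recorded.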
            jvz Matt Sicker made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            jvz Matt Sicker added a comment -

            https://github.com/jenkinsci/trilead-ssh2/pull/48

              People

              Assignee: jvz Matt Sicker
              Reporter: jvz Matt Sicker
              Votes: 0
              Watchers: 3