
Gerrit Trigger fails to connect Gerrit 2.14 - com.jcraft.jsch.JSchException: verify: false

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • Jenkins 2.387.1
      Gerrit 2.14.6
      Gerrit-Trigger-plugin-Version: 2.39.0
      Jsch Plugin Version: 0.2.8-65.v052c39de79b_2

      This had been all working until the latest plugin updates.  And does work with newer Gerrit version instances.

       

      Gerrit Trigger fails to connect Gerrit 2.14 - com.jcraft.jsch.JSchException: verify: false

      IOException: com.jcraft.jsch.JSchException: verify: false
          at com.jcraft.jsch.Session.connect(Session.java:330)
          at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionImpl.connect(SshConnectionImpl.java:196)
      Caused: com.sonymobile.tools.gerrit.gerritevents.ssh.SshException
          at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionImpl.connect(SshConnectionImpl.java:200)
          at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionFactory.getConnection(SshConnectionFactory.java:140)
          at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionFactory.getConnection(SshConnectionFactory.java:117)
          at com.sonymobile.tools.gerrit.gerritevents.GerritConnection.connect(GerritConnection.java:498)
          at com.sonymobile.tools.gerrit.gerritevents.GerritConnection.run(GerritConnection.java:404)

      Cannot connect to Gerrit server! Host:

          [JENKINS-71273] Gerrit Trigger fails to connect Gerrit 2.14 - com.jcraft.jsch.JSchException: verify: false

          Dirk Heinrichs added a comment - - edited

          Seems to be a problem with old, deprecated HOST key signing algorithms. Workaround might be to recreate the host keys of the remote.

          Anyway: This needs to be fixed here, too, by providing a method to still accept host keys signed with deprecated signing algorithms, just like OpenSSH does it.


          Marek added a comment - - edited

          Same here:

          Jenkins 2.387.3

          Gerrit 2.14.8

          Gerrit Trigger plugin 2.39.0

          JSch Dependency plugin: currently installed working OK: 0.1.55.61.va_e9ee26616e7, new version causing issues 0.2.8-65.v052c39de79b_2

          All other Jenkins plugins updated to latest version.


          Joerg Schwaerzler added a comment -

          For us the error looks similar, but probably is a different one?

          IOException: 
          com.jcraft.jsch.JSchException: verify: false
          	at com.jcraft.jsch.Session.connect(Session.java:330)
          	at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionImpl.connect(SshConnectionImpl.java:196)
          Caused: com.sonymobile.tools.gerrit.gerritevents.ssh.SshException
          	at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionImpl.connect(SshConnectionImpl.java:200)
          	at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionFactory.getConnection(SshConnectionFactory.java:140)
          	at com.sonymobile.tools.gerrit.gerritevents.ssh.SshConnectionFactory.getConnection(SshConnectionFactory.java:117)
          	at com.sonymobile.tools.gerrit.gerritevents.GerritConnection.connect(GerritConnection.java:498)
          	at com.sonymobile.tools.gerrit.gerritevents.GerritConnection.run(GerritConnection.java:404)

          Joerg Schwaerzler added a comment - - edited

          There is no hint whatsoever about the root cause in the Jenkins log. If I add a log recorder for com.jcraft.jsch, nothing will be displayed, regardless of the log level.


          Artur Rekawek added a comment - - edited

          Hi Jörg
          Try to downgrade only
          JSch Dependency plugin into 0.1.55.61.va_e9ee26616e7
           


          Joerg Schwaerzler added a comment -

          arturito We did already. No success. It may even be related to the server itself and have nothing to do with Jenkins at all. We will need to check.

          Marslo Jiao added a comment - - edited

          The "issue" is caused by the latest jsch plugin: using mwiede/jsch instead of jcraft/jsch

          And jsch since v2.0 disabled the ssh-rsa in 5fb0f736abdd98497a2906f8681db24072b6c67e , which modified jsch.server_host_key and PubkeyAcceptedAlgorithms ( jsch.client_pubkey ) as below, and it also shows in the readme of mwiede/jsch:

          So, it's pretty easy to re-enable by adding into `JAVA_OPT` via:

          -Djsch.client_pubkey="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
          -Djsch.server_host_key="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa" 

          works in Jenkins 2.401.1-lts-jdk11 and 2.411

           

          -------------------------------------------------

          btw, here are jsch plugin dependencies tree for jsch v0.2.8-65.v052c39de79b_2 in Jenkins 2.401.1-lts-jdk11

          jsch ( 0.2.8-65.v052c39de79b_2 )
          	|... ssh-credentials ( 305.v8f4381501156 )
          	|	|... credentials ( 1254.vb_96f366e7b_a_d )
          	|	|	|... structs ( 324.va_f5d6774f3a_d )
          	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... instance-identity ( 173.va_37c494ec4e5 )
          	|	|	|	|	|... bouncycastle-api ( 2.28 )
          	|	|	|... configuration-as-code ( 1647.ve39ca_b_829b_42 )
          	|	|	|	|... caffeine-api ( 3.1.6-115.vb_8b_b_328e59d8 )
          	|	|	|	|... commons-text-api ( 1.10.0-36.vc008c8fcda_7b_ )
          	|	|	|	|	|... commons-lang3-api ( 3.12.0-36.vd97de6465d5b_ )
          	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|... instance-identity ( 173.va_37c494ec4e5 )
          	|	|	|	|	|	|	|... bouncycastle-api ( 2.28 )
          	|	|	|	|... snakeyaml-api ( 1.33-95.va_b_a_e3e47b_fa_4 )
          	|	|... trilead-api ( 2.84.v72119de229b_7 )
          	|	|... instance-identity ( 173.va_37c494ec4e5 )
          	|	|	|... bouncycastle-api ( 2.28 )
          	|... trilead-api ( 2.84.v72119de229b_7 )
          	|... javax-activation-api ( 1.2.0-6 )
          	|... javax-mail-api ( 1.6.2-9 )
          	|	|... javax-activation-api ( 1.2.0-6 )
          	|... instance-identity ( 173.va_37c494ec4e5 )
          	|	|... bouncycastle-api ( 2.28 )
           

          and this is the jsch v0.1.55.61.va_e9ee26616e7 dependencies tree list:

          jsch ( 0.1.55.61.va_e9ee26616e7 )
          	|... ssh-credentials ( 305.v8f4381501156 )
          	|	|... credentials ( 1224.vc23ca_a_9a_2cb_0 )
          	|	|	|... structs ( 324.va_f5d6774f3a_d )
          	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... instance-identity ( 142.v04572ca_5b_265 )
          	|	|	|	|	|... bouncycastle-api ( 2.27 )
          	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|... configuration-as-code ( 1625.v27444588cc3d )
          	|	|	|	|... caffeine-api ( 3.1.6-115.vb_8b_b_328e59d8 )
          	|	|	|	|... commons-text-api ( 1.10.0-36.vc008c8fcda_7b_ )
          	|	|	|	|	|... commons-lang3-api ( 3.12.0-36.vd97de6465d5b_ )
          	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|... instance-identity ( 142.v04572ca_5b_265 )
          	|	|	|	|	|	|	|... bouncycastle-api ( 2.27 )
          	|	|	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... snakeyaml-api ( 1.33-95.va_b_a_e3e47b_fa_4 )
          	|	|... trilead-api ( 2.84.v72119de229b_7 )
          	|	|... instance-identity ( 142.v04572ca_5b_265 )
          	|	|	|... bouncycastle-api ( 2.27 )
          	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|... trilead-api ( 2.84.v72119de229b_7 )
          	|... javax-activation-api ( 1.2.0-6 )
          	|... javax-mail-api ( 1.6.2-9 )
          	|	|... javax-activation-api ( 1.2.0-6 )
          	|... instance-identity ( 142.v04572ca_5b_265 )
          	|	|... bouncycastle-api ( 2.27 )
          	|	|	|... javax-activation-api ( 1.2.0-6 )
          	|	|	|... javax-mail-api ( 1.6.2-9 )
          	|	|	|	|... javax-activation-api ( 1.2.0-6 )
          

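The workaround above appends ssh-rsa at the end of the `jsch.server_host_key` list. The following added example (not part of the issue thread or of any plugin's code) shows why that position matters: under RFC 4253 section 7.1 the first algorithm on the client's list that the server also offers is chosen, so ssh-rsa is only used against servers that offer nothing newer. The server offer lists and the `-Xmx2g` option are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the issue thread. Server lists and -Xmx2g are constructed.

# Print the value of one -D<prop>=... token in a JVM option string,
# with surrounding double quotes stripped. Fails if the property is absent.
jvm_prop() {  # $1 = option string, $2 = property name
  for tok in $1; do
    case "$tok" in
      "-D$2="*)
        tok=${tok#"-D$2="}
        tok=${tok%\"}
        printf '%s\n' "${tok#\"}"
        return 0 ;;
    esac
  done
  return 1
}

# RFC 4253 section 7.1, simplified (ignores the key-exchange capability
# requirement): pick the first client algorithm the server also offers.
negotiate() {  # $1 = client list, $2 = server list, both comma-separated
  old_ifs=$IFS
  IFS=,
  for c in $1; do
    case ",$2," in
      *",$c,"*) IFS=$old_ifs; printf '%s\n' "$c"; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

report() {  # $1 = label, $2 = client list, $3 = server list
  printf '%-26s -> %s\n' "$1" "$(negotiate "$2" "$3" || echo 'no common algorithm')"
}

# Option string as it would appear in a service config file (list taken from the comment).
JAVA_OPTS_SAMPLE='-Xmx2g -Djsch.server_host_key="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"'
LEGACY_SERVER='ssh-rsa'                        # constructed: offers only ssh-rsa
MODERN_SERVER='rsa-sha2-512,rsa-sha2-256,ssh-rsa'  # constructed: RSA key, SHA-2 capable

CLIENT=$(jvm_prop "$JAVA_OPTS_SAMPLE" jsch.server_host_key)
report 'legacy, ssh-rsa dropped'  "${CLIENT%,ssh-rsa}" "$LEGACY_SERVER"
report 'legacy, ssh-rsa appended' "$CLIENT" "$LEGACY_SERVER"
report 'modern, ssh-rsa appended' "$CLIENT" "$MODERN_SERVER"
```
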

          Felipe Santos added a comment -

          The `JAVA_OPT` trick works like a charm. Thanks a lot, marslo!


          Upendra kumar added a comment -

          Adding 'JAVA_OPT' is not working for me. Do we have any other workaround?


          Marslo Jiao added a comment - - edited

          Hi upendrajnks ,

           

          for me at least, the Gerrit trigger plugin requires the JAVA_OPT and Git Host Key Verification Configuration ( Manage Jenkins -> Security ) is necessary. i.e.:

          $ ssh-keyscan -H github.com
          # or
          $ ssh-keyscan -t ed25519 -H github.com 

          for git plugin, you have to setup ~/.ssh/config in JENKINS_HOME, sample as below:

          HOST  *
                HostkeyAlgorithms        +ssh-rsa
                PubkeyAcceptedAlgorithms +ssh-rsa
          


            rsandell rsandell
            dwcook Dennis