[JIRA] (JENKINS-62195) ec2-1.50.2 doesn't work with SSH <7.5


multani (JIRA)

May 7, 2020, 2:13:03 AM5/7/20
to jenkinsc...@googlegroups.com
Jonathan Ballet created an issue
 
Jenkins / Bug JENKINS-62195
ec2-1.50.2 doesn't work with SSH <7.5
Issue Type: Bug
Assignee: FABRIZIO MANFREDI
Components: ec2-plugin
Created: 2020-05-07 06:12
Priority: Critical
Reporter: Jonathan Ballet

Version 1.50.2 introduces security mitigations by proposing new options for SSH.

2 of the 3 options have been introduced by [SSH version 7.6](https://www.openssh.com/txt/release-7.6):

  • ssh(1): expand the StrictHostKeyChecking option with two new
    settings. The first "accept-new" will automatically accept
    hitherto-unseen keys but will refuse connections for changed or
    invalid hostkeys. This is a safer subset of the current behaviour
    of StrictHostKeyChecking=no. The second setting "off", is a synonym
    for the current behaviour of StrictHostKeyChecking=no: accept new
    host keys, and continue connection for hosts with incorrect
    hostkeys. A future release will change the meaning of
    StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400

Although it was released almost 3 years ago, this seriously breaks compatibility with non-recent Jenkins installations.

For instance, the current default Docker image for Jenkins is currently based off Debian Stretch which provides SSH 7.4 and doesn't support these new options:
```
$ docker run --rm -ti jenkins/jenkins:2.235 ssh -o StrictHostKeyChecking=off
command-line line 0: unsupported option "off".
$ docker run --rm -ti jenkins/jenkins:2.235 ssh -o StrictHostKeyChecking=accept-new
command-line line 0: unsupported option "accept-new".
$ docker run --rm -ti jenkins/jenkins:lts ssh -o StrictHostKeyChecking=accept-new
command-line line 0: unsupported option "accept-new".
```


dtroup@hotmail.com (JIRA)

May 7, 2020, 6:43:03 AM5/7/20
to jenkinsc...@googlegroups.com
David Troup commented on Bug JENKINS-62195
 
Re: ec2-1.50.2 doesn't work with SSH <7.5

You can change the strategy in the config

[Screenshot: Host Key Verification Strategy in cloud config]

john@jeffers.cc (JIRA)

May 7, 2020, 11:26:03 PM5/7/20
to jenkinsc...@googlegroups.com

Confirmed, happening here as well. We are using the latest LTS image, jenkins/jenkins:2.222.3

```
root@jenkins-master-fb7584fbb-s6nnl:/# ssh -V
OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
```

Also worth noting that when I attempted to downgrade the plugin, it did not downgrade properly and instead seemed to uninstall the plugin, taking all of its config with it. I had to manually downgrade and restore config.xml from a backup. I believe this has something to do with the ec2.xml file it drops into $JENKINS_HOME, because I could not get 1.50.1 working again until I removed that file.

o.v.nenashev@gmail.com (JIRA)

May 8, 2020, 9:06:03 AM5/8/20
to jenkinsc...@googlegroups.com
Oleg Nenashev assigned an issue to Unassigned
 
Change By: Oleg Nenashev
Assignee: FABRIZIO MANFREDI → Unassigned

o.v.nenashev@gmail.com (JIRA)

May 8, 2020, 9:06:05 AM5/8/20
to jenkinsc...@googlegroups.com
Oleg Nenashev updated an issue
Change By: Oleg Nenashev
Labels: regression

o.v.nenashev@gmail.com (JIRA)

May 8, 2020, 9:10:02 AM5/8/20
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Bug JENKINS-62195
 
Re: ec2-1.50.2 doesn't work with SSH <7.5

We also hit the issues after upgrading the plugin on ci.jenkins.io which currently uses the plugin to provision agents in AWS. https://groups.google.com/forum/#!topic/jenkinsci-dev/2_WmJWSjtuc for a general discussion about agents stability, CC Mark Waite.

Daniel Beck FYI this plugin is not really within the scope of the platform SIG. I am working to get the issue reviewed by the maintainers, but it is unlikely to happen immediately due to bank holidays, etc.

manuelramonleonjimenez@gmail.com (JIRA)

May 8, 2020, 9:30:02 AM5/8/20
to jenkinsc...@googlegroups.com
Ramon Leon assigned an issue to Ramon Leon
 
Change By: Ramon Leon
Assignee: Ramon Leon

rcampbell@cloudbees.com (JIRA)

May 8, 2020, 9:36:02 AM5/8/20
to jenkinsc...@googlegroups.com
Ryan Campbell commented on Bug JENKINS-62195
 
Re: ec2-1.50.2 doesn't work with SSH <7.5

Noting in case it isn't clear, that a valid workaround is to update the ssh client to a more recent version which supports these more secure options.

dbeck@cloudbees.com (JIRA)

May 8, 2020, 9:39:04 AM5/8/20
to jenkinsc...@googlegroups.com

Oleg Nenashev As this problem seems to occur because of very outdated base images, it's reasonable to inform the SIG about the consequences of that.

mark.earl.waite@gmail.com (JIRA)

May 8, 2020, 10:02:03 AM5/8/20
to jenkinsc...@googlegroups.com

Yes, Debian Stretch is the current Debian "oldstable" release and is delivering OpenSSH 7.4p1. It is a distribution which the Debian project continues to patch and will continue to patch until the release of Debian next-stable ("Bullseye"). No release date has been set for Bullseye. After Bullseye releases, Debian Stretch will stop receiving patches.

Red Hat 7 and CentOS 7 are also still actively being patched by their maintainers and are delivering OpenSSH 7.4p1. Red Hat Enterprise Linux 7 is slated to be supported through 2024.

mark.earl.waite@gmail.com (JIRA)

May 8, 2020, 10:22:03 AM5/8/20
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-62195
Yes, Debian Stretch is the current Debian "[oldstable](https://wiki.debian.org/DebianOldStable)" release and is delivering OpenSSH 7.4p1. It is a distribution which the Debian project continues to patch and will continue to patch until the release of [Debian next-stable](https://wiki.debian.org/DebianReleases) ("Bullseye"). No release date has been set for Bullseye. After Bullseye releases, Debian Stretch will stop receiving patches.

Daniel Beck is correct that we'll need to update the Docker base images. That seems like a good topic for the Platform SIG and a good place to reach consensus on labeling patterns and practices.

Red Hat 7 and CentOS 7 are also still actively being patched by their maintainers and are delivering OpenSSH 7.4p1. Red Hat Enterprise Linux 7 is slated to be [supported through 2024](https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Product_life_cycle).

manuelramonleonjimenez@gmail.com (JIRA)

May 8, 2020, 10:35:03 AM5/8/20
to jenkinsc...@googlegroups.com

Another workaround is to set the strategy to Check New Hard which will set the option to yes which is supported by all versions. This strategy requires the key is added to the known_hosts file

Another workaround is to avoid using the ssh command and the plugin will use a pure-java ssh command to do that.

manuelramonleonjimenez@gmail.com (JIRA)

May 8, 2020, 10:35:05 AM5/8/20
to jenkinsc...@googlegroups.com
Ramon Leon edited a comment on Bug JENKINS-62195
Another workaround is to set the strategy to Check New Hard which will set the option to yes which is supported by all versions. This strategy requires the key is added to the known_hosts file

Another workaround is to avoid using the ssh command and the plugin will use a pure-java ssh client to do the connection.
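The ticket above pins the failure to the client version (an OpenSSH 7.4 client rejects `accept-new` and `off` while parsing its options, before any connection is made), and the workarounds in this comment come down to handing the client a value it accepts: `yes` with a pre-populated known_hosts (the Check New Hard strategy) or `no`, the long-standing synonym of `off`. The POSIX shell snippet below is an added example, not code from the ec2-plugin or from any commenter: it parses an `ssh -V` line, decides whether the client is at least 7.6, and maps the desired StrictHostKeyChecking value to one the client will accept. The function names and the second sample version line are constructed assumptions of mine; the first sample line is the one John Jeffers quoted in this thread.

```shell
#!/bin/sh
# Added example (not part of the ec2-plugin): map the host-key verification
# value the plugin wants to one the installed OpenSSH client accepts.
# "accept-new" and "off" exist only since OpenSSH 7.6; older clients reject
# them at option-parsing time ("command-line line 0: unsupported option").

# Extract "major.minor" from an "ssh -V" line such as
#   OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
# Prints nothing if the line does not look like OpenSSH output.
openssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if the "ssh -V" line reports OpenSSH 7.6 or newer, 1 otherwise
# (an unrecognised line is treated as "old" so we never emit an option the
# client might not understand).
openssh_at_least_7_6() {
  v=$(openssh_version "$1")
  [ -n "$v" ] || return 1
  major=${v%%.*}
  minor=${v#*.}
  if [ "$major" -gt 7 ]; then return 0; fi
  if [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; then return 0; fi
  return 1
}

# Usage: compat_strict_hostkey_option DESIRED "$(ssh -V 2>&1)"
# (ssh -V writes to stderr, hence the redirect.)
# Prints the StrictHostKeyChecking value to pass as "ssh -o StrictHostKeyChecking=...".
compat_strict_hostkey_option() {
  desired=$1
  vline=$2
  if openssh_at_least_7_6 "$vline"; then
    printf '%s\n' "$desired"
    return 0
  fi
  case $desired in
    accept-new)
      # Old clients have no "pin on first use" mode; the only safe fallback
      # is strict checking, which requires the host key to already be in
      # known_hosts (the Check New Hard strategy from this thread).
      printf 'yes\n' ;;
    off)
      # "off" was introduced in 7.6 as a synonym for "no".
      printf 'no\n' ;;
    yes|no|ask)
      printf '%s\n' "$desired" ;;
    *)
      printf 'unknown StrictHostKeyChecking value: %s\n' "$desired" >&2
      return 2 ;;
  esac
}

# Stand-alone demo with constructed "ssh -V" lines; the first is the one
# quoted in this ticket, the second is a made-up newer client.
for line in 'OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019' \
            'OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020'; do
  printf '%s\n  accept-new -> %s, off -> %s\n' "$line" \
    "$(compat_strict_hostkey_option accept-new "$line")" \
    "$(compat_strict_hostkey_option off "$line")"
done
```

The `yes` fallback only helps when the agent's host key is already in known_hosts; an old client has nothing equivalent to accept-new's accept-then-pin behaviour, so a controller that cannot pre-seed the file is left choosing between strict checking that fails and `no`, which keeps connecting even when a host key has changed.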

manuelramonleonjimenez@gmail.com (JIRA)

May 8, 2020, 11:03:09 AM5/8/20
to jenkinsc...@googlegroups.com

A PR to use the no option instead of off, which these days is still a synonym, although it was advertised (in 2017) that they may differ in the future:

https://github.com/jenkinsci/ec2-plugin/pull/460

manuelramonleonjimenez@gmail.com (JIRA)

May 8, 2020, 11:03:12 AM5/8/20
to jenkinsc...@googlegroups.com
Ramon Leon started work on Bug JENKINS-62195
 
Change By: Ramon Leon
Status: Open → In Progress

manuelramonleonjimenez@gmail.com (JIRA)

May 10, 2020, 2:52:03 AM5/10/20
to jenkinsc...@googlegroups.com
 
Re: ec2-1.50.2 doesn't work with SSH <7.5

Another PR with the documentation updated: https://github.com/jenkinsci/ec2-plugin/pull/455 , best to use this one.

john@jeffers.cc (JIRA)

May 10, 2020, 12:06:04 PM5/10/20
to jenkinsc...@googlegroups.com

Thank you. I was lucky that I had a backup to recover from. Would have been very bad otherwise.
