AES256-CTR support in Publish over SSH and JSch dependency Plugins


chief.vi...@gmail.com

May 9, 2018, 10:47:21 PM
to Jenkins Users
The SSH client in the Publish over SSH plugin, which uses the JSch dependency plugin, only supports the following ciphers: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
OpenSSH 7.* is disabling cbc modes of the ciphers and also not offering CBC ciphers by default. 
 * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST
   ciphers.
 * ssh(1): do not offer CBC ciphers by default.

It now enables the following ciphers by default: aes192-ctr and aes256-ctr. 
What are the plans to support these (aes192-ctr and aes256-ctr) ciphers in these plugins?

Thanks!

chief.vi...@gmail.com

May 11, 2018, 6:41:10 AM
to Jenkins Users
Just to add, all products are at their latest versions:
Jenkins: 2.121
JSch dependency plugin: 0.1.54.2 (Jenkins plugin that brings the JSch library as a plugin dependency, and provides an SSHAuthenticatorFactory for using JSch with the ssh-credentials plugin.)
Publish Over SSH: 1.19.1 (Send build artifacts over SSH)

There isn't an issue queue on the plugin developers' GitHub pages, so hoping someone sees it over here.

Thanks!

chief.vi...@gmail.com

Jul 12, 2018, 7:09:12 PM
to Jenkins Users
Anyone from the "Publish over SSH" and "JSch dependency" plugins teams that can help with this?


On Wednesday, May 9, 2018 at 7:47:21 PM UTC-7, chief.vi...@gmail.com wrote:

Slide

Jul 12, 2018, 7:15:53 PM
to jenkins...@googlegroups.com
From looking at the Jsch website (http://www.jcraft.com/jsch/), they show the following in 0.15.4 which is what is used in the Jsch Plugin 0.15.4.2, which is what is used in Publish Over SSH 1.19.1

  • Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256

So, I don't think there is an issue, unless I am missing something.


Chief Vitalstatix

Aug 2, 2018, 2:53:13 PM
to jenkins...@googlegroups.com
The website says it supports it, but when the Publish Over SSH plugin connects, the sshd log throws the following error:
"fatal: no matching cipher found: client aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc server aes256-ctr"
and the corresponding error on Jenkins is:
"jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [Config-Name]. Message [Algorithm negotiation fail]]"

If the Jsch plugin supports the new Ciphers, then the config file that the Jsch client uses to exchange Cipher info with the server doesn't seem to be updated.

The native ssh client on the Jenkins (client) works well with the remote server. Not the Jsch ssh client that the Publish Over plugin uses.

Ivan Fernandez Calvo

Aug 3, 2018, 1:19:16 PM
to Jenkins Users
Check that your JDK supports the cipher and that it is not disabled. This page, https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider, says the following:

Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files. See Import Limits on Cryptographic Algorithms.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
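
An added example (not part of the thread, and not code from either plugin) of the JDK check suggested in the last reply: it asks the JVM for its maximum allowed AES key length and tries to initialise AES-CTR at 128, 192 and 256 bits. It uses only standard `javax.crypto` calls; the class name `AesCtrCheck` is hypothetical, and it assumes you run it with the same JVM that runs Jenkins.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports which AES-CTR key sizes this JVM will actually initialise.
public class AesCtrCheck {

    // True if the JVM's crypto policy and providers allow AES/CTR with this key size.
    static boolean ctrUsable(int keyBits) {
        try {
            byte[] key = new byte[keyBits / 8]; // all-zero key, constructed for this check only
            byte[] iv = new byte[16];           // AES block size
            Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            c.doFinal(new byte[16]);
            return true;
        } catch (GeneralSecurityException e) {
            // InvalidKeyException ("Illegal key size") is the limited-policy symptom.
            System.out.println("  aes" + keyBits + "-ctr failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Print which JVM is being tested, so it can be compared with the one running Jenkins.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max allowed AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("aes" + bits + "-ctr usable: " + ctrUsable(bits));
        }

        if (max < 256) {
            // Consistent with a client offer that lists aes128-ctr but no aes192-ctr/aes256-ctr.
            System.out.println("This JVM restricts AES below 256 bits; "
                    + "see the JCE Unlimited Strength policy note quoted above.");
        }
    }
}
```

Compile and run it with the `javac` and `java` binaries from the JDK that Jenkins uses, then compare the `java.home` it prints with the Jenkins process.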
