I think you've detected a bug (or likely multiple bugs). I think they may be due to the recent updates to the trilead ssh library in the weekly build. Thanks for detecting them!
Passing Test Configuration
I have a Docker configuration that is running Jenkins 2.46.2 with "Manually provided Key Verification Strategy". That master uses ssh agents connected to various physical machines for platform testing, including Debian 7, Debian 8, Ubuntu 14, Ubuntu 16, CentOS 6, CentOS 7, Windows 7, and Windows 10. Each of the Linux agents in that configuration includes the host key in the agent configuration and connects successfully no matter where I run that docker instance inside my network.
Failing Test Configuration
If I take that same configuration and replace Jenkins 2.46.2 with Jenkins 2.58, I see multiple failures.
- None of the ssh agents connect at startup with Jenkins 2.58. The log reports "WARNING: The SSH key for this host does not match the key required in the connection configuration" and reports "java.io.IOException: Key exchange was not finished, connection is closed" and reports "The server hostkey was not accepted by the verifier callback".
- If I reconfigure each agent to switch from "Manually provided Key Verification Strategy" to "Non verifying Verification Strategy", then the Debian 8, Ubuntu 14, Ubuntu 16, CentOS 6, and CentOS 7 ssh based agents are able to connect. The Debian 7 ssh based agent is not able to connect. It reports "IOException: There was a problem while connecting to wheezy64b.markwaite.net:22" and "IOException: Key exchange was not finished, connection is closed" and "IOException: Cannot read full block, EOF reached". Note, the "Cannot read full block" is a different failure message than the other platforms.
I suspect the ssh implementation on Debian 7 is too old for the changes that were made to the trilead ssh implementation recently. That would explain the failure you (and I) are seeing with Debian 7. If that is correct, then there may be nothing to be done about the issue, since Debian 7 is rapidly approaching its end of life. The Debian project will likely stop supporting Debian 7 as soon as they release Debian 9. Your likely best solution (for now) is to stay with the Jenkins 2.46.2 long term support release.
I can't explain why the "Manually provided Key Verification Strategy" no longer works.
There was a surprising stack trace in the startup of my docker instance using 2.58 which isn't there with 2.46.2. It says:
May 02, 2017 6:26:03 AM hudson.init.impl.InstallUncaughtExceptionHandler$DefaultUncaughtExceptionHandler uncaughtException
SEVERE: A thread (Thread-30/307) died unexpectedly due to an uncaught exception, this may leave your Jenkins in a bad way and is usually indicative of a bug in the code.
java.lang.NullPointerException
    at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:447)
    at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:790)
    at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:502)
    at java.lang.Thread.run(Thread.java:745)
That may have something to do with at least one of the failures.
Could you log a bug so that this can be tracked? We want some time to review the behavior before the base Jenkins version is chosen for the next long term support release.
Mark Waite
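
Added example (not part of the original message, and not Jenkins or trilead code): when triaging the "SSH key for this host does not match" warning, one useful check is to compare the key pinned in the agent configuration with the key the host presents, telling a different key type apart from a changed key of the same type. All function names and the sample keys below are constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line: str):
    """Parse '<type> <base64-blob> [comment]' into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64>'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    # The blob starts with its own type name; a disagreement with the
    # text prefix means the pinned key was mangled or mis-pasted.
    if 4 + n > len(blob) or embedded != declared:
        raise ValueError(f"declared {declared!r}, blob holds {embedded!r}")
    return declared, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by OpenSSH tools."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(configured: str, presented: str) -> str:
    """Return 'match', 'type-mismatch' or 'key-mismatch'."""
    c_type, c_blob = parse_public_key(configured)
    p_type, p_blob = parse_public_key(presented)
    if c_type != p_type:
        return "type-mismatch"
    return "match" if c_blob == p_blob else "key-mismatch"


def make_sample_key(key_type: str, fill: int) -> str:
    """Build a constructed (not real) key line for the demonstration."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(bytes([fill]) * 32)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"


if __name__ == "__main__":
    pinned, offered = make_sample_key("ssh-rsa", 1), make_sample_key("ssh-ed25519", 2)
    print(compare_host_keys(pinned, offered), fingerprint(parse_public_key(offered)[1]))
```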