[JIRA] (JENKINS-36873) ssh credentials does not support newer MAC/KEX also due to outdated trilead-ssh2


hashar@free.fr (JIRA)

Jul 22, 2016, 6:57:02 AM
to jenkinsc...@googlegroups.com
Antoine Musso created an issue
 
Jenkins / Bug JENKINS-36873
ssh credentials does not support newer MAC/KEX also due to outdated trilead-ssh2
Issue Type: Bug
Assignee: stephenconnolly
Components: core, credentials-plugin
Created: 2016/Jul/22 10:56 AM
Environment: Jenkins 1.651
Priority: Major
Reporter: Antoine Musso

The ssh credentials plugin is unable to connect to slaves that have newer algorithms.

The keys from Jenkins (client) and slave (server below) have:
{{
fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac...@openssh.com [preauth]
}}

Jenkins yields a trace:
{{
[06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[06/22/15 14:49:06] Launch failed - cleaning up connection
[06/22/15 14:49:06] [SSH] Connection closed.
}}

On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256, but that is not supported by Trilead SSH. As I understand it, that Java installation is stale/no longer updated by upstream, and Jenkins core provides its own fork.

Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle.

The workaround is to configure the slaves with some outdated algorithms supported by Trilead.

Our bug https://phabricator.wikimedia.org/T103351


hashar@free.fr (JIRA)

Jul 22, 2016, 7:00:01 AM
to jenkinsc...@googlegroups.com
Antoine Musso updated an issue
Change By: Antoine Musso
The ssh credentials plugin is unable to connect to slaves that have newer algorithms.

The keys from Jenkins (client) and slave (server below) have:
{noformat}
fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac...@openssh.com [preauth]
{noformat}

Jenkins yields a trace:
{noformat}
[06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[06/22/15 14:49:06] Launch failed - cleaning up connection
[06/22/15 14:49:06] [SSH] Connection closed.
{noformat}


On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256, but that is not supported by Trilead SSH. As I understand it, that Java installation is stale/no longer updated by upstream, and Jenkins core provides its own fork.

Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle.

The workaround is to configure the slaves with some outdated algorithms supported by Trilead :(

Our bug https://phabricator.wikimedia.org/T103351
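
The negotiation failure reported above can be triaged straight from the sshd log. The following is an added example, not part of the original report and not Jenkins or Trilead code: it parses a "no matching ... found" entry, applies the RFC 4253 rule (first client name that the server also lists), and reports what each side would have to change. The sample log is constructed, its server list keeps only the two MAC names that are fully legible in the report, and treating MD5- and SHA-1-based MACs as legacy is an assumption of this example.

```python
import re

# Constructed sample in the shape of the sshd message quoted in the report.
# The server list keeps only the two names that are fully legible on the page.
SAMPLE_LOG = """\
fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha2-512,hmac-sha2-256 [preauth]
"""

# Assumption for this example: MD5- and SHA-1-based MACs count as legacy.
LEGACY_MARKERS = ("md5", "sha1")

_FAILURE = re.compile(
    r"no matching (?P<kind>\w+) found:\s*"
    r"client:?\s*(?P<client>\S+)\s+server:?\s*(?P<server>\S+)"
)


def parse_failures(log_text):
    """Return one dict per 'no matching <kind> found' entry in log_text."""
    return [
        {
            "kind": m.group("kind"),
            "client": m.group("client").split(","),
            "server": m.group("server").split(","),
        }
        for m in _FAILURE.finditer(log_text)
    ]


def negotiate(client, server):
    """RFC 4253 section 7.1: first client name that the server also lists."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def is_legacy(name):
    """True if the algorithm name contains one of the legacy markers."""
    return any(marker in name for marker in LEGACY_MARKERS)


def triage(failure):
    """Describe what each side of the failed negotiation would have to change."""
    client, server = failure["client"], failure["server"]
    return {
        "negotiated": negotiate(client, server),
        # Names the server would need to re-enable for this client to connect.
        "server_would_need_one_of": client,
        "all_client_offers_legacy": all(is_legacy(n) for n in client),
        # Names the client library would need to implement instead.
        "client_should_support_one_of": [n for n in server if not is_legacy(n)],
    }
```

Running `triage(parse_failures(SAMPLE_LOG)[0])` shows that every MAC the client offers is legacy, so the only server-side fix is to re-enable one of them, while the client-side fix is to support one of the SHA-2 MACs.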
