[JIRA] [ssh-slaves-plugin] (JENKINS-33021) trilead ssh MAC and key exchange algorithms severely outdated


emma@talwyn.nl (JIRA)

Feb 18, 2016, 3:52:02 PM2/18/16
to jenkinsc...@googlegroups.com
Emma Laurijssens created an issue
 
Jenkins / Improvement JENKINS-33021
trilead ssh MAC and key exchange algorithms severely outdated
Issue Type: Improvement
Assignee: Kohsuke Kawaguchi
Components: ssh-slaves-plugin
Created: 18/Feb/16 8:51 PM
Environment: Jenkins 1.647, ssh-slaves-plugin 1.10
Priority: Minor
Reporter: Emma Laurijssens

The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

{{sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,uma...@openssh.com,hmac-ripemd160 [preauth]}}

In JENKINS-14709 a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: Ganymed commits. It does seem to support hmac-sha2 macs though.

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

olli.rajala@wapice.com (JIRA)

Mar 4, 2016, 5:22:01 AM3/4/16
to jenkinsc...@googlegroups.com
Olli Rajala commented on Improvement JENKINS-33021
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

This is a critical issue for us, because our security policy dictates that we must have quite strict ssh cipher settings configured to all our ssh servers.

olli.rajala@wapice.com (JIRA)

Mar 4, 2016, 5:23:01 AM3/4/16
to jenkinsc...@googlegroups.com

o.v.nenashev@gmail.com (JIRA)

Apr 11, 2016, 3:49:01 PM4/11/16
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Improvement JENKINS-33021
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

I see the same issue when I connect the clean Ubuntu Server 14.04 LTS with the latest openssh-server from the update center

o.v.nenashev@gmail.com (JIRA)

Apr 11, 2016, 3:50:01 PM4/11/16
to jenkinsc...@googlegroups.com

o.v.nenashev@gmail.com (JIRA)

Apr 12, 2016, 2:40:01 PM4/12/16
to jenkinsc...@googlegroups.com
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

In my case I had to weaken the security settings and use the common RSA algorithm.

o.v.nenashev@gmail.com (JIRA)

Apr 12, 2016, 2:41:01 PM4/12/16
to jenkinsc...@googlegroups.com
Oleg Nenashev edited a comment on Improvement JENKINS-33021
I see the same issue when I connect the clean Ubuntu Server 14.04.4 LTS with the latest openssh-server from the update center

biogerm@gmail.com (JIRA)

Jul 6, 2016, 9:29:01 AM7/6/16
to jenkinsc...@googlegroups.com
Ryan An commented on Improvement JENKINS-33021

I used another fork of Trilead ssh2 instead, which has sha256 implemented.

It's called ConnectBot sshlib, available on GitHub: https://github.com/connectbot/sshlib


hashar@free.fr (JIRA)

Jul 22, 2016, 7:02:02 AM7/22/16
to jenkinsc...@googlegroups.com
Antoine Musso updated an issue
 
Change By: Antoine Musso
The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

{noformat}
sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,uma...@openssh.com,hmac-ripemd160 [preauth]
{noformat}

In [JENKINS-14709|http://jenkins-ci.org/issue/14709] a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: [Ganymed commits|https://code.google.com/archive/p/ganymed-ssh-2/source/default/commits]. It does seem to support hmac-sha2 macs though.

hashar@free.fr (JIRA)

Jul 22, 2016, 7:05:04 AM7/22/16
to jenkinsc...@googlegroups.com
Antoine Musso updated an issue
The supported macs and kex methods in trilead are severely outdated, resulting in connection issues with properly secured ssh daemons on target machines. For instance:

{noformat}
sshd[9800]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512,uma...@openssh.com,hmac-ripemd160 [preauth]
{noformat}

In [JENKINS-14709|http://jenkins-ci.org/issue/14709] a suggestion is made to replace trilead with orion, but Orion is not being maintained either. Orion refers to Ganymed, but even that hasn't been looked at for almost 2 years: [Ganymed commits|https://code.google.com/archive/p/ganymed-ssh-2/source/default/commits]. It does seem to support hmac-sha2 macs though.


From JENKINS-36873 (dupe)

The ssh credentials plugin is unable to connect to slaves that have newer algorithms

The keys from Jenkins (client) and slave (server below) have:
{noformat}

fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac...@openssh.com [preauth]
{noformat}

Jenkins yields a trace:
{noformat}
[06/22/15 14:49:05] [SSH] Opening SSH connection to 10.68.16.150:22.
Key exchange was not finished, connection is closed.
ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!
at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[06/22/15 14:49:06] Launch failed - cleaning up connection
[06/22/15 14:49:06] [SSH] Connection closed.
{noformat}

On our slaves we would like to have hmac-sha2-512 / hmac-sha2-256, but that is not supported by Trilead SSH.
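The negotiation failure in the sshd messages quoted above, worked through as an added example (not code from the issue, Jenkins or the trilead library): it parses both log layouts shown in this thread, applies the RFC 4253 selection rule to explain why sshd found no common MAC, and flags the client algorithms that are weak by today's standards. The sample log text is constructed, modelled on the quoted lines.

```python
"""Diagnose an SSH MAC negotiation failure from an sshd log line.

Added example, not code from the Jenkins issue or the trilead library. It
applies the RFC 4253 rule (first client-preferred MAC the server also offers
wins) to the "no matching mac found" message and flags weak client MACs.
The sample log text is constructed, modelled on the lines quoted above.
"""
import re

# The MACs trilead offers in the quoted log: MD5-based, SHA-1-based or truncated.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-sha1"}

# Matches both layouts quoted above: "client a,b server c,d" on one line,
# and "client: a,b" / "server: c,d" on separate lines.
_LIST_RE = re.compile(r"\b(client|server):?\s+([\w@.\-,]+)")

# Constructed samples (the issue's server list is truncated; real names are used).
SAMPLE_ONE_LINE = (
    "sshd[9800]: fatal: no matching mac found: "
    "client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 "
    "server hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-ripemd160 [preauth]"
)
SAMPLE_MULTI_LINE = """fatal: no matching mac found:
client: hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5
server: hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]"""


def parse_mac_lists(log_text):
    """Return (client_macs, server_macs) in the order each side listed them."""
    found = {side: [a for a in algos.split(",") if a]
             for side, algos in _LIST_RE.findall(log_text)}
    return found.get("client", []), found.get("server", [])


def negotiate(client_macs, server_macs):
    """RFC 4253 section 7.1: the first client-listed algorithm the server also
    supports is chosen; None means sshd refuses the connection."""
    server_set = set(server_macs)
    return next((a for a in client_macs if a in server_set), None)


def diagnose(log_text):
    """Explain a failure: what would be chosen, and what each side offers."""
    client, server = parse_mac_lists(log_text)
    return {
        "negotiated": negotiate(client, server),
        # True when re-enabling one of the client's MACs on sshd (the workaround
        # discussed in this thread) can only pick a weak algorithm.
        "client_only_weak": bool(client) and all(a in WEAK_MACS for a in client),
        "server_strong": [a for a in server if a not in WEAK_MACS],
    }
```

Running `diagnose` on either sample returns `negotiated: None` with `client_only_weak: True`, which is the situation the thread describes: the only way to connect is to re-enable a SHA-1 or MD5 MAC on the server.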

hashar@free.fr (JIRA)

Jul 22, 2016, 7:06:02 AM7/22/16
to jenkinsc...@googlegroups.com
Antoine Musso commented on Improvement JENKINS-33021
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

I have added a trace / some details from the duplicate task I have filed, JENKINS-36873. As I understand it, that Java installation is stale/no longer updated by upstream and Jenkins core provides its own fork. Looks like the proper way to fix it would be to remove Trilead entirely and switch to another SSH implementation. Maybe Bouncy Castle?

The workaround is to configure the slaves with some outdated algorithms supported by Trilead.

Our bug, for my own reference: https://phabricator.wikimedia.org/T103351

hashar@free.fr (JIRA)

Jul 22, 2016, 7:07:01 AM7/22/16
to jenkinsc...@googlegroups.com

emma@talwyn.nl (JIRA)

Jul 22, 2016, 7:24:02 AM7/22/16
to jenkinsc...@googlegroups.com
Emma Laurijssens commented on Improvement JENKINS-33021
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

Couldn't find a similar issue when I created this one, but apparently it did exist.

jjm@usebox.net (JIRA)

Aug 25, 2016, 10:17:02 AM8/25/16
to jenkinsc...@googlegroups.com

Having this same issue in Jenkins 2.x and SSH plugin 1.11.

Our problem is the key exchange when checking out SVN repos.

yanick@darkmail.me (JIRA)

Sep 27, 2016, 2:33:06 PM9/27/16
to jenkinsc...@googlegroups.com

Has anyone found a working solution to this issue that doesn't involve changing accepted ciphers on the slaves?

o.v.nenashev@gmail.com (JIRA)

Sep 27, 2016, 2:44:04 PM9/27/16
to jenkinsc...@googlegroups.com
Oleg Nenashev assigned an issue to Unassigned
 
Change By: Oleg Nenashev
Assignee: Kohsuke Kawaguchi

o.v.nenashev@gmail.com (JIRA)

Sep 27, 2016, 2:45:03 PM9/27/16
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Improvement JENKINS-33021
 
Re: trilead ssh MAC and key exchange algorithms severely outdated

From what I see, "no". Kohsuke was just a default assignee, but he rarely works on plugins now. Removed the assignee.

stephenconnolly@java.net (JIRA)

Oct 3, 2016, 12:09:03 PM10/3/16
to jenkinsc...@googlegroups.com

rsandell@cloudbees.com (JIRA)

Feb 16, 2017, 6:17:02 AM2/16/17
to jenkinsc...@googlegroups.com