Page MenuHomePhabricator
Create Task
Maniphest T100509

Jenkins master / client ssh connection fails due to missing ssh algorithm
Closed, ResolvedPublic
Actions

Description

I restarted Jenkins a few minutes ago due to a Java upgrade. On start up, it is no more establishing SSH connections to the labs Precise/Trusty instances. The only one working are:

  • gallium (prod precise)
  • gallium (prod precise)
  • integration-slave-jessie-1001 (labs jessie)
  • puppet-compiler02.eqiad.wmflabs (labs)

integration-slave-precise-1011 auth.log reports:

fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]
error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

Details

SubjectRepoBranchLines +/-
deployment-prep/integration: stop downgrading sshd MAC and KEXoperations/puppetproduction+0 -9
Reenable sshd MAC/KEX hardening for Jenkins and Betaoperations/puppetproduction+0 -11
Turn off sshd MAC/KEX hardening for Jenkins and Betaoperations/puppetproduction+11 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.May 27 2015, 1:45 PM
hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar added projects: acl*sre-team, Continuous-Integration-Infrastructure.
hashar added subscribers: hashar, MoritzMuehlenhoff.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2015, 1:45 PM
hashar triaged this task as Unbreak Now! priority.May 27 2015, 1:49 PM

Being investigated with @MoritzMuehlenhoff

hashar added a comment.May 27 2015, 1:53 PM

QChris sent a change for Gerrit which is related.

https://gerrit.wikimedia.org/r/#/c/213216/ Turn off sshd MAC and KEX hardening for gerrit replication targets

So seems java doesn't support some algorithms. That got turned off for gallium / lanthanum which explain why they pass. Need to do the same for all of CI :-}

hashar added a comment.May 27 2015, 1:58 PM

Applied on hiera page https://wikitech.wikimedia.org/wiki/Hiera:Integration

"ssh::server::disable_nist_kex": false
"ssh::server::explicit_macs": false

Puppet then change /etc/ssh/sshd_config

-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

That solves the problem. Sending it to operations/puppet.

hashar added a comment.May 27 2015, 2:00 PM

Gerrit had the same issue with T99990

gerritbot subscribed.May 27 2015, 2:03 PM

Change 214055 had a related patch set uploaded (by Hashar):
Turn off sshd MAC and KEX hardening for Jenkins slaves

https://gerrit.wikimedia.org/r/214055

gerritbot added a project: Patch-For-Review.May 27 2015, 2:03 PM
hashar lowered the priority of this task from Unbreak Now! to Medium.May 27 2015, 2:08 PM

Issue is fixed by cherry picked the puppet patch https://gerrit.wikimedia.org/r/214055 . Pending ops review to refine the patch if needed.

hashar mentioned this in T100517: Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm.May 27 2015, 2:37 PM
hashar closed this task as Resolved.May 27 2015, 2:50 PM
hashar claimed this task.

I have filled follow up tasks (T100517 and T100518). Puppet patch is already deployed on integration and beta cluster puppet masters.

All Jenkins slaves are now attached to the Jenkins master. The issue is solved.

gerritbot added a comment.May 27 2015, 2:54 PM

Change 214055 merged by Muehlenhoff:
Turn off sshd MAC/KEX hardening for Jenkins and Beta

https://gerrit.wikimedia.org/r/214055

hashar mentioned this in rOPUP0f0c1dbcc506: Turn off sshd MAC/KEX hardening for Jenkins and Beta.May 27 2015, 2:54 PM
hashar mentioned this in T103342: Backport libjsch-java to Precise.Jun 22 2015, 12:39 PM
hashar closed subtask T100517: Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm as Invalid.
gerritbot added a comment.Jun 22 2015, 2:21 PM

Change 219828 had a related patch set uploaded (by Hashar):
Reenable sshd MAC/KEX hardening for Jenkins and Beta

https://gerrit.wikimedia.org/r/219828

hashar closed subtask T103342: Backport libjsch-java to Precise as Resolved.Jun 22 2015, 2:56 PM
hashar added a subtask: T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms.Jun 22 2015, 3:01 PM
gerritbot added a comment.Jun 22 2015, 3:18 PM

Change 219828 abandoned by Hashar:
Reenable sshd MAC/KEX hardening for Jenkins and Beta

Reason:
Broken for now because of java trilead-ssh2 T103351

https://gerrit.wikimedia.org/r/219828

hashar mentioned this in T112025: Wikimedia Gerrit doesn't work if OpenSSH version is higher than 7.0.Sep 10 2015, 7:53 AM
greg added a project: Essential-Work.Sep 21 2015, 8:53 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptSep 21 2015, 8:53 PM
Dzahn subscribed.Oct 27 2016, 1:12 AM

@hashar do you think this will change on contint1001 with openjdk-7-jdk:amd64 7u111-2.6.7-1~deb8u1 ?

gerritbot added a comment.Oct 27 2016, 1:19 AM

Change 318248 had a related patch set uploaded (by Dzahn):
deployment-prep/integration: stop downgrading sshd MAC and KEX

https://gerrit.wikimedia.org/r/318248

gerritbot added a comment.Oct 27 2016, 6:10 AM

Change 318248 abandoned by Hashar:
deployment-prep/integration: stop downgrading sshd MAC and KEX

Reason:
The issue is in Jenkins itself, not Java :D T100509

https://gerrit.wikimedia.org/r/318248

gerritbot mentioned this in T95757: Phase out gallium.wikimedia.org.Oct 27 2016, 6:10 AM
hashar added a comment.Oct 27 2016, 6:11 AM

@Dzahn the issue is in Jenkins itself which uses an old / apparently unmaintained ssh library: trilead-ssh2 T103351. So we need to keep the rule around.

hashar changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Open to Stalled.Dec 19 2016, 4:08 PM
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Stalled to Open.Jan 10 2017, 10:05 PM
Paladox subscribed.
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Open to Stalled.Jan 11 2017, 12:54 AM
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Stalled to Open.Jan 11 2017, 1:43 AM
hashar closed subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms as Resolved.Oct 11 2017, 7:48 AM
Phabricator_maintenance added a project: RelEng-Archive-FY201718-Q2.Dec 21 2017, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits