Page MenuHomePhabricator
Create Task
Maniphest T100517

Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm
Closed, InvalidPublic
Actions

Description

Upstream bug JENKINS-25412.

Jenkins master could not connect on slaves (T100509). Moritz explanation:

The hardened sshd MAC and KEX setup not being supported by the jsch package which is embedded in the jenkins package. According to the website http://www.jcraft.com/jsch/ the current release supports aes256-ctr as the cipher and diffie-hellman-group-exchange-sha256 as the kex, which would make it
compatible again.

Hence this bug.

Related Objects
Search...

Event Timeline

hashar created this task.May 27 2015, 2:37 PM
hashar raised the priority of this task from to Medium.
hashar updated the task description. (Show Details)
hashar added projects: Continuous-Integration-Infrastructure, acl*sre-team.
hashar added subscribers: gerritbot, MoritzMuehlenhoff, hashar, Aklapper.
hashar added a parent task: T100518: Reenable ssh MAC/KEX hardening on beta cluster and integration labs project.May 27 2015, 2:49 PM
hashar mentioned this in T100509: Jenkins master / client ssh connection fails due to missing ssh algorithm.
hashar edited projects, added Jenkins; removed acl*sre-team.May 27 2015, 2:51 PM
hashar set Security to None.
hashar mentioned this in rOPUP0f0c1dbcc506: Turn off sshd MAC/KEX hardening for Jenkins and Beta.May 27 2015, 2:54 PM
hashar added a comment.May 27 2015, 3:06 PM

The SSH agent plugin depends on https://github.com/jenkinsci/ssh-credentials-plugin which we are running at version 1.11.

The pom.xml lists com.jcraft jsch version 0.1.42. The lib changelog is http://www.jcraft.com/jsch/ChangeLog and:

algojsch version
aes256-ctr0.1.40
diffie-hellman-group-exchange-sha250.1.49

Both made to be defaults with 0.1.51.

scfc subscribed.May 27 2015, 9:17 PM
hashar mentioned this in T100518: Reenable ssh MAC/KEX hardening on beta cluster and integration labs project.Jun 2 2015, 2:24 PM
hashar added a project: Upstream.
hashar moved this task from Untriaged to Externally Blocked on the Continuous-Integration-Infrastructure board.
hashar updated the task description. (Show Details)EditedJun 9 2015, 8:31 PM

The jsch version bump is already requested on JENKINS-25412. I have added a detailed comment.

hashar moved this task from Backlog to Reported upstream on the Jenkins board.Jun 9 2015, 8:48 PM
hashar moved this task from Backlog to Patch proposed upstream on the Upstream board.
hashar moved this task from Reported upstream to Patch available upstream on the Jenkins board.
hashar added a comment.Jun 9 2015, 8:50 PM

Totally untested: https://github.com/jenkinsci/ssh-credentials-plugin/pull/14

hashar closed this task as Invalid.Jun 22 2015, 12:39 PM
hashar claimed this task.
hashar mentioned this in T103342: Backport libjsch-java to Precise.

From the github pull request, jsch is an external dependency. We need to bump libjsch-java on precise-wikimedia. Abandoning this task in favor of T103342: Backport libjsch-java to Precise

hashar mentioned this in T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms.Jun 22 2015, 3:00 PM
hashar moved this task from Externally Blocked to Done on the Continuous-Integration-Infrastructure board.Jun 23 2015, 9:08 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL