Page MenuHomePhabricator

Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm
Closed, InvalidPublic


Upstream bug JENKINS-25412.

Jenkins master could not connect on slaves (T100509). Moritz explanation:

The hardened sshd MAC and KEX setup not being supported by the jsch package which is embedded in the jenkins package. According to the website the current release supports aes256-ctr as the cipher and diffie-hellman-group-exchange-sha256 as the kex, which would make it
compatible again.

Hence this bug.

Event Timeline

hashar raised the priority of this task from to Medium.
hashar updated the task description. (Show Details)
hashar set Security to None.

The SSH agent plugin depends on which we are running at version 1.11.

The pom.xml lists com.jcraft jsch version 0.1.42. The lib changelog is and:

algojsch version

Both made to be defaults with 0.1.51.

The jsch version bump is already requested on JENKINS-25412. I have added a detailed comment.

hashar moved this task from Backlog to Patch proposed upstream on the Upstream board.
hashar moved this task from Reported upstream to Patch available upstream on the Jenkins board.
hashar claimed this task.

From the github pull request, jsch is an external dependency. We need to bump libjsch-java on precise-wikimedia. Abandoning this task in favor of T103342: Backport libjsch-java to Precise