Page MenuHomePhabricator
Create Task
Maniphest T100518

Reenable ssh MAC/KEX hardening on beta cluster and integration labs project
Closed, ResolvedPublic
Actions

Description

Whenever Jenkins supports the new SSH algorithms (TT100517), we want to remove the hiera configuration that disable it. Essentially just revert https://gerrit.wikimedia.org/r/#/c/214055/

Details

SubjectRepoBranchLines +/-
Jenkins now supports our MAC/KEXY algorithms [prod]operations/puppetproduction+0 -6
Reenable sshd MAC/KEX hardening for Jenkins and Betaoperations/puppetproduction+0 -11
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.May 27 2015, 2:48 PM
hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar added projects: Beta-Cluster-Infrastructure, Continuous-Integration-Infrastructure.
hashar subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2015, 2:48 PM
hashar added a subtask: T100517: Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm.May 27 2015, 2:49 PM
hashar mentioned this in T100509: Jenkins master / client ssh connection fails due to missing ssh algorithm.
hashar triaged this task as Medium priority.Jun 2 2015, 2:23 PM
hashar moved this task from Untriaged to Backlog on the Continuous-Integration-Infrastructure board.

Blocked on T100517

hashar moved this task from To Triage to Backlog on the Beta-Cluster-Infrastructure board.Jun 15 2015, 7:30 PM
hashar closed subtask T100517: Jenkins jar should ship with a more recent jsch java lib version to support hardened algorithm as Invalid.Jun 22 2015, 12:40 PM
hashar added a subtask: T103342: Backport libjsch-java to Precise.

Blocked on T103342: Backport libjsch-java to Precise

gerritbot subscribed.Jun 22 2015, 2:21 PM

Change 219828 had a related patch set uploaded (by Hashar):
Reenable sshd MAC/KEX hardening for Jenkins and Beta

https://gerrit.wikimedia.org/r/219828

gerritbot added a project: Patch-For-Review.Jun 22 2015, 2:21 PM
hashar closed subtask T103342: Backport libjsch-java to Precise as Resolved.Jun 22 2015, 2:56 PM
gerritbot added a comment.Jun 22 2015, 3:18 PM

Change 219828 abandoned by Hashar:
Reenable sshd MAC/KEX hardening for Jenkins and Beta

Reason:
Broken for now because of java trilead-ssh2 T103351

https://gerrit.wikimedia.org/r/219828

hashar moved this task from Backlog to Externally Blocked on the Continuous-Integration-Infrastructure board.Oct 6 2015, 11:35 AM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptOct 6 2015, 11:35 AM
hashar changed the task status from Open to Stalled.Oct 6 2015, 11:36 AM
hashar removed a project: Patch-For-Review.
hashar set Security to None.
hashar changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Open to Stalled.Dec 19 2016, 4:08 PM
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Stalled to Open.Jan 10 2017, 10:05 PM
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Open to Stalled.Jan 11 2017, 12:54 AM
Paladox changed the status of subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms from Stalled to Open.Jan 11 2017, 1:43 AM
Paladox changed the task status from Stalled to Open.EditedApr 15 2017, 12:11 PM
Paladox subscribed.

This can now be moved along as trilead has been updated to support this now.

Just need to wait for https://github.com/mc1arke/trilead-api-plugin to be released and for all plugins to be updated.

Paladox added a comment.Apr 29 2017, 11:58 AM

Actually jenkins core has been updated with the new trilead version so this is blocked on T144106

Paladox added a subtask: T168644: Upgrade jenkins to 2.73.1 (new lts release).Jun 22 2017, 3:07 PM
hashar closed subtask T168644: Upgrade jenkins to 2.73.1 (new lts release) as Resolved.Oct 9 2017, 11:49 AM
hashar closed subtask T103351: Jenkins trilead-ssh2 doesn't support our MAC/KEX algorithms as Resolved.Oct 11 2017, 7:48 AM

Done for labs via https://gerrit.wikimedia.org/r/#/c/383120/

And for production: https://gerrit.wikimedia.org/r/#/c/383122/

gerritbot added a comment.Oct 11 2017, 7:50 AM

Change 383122 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] Jenkins now supports our MAC/KEXY algorithms [prod]

https://gerrit.wikimedia.org/r/383122

gerritbot added a project: Patch-For-Review.Oct 11 2017, 7:50 AM
hashar closed this task as Resolved.Oct 11 2017, 7:50 AM
hashar claimed this task.
gerritbot added a comment.Oct 11 2017, 8:01 AM

Change 383122 merged by Muehlenhoff:
[operations/puppet@production] Jenkins now supports our MAC/KEXY algorithms [prod]

https://gerrit.wikimedia.org/r/383122

Phabricator_maintenance added a project: RelEng-Archive-FY201718-Q2.Dec 21 2017, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL