Environment: Jenkins 1.638; SSH Credentials Plugin 1.11; CentOS 7.1.1503; openjdk 1.8
master cannot connect to slave
This is related to JENKINS-26379, but the comments in that ticket only hint at the issue which, to wit, is:
Here are the available MAC choices:
The selection considerations:
Security of the hash algorithm: No MD5 and SHA1. Yes, I know that HMAC-SHA1 does not need collision resistance but why wait? Disable weak crypto today.
Encrypt-then-MAC: I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail. Since there are no downgrade attacks, you can add them to the end of the list. You can also do this on a host by host basis so you know which ones are less safe.
Tag size: At least 128 bits. This eliminates umac-64-etm.
Key size: At least 128 bits. This doesn't eliminate anything at this point.
Recommended /etc/ssh/sshd_config snippet:
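Added example, not part of the original ticket and not the snippet referred to above: the selection considerations applied mechanically to a MAC list, followed by a check of whether a client can still negotiate a MAC with the hardened server. `SAMPLE_MACS` and `LEGACY_CLIENT` are constructed inputs, and the function names are hypothetical.

```python
# Added example. SAMPLE_MACS is constructed, in the format `ssh -Q mac` prints.
SAMPLE_MACS = (
    "hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 "
    "umac-64@openssh.com umac-128@openssh.com "
    "hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com "
    "hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com "
    "hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com "
    "umac-64-etm@openssh.com umac-128-etm@openssh.com"
).split()
# Hypothetical client that only implements MD5/SHA1 MACs (constructed).
LEGACY_CLIENT = ["hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"]
FULL_TAG_BITS = {"md5": 128, "sha1": 160, "sha2-256": 256, "sha2-512": 512}

def describe(name):
    """Return (hash_family, tag_bits, is_etm), or None if the name is unknown."""
    base = name.split("@")[0]
    etm = base.endswith("-etm")
    if etm:
        base = base[:-len("-etm")]
    kind, _, algo = base.partition("-")
    if kind == "umac" and algo in ("64", "128"):
        return ("umac", int(algo), etm)
    truncated = algo.endswith("-96")      # e.g. hmac-sha1-96: tag cut to 96 bits
    if truncated:
        algo = algo[:-len("-96")]
    if kind != "hmac" or algo not in FULL_TAG_BITS:
        return None
    return (algo, 96 if truncated else FULL_TAG_BITS[algo], etm)

def select(macs):
    """Apply the criteria: no MD5/SHA1, tag >= 128 bits, EtM first, rest last."""
    etm_first, others = [], []
    for name in macs:
        info = describe(name)
        if info is None or info[0] in ("md5", "sha1") or info[1] < 128:
            continue                      # unknown names are dropped, not guessed
        (etm_first if info[2] else others).append(name)
    return etm_first + others

def negotiate(client_macs, server_macs):
    """RFC 4253: first name on the client's list that the server also offers."""
    return next((m for m in client_macs if m in server_macs), None)

if __name__ == "__main__":
    allowed = select(SAMPLE_MACS)
    print("MACs " + ",".join(allowed))
    print("legacy client negotiates:", negotiate(LEGACY_CLIENT, allowed))
```

A `None` result from `negotiate` means the two sides share no MAC, so the SSH handshake fails before authentication.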