JENKINS-58910

[security] ssh slave hardening - ssh slave weak Key Exchange Algorithms/Message Authentication Codes

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: ssh-slaves-plugin
    • Labels:
      None
    • Environment:
      linux/centos7

      Description

      I am trying to do ssh hardening on jenkins server and slave following https://www.sshaudit.com/ recommendations (https://www.sshaudit.com/hardening_guides.html#rhel7)

      But as soon as the ssh hardening is enabled on the slave, jenkins can no longer connect to the slave.

      [05/02/18 15:26:59] [SSH] Opening SSH connection to <IP>
      Key exchange was not finished, connection is closed.
      java.io.IOException: There was a problem while connecting to <IP>:22
      at com.trilead.ssh2.Connection.connect(Connection.java:818)
      at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1324)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:831)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:820)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
      at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
      at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
      at com.trilead.ssh2.Connection.connect(Connection.java:770)
      ... 7 more
      Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
      at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:405)
      at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
      at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
      ... 1 more
      [05/02/18 15:26:59] Launch failed - cleaning up connection

      The error and the "workaround" are described here:

      I am able to keep the hardening "on" only if I change the plugin to use the ssh command line, but now I need to maintain the remoting.jar manually:
      'cd /var/lib/jenkins && java -jar remoting.jar -workDir /var/lib/jenkins'

      I am not sure if this is a limitation in the library used to do ssh, or if this can simply be fixed via the Java security configuration on the main Jenkins server?

      Have you guys tried hardening the server/slave?

      Any recommendations?
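      "Cannot negotiate, proposals do not match" is the SSH transport layer finding no common algorithm in at least one category (key exchange, cipher or MAC) after the slave's sshd was restricted. The following added example is not Jenkins or trilead-ssh2 code: it implements the RFC 4253 negotiation rule and reports which categories have no overlap, using constructed stand-in lists for a hardened server and a legacy client library rather than the real sshd or trilead proposals.

```python
"""RFC 4253 algorithm negotiation, illustrating why a hardened sshd can make an
older SSH client library fail with "proposals do not match".
Added example, not Jenkins or trilead-ssh2 code; both algorithm lists below are
constructed stand-ins, not the real configuration of either side."""

# Constructed stand-in for an ssh-audit style hardened sshd: modern KEX, AEAD/CTR
# ciphers and encrypt-then-MAC MACs only.
HARDENED_SERVER = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
               "aes256-ctr"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}

# Constructed stand-in for an older client library that only offers SHA-1 based
# key exchange and plain (non-ETM) MACs.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}


def choose(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also offers wins; the client's order decides. None means no match."""
    return next((alg for alg in client_list if alg in server_list), None)


def negotiate(client, server):
    """Run the choice for every category (direction-specific cipher/MAC lists are
    collapsed into one for brevity). A None in any category means key exchange
    cannot finish and the transport closes the connection."""
    return {cat: choose(client[cat], server.get(cat, [])) for cat in client}


def mismatches(client, server):
    """Categories that trigger 'proposals do not match', with both sides' offers."""
    return {cat: (client[cat], server.get(cat, []))
            for cat, chosen in negotiate(client, server).items() if chosen is None}


if __name__ == "__main__":
    for cat, (offered, accepted) in mismatches(LEGACY_CLIENT, HARDENED_SERVER).items():
        print(f"{cat}: client offers {offered}; server accepts {accepted}")
```

      Fixing either side (extending the client's lists or re-adding one shared algorithm per category on the server) turns every None back into a chosen algorithm, which is the trade-off behind the reporter's ssh command-line workaround.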

          Activity

          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          Please read How to report an issue; for questions you should use the Google Groups. Also, you do not provide the Jenkins core version or ssh-slaves version number you are using, nor the encryption settings you are using. However, I guess you are using ed25519, which is supported in the latest versions of the Jenkins core (trilead-ssh2 module on jenkins-2.189); see https://issues.jenkins-ci.org/browse/JENKINS-55133 and https://github.com/jenkinsci/jenkins/pull/3827


            People

            • Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            • Reporter: dany alain (dany)
            • Votes: 0
            • Watchers: 3