  1. Jenkins
  2. JENKINS-58910

[security] ssh slave hardening - ssh slave weak Key Exchange Algorithms/Message Authentication Codes


    • Improvement
    • Resolution: Fixed
    • Major
    • ssh-slaves-plugin
    • None
    • linux/centos7

      I am trying to do SSH hardening on the Jenkins server and slave, following the https://www.sshaudit.com/ recommendations (https://www.sshaudit.com/hardening_guides.html#rhel7).

      But as soon as the SSH hardening is enabled on the slave, Jenkins can no longer connect to the slave.

      [05/02/18 15:26:59] [SSH] Opening SSH connection to <IP>
      Key exchange was not finished, connection is closed.
      java.io.IOException: There was a problem while connecting to <IP>:22
      at com.trilead.ssh2.Connection.connect(Connection.java:818)
      at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1324)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:831)
      at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:820)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
      at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:93)
      at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:230)
      at com.trilead.ssh2.Connection.connect(Connection.java:770)
      ... 7 more
      Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
      at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:405)
      at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:777)
      at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:489)
      ... 1 more
      [05/02/18 15:26:59] Launch failed - cleaning up connection

      The error and the "workaround" are described here:

      I am able to keep the hardening "on" only if I change the plugin to use the ssh command line, but now I need to manually maintain the remoting.jar:
      'cd /var/lib/jenkins && java -jar remoting.jar -workDir /var/lib/jenkins'

      I am not sure if this is a limitation in the library used to do SSH or if this can simply be fixed via Java security configuration on the main Jenkins server?

      Have you guys tried hardening of server/slave?

      Any recommendations?

            ifernandezcalvo Ivan Fernandez Calvo
            dany dany alain
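
Added example (not part of the original issue and not code from the ssh-slaves plugin): a small check that shows which SSH algorithm category produces "Cannot negotiate, proposals do not match" by intersecting a client's proposal with the lists a hardened agent reports via `sshd -T`. The `sshd -T` excerpt and the client proposal below are constructed sample values, not the actual lists of the hardening guide or of the Trilead library.

```python
# Categories compared here; the keywords match the lowercase names printed by `sshd -T`.
CATEGORIES = ("kexalgorithms", "ciphers", "macs")

# Constructed sample: relevant lines of `sshd -T` output on a hardened agent.
SSHD_T = """\
port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Constructed client proposal (hypothetical older Java SSH client), in preference order.
CLIENT = {
    "kexalgorithms": ["diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "ciphers": ["aes256-ctr", "aes128-ctr", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-sha1-96", "hmac-sha1", "hmac-md5"],
}

# AEAD ciphers carry their own integrity tag, so no separate MAC is negotiated.
AEAD = {"chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com",
        "aes256-gcm@openssh.com"}

def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the compared categories."""
    server = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in CATEGORIES:
            server[key.lower()] = [a for a in value.strip().split(",") if a]
    return server

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client-preferred name the server also lists."""
    result = {}
    for cat in CATEGORIES:
        offered = set(server.get(cat, []))
        result[cat] = next((a for a in client.get(cat, []) if a in offered), None)
    if result["ciphers"] in AEAD:
        result["macs"] = "<implicit>"
    return result

def failing_categories(client, server):
    """Categories with no common algorithm; any entry here aborts the key exchange."""
    return [cat for cat, alg in negotiate(client, server).items() if alg is None]

if __name__ == "__main__":
    print("no common algorithm in:", failing_categories(CLIENT, parse_sshd_t(SSHD_T)))
```

On a real agent, feed the function the output of `sshd -T` and the algorithm list of the client actually in use.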