too old sshd version for actual Jenkins LTS usage

[waffel]

The used version of the Apache sshd service 1.0.0 seems to be too old to use GitBlit with the latest Jenkins LTS version 2.60.2.

The issue is reported to Jenkins too: https://issues.jenkins-ci.org/browse/JENKINS-45769

A simple "replacement" of the sshd jar files seems to not work because of resulting ClassNotFoundExceptions.

Possible a new version of gitblit can provide a actual sshd version 1.6.0 from the apache project to solve this problem.

We have seen this problem with gitblit 1.8.0 running under a recent JDK8 in a tomcat 8 container as WAR application.

A "native" git implementation still works ... only the new trilead java implementation seems to require a more recent ssh key negotiation.

[j123b567]

Did you try to simply generate new pair of keys using e.g. rsa? You are using legacy DSA/ssh-dss algorithm which is not supported in recent SSH implementations and will not be supported in the future by much more software. This seems not to be a bug of jenkins nor gitblit but security feature of recent SSH implementations.

[rpardini]

#1272 fixes this.

[flaix]

Is this a persisting problem? I have Jenkins 1.121.2 running, and I have a freestyle project clongin with a RSA SSH key from the current Gitblit without problems.

[waffel]

Please close this issue. It seems to be fixed.

[rpardini]

@waffel fixed where? #1272 (disclosure: my patch) is the only known way to fix this. There have been no commits to this gitblit repo since 2017. Wonder where you got the idea this was fixed, I'd love to get back to pristine upstream.

[flaix]

I also think that this particular problem mentioned in the Jenkins issue would be fixed by creating a ssh-rsa key for the GitBlit server. I wonder why none was created by GitBlit.
The SSHD update is part of the next version, albeit only to 1.2.0.