[JENKINS-43979] Fix OpenSSH dropping connections with SHA512 enabled #20

Merged
merged 1 commit into from May 4, 2017

@mc1arke
Member

commented May 2, 2017

Older versions of OpenSSH (verified against OpenSSH_5.9) do not correctly expand the key, so drop the connection with a message similar to `fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]`. This change forces Trilead to generate a key at least 2048 bits in length to overcome this key expansion issue.
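
An added example, not part of the pull request or of Trilead's code: a log triage script for the failure described in the comment above. It scans sshd syslog output for the `dh_gen_key: group too small` fatal and ties each drop to the connecting client through the sshd PID. The log lines are constructed, and the syslog layout, the presence of `Connection from` lines (LogLevel VERBOSE) and the shared PID are assumptions.

```python
import re
from collections import Counter

# Constructed sshd syslog lines (not from the pull request). Assumes
# LogLevel VERBOSE, so "Connection from" lines exist, and that both
# lines of one connection carry the same sshd PID.
SAMPLE_LOG = """\
May  2 10:15:01 agent1 sshd[4211]: Connection from 192.0.2.10 port 51544
May  2 10:15:01 agent1 sshd[4211]: fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
May  2 10:16:40 agent1 sshd[4250]: Connection from 192.0.2.11 port 40122
May  2 10:16:41 agent1 sshd[4250]: Accepted publickey for jenkins from 192.0.2.11 port 40122 ssh2
May  2 10:20:05 agent1 sshd[4302]: Connection from 192.0.2.10 port 51620
May  2 10:20:05 agent1 sshd[4302]: fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
May  2 10:31:12 agent1 sshd[4399]: fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
"""

SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<ip>\S+) port \d+")
FATAL_RE = re.compile(
    r"fatal: dh_gen_key: group too small: (?P<group>\d+) \(2\*need (?P<need2>\d+)\)"
)


def find_dh_drops(log_text):
    """Return one record per dropped key exchange, with the client address."""
    peer_by_pid = {}
    drops = []
    for line in log_text.splitlines():
        entry = SSHD_RE.search(line)
        if not entry:
            continue  # not an sshd line
        pid, msg = entry.group("pid"), entry.group("msg")
        conn = CONN_RE.match(msg)
        if conn:
            peer_by_pid[pid] = conn.group("ip")
            continue
        fatal = FATAL_RE.match(msg)
        if fatal:
            drops.append({
                # "unknown" when no connection line was logged for this PID
                "client": peer_by_pid.pop(pid, "unknown"),
                "group_bits": int(fatal.group("group")),
                "twice_need_bits": int(fatal.group("need2")),
            })
    return drops


def drops_per_client(drops):
    """Count drops per (client, offered group size) to show which clients are affected."""
    return Counter((d["client"], d["group_bits"]) for d in drops)
```
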

@paladox

Contributor

commented May 2, 2017

Tested and approving; by that I mean it doesn't break Debian jessie.

@paladox

paladox approved these changes May 2, 2017

@mc1arke mc1arke changed the title [JENKINS-43979] Fix OpenSSH 5 dropping connections with SHA512 enabled [JENKINS-43979] Fix OpenSSH dropping connections with SHA512 enabled May 3, 2017

@mc1arke

Member Author

commented May 3, 2017

@MarkEWaite are you able to test if this fixes your issue with your Debian7 connection? This fixed Ubuntu 12 and RHEL 5 for me, but I'd like someone else to check against their setup. This doesn't fix any previously working verifiers that now detect a mismatch with no exception (this requires a different change in ssh-slaves-plugin), only the verifiers that throw an exception somewhere in `Cipher*Stream` about not being able to read a full block.

@jenkinsci/code-reviewers I'd also be interested in as many other people as possible who can review/test this, please, as it's caused issues for people who have upgraded to the latest Jenkins core and who seem to have SSH agents running older versions of SSH which don't perform key expansion correctly.

@oleg-nenashev
Member

left a comment

Looks good to me after some googling. Will try to do some testing today.

@paladox

Contributor

commented May 4, 2017

@daniel-beck

Member

commented May 4, 2017

@mc1arke Could we try to get this and #21 into 2.59?

@oleg-nenashev

Member

commented May 4, 2017

@mc1arke

Member Author

commented May 4, 2017

@daniel-beck I'll merge these, release Trilead and raise a PR against core tonight. I'll also need to raise a separate PR against ssh-slaves to force it to specify the key type to use when wanting to verify the remote host, although this can obviously be done independently of the core release schedule.

@mc1arke mc1arke merged commit 63b2b85 into jenkinsci:master May 4, 2017

1 check passed

Jenkins This pull request looks good

RobberPhex pushed a commit to RobberPhex/trilead-ssh2 that referenced this pull request Feb 22, 2019

Merge pull request jenkinsci#20 from kruton/upstream-eddsa
Use the upstream EdDSAKey representation