[JENKINS-43979] Fix OpenSSH dropping connections with SHA512 enabled #20

Merged
merged 1 commit into from May 4, 2017

@mc1arke (Member) commented May 2, 2017

Older versions of OpenSSH (verified against OpenSSH_5.9) do not correctly expand the key so drop the connection with a message similar to `fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]`. This change forces Trilead to generate a key at least 2048 bits in length to overcome this key expansion issue.
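
An added example, not part of this pull request or of Trilead: it scans sshd log lines on an agent for the `dh_gen_key: group too small` fatal quoted above and pairs each hit with the client address logged by the same sshd process. The log lines, host names and addresses are constructed, and the `Connection from` lines assume sshd is running at `LogLevel VERBOSE`.

```python
import re

# Constructed sample sshd log lines (hosts, PIDs and addresses are made up).
# Assumption: "Connection from" lines are present, i.e. LogLevel VERBOSE.
SAMPLE_LOG = """\
May  2 10:15:01 agent1 sshd[4321]: Connection from 192.0.2.10 port 51234
May  2 10:15:01 agent1 sshd[4321]: fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
May  2 10:16:40 agent1 sshd[4388]: Connection from 192.0.2.11 port 40022
May  2 10:16:41 agent1 sshd[4388]: Accepted publickey for jenkins from 192.0.2.11 port 40022 ssh2
May  2 10:20:07 agent2 sshd[977]: fatal: dh_gen_key: group too small: 1024 (2*need 1024) [preauth]
""".splitlines()

# Syslog prefix: timestamp, host, sshd[pid], then the message text.
PREFIX = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONNECT = re.compile(r"^Connection from (?P<client>\S+) port \d+")
FAILURE = re.compile(
    r"^fatal: dh_gen_key: group too small: (?P<group>\d+) \(2\*need (?P<need2>\d+)\)")

MIN_BITS = 2048  # the PR forces Trilead to at least this many bits


def find_dh_group_failures(lines):
    """Return one record per dh_gen_key failure, with its client when known."""
    clients = {}   # (host, pid) -> client address seen for that sshd child
    findings = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # not an sshd syslog line
        key = (m["host"], m["pid"])
        if (c := CONNECT.match(m["msg"])):
            clients[key] = c["client"]
        elif (f := FAILURE.match(m["msg"])):
            group = int(f["group"])
            findings.append({
                "host": m["host"],
                "client": clients.get(key, "unknown"),
                "group_bits": group,
                "twice_need": int(f["need2"]),
                "below_minimum": group < MIN_BITS,
            })
    return findings


if __name__ == "__main__":
    for item in find_dh_group_failures(SAMPLE_LOG):
        print(item)
```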

@paladox (Contributor) commented May 2, 2017

Tested and approving; by that I mean it doesn't break Debian Jessie.

paladox approved these changes May 2, 2017
@mc1arke changed the title from "[JENKINS-43979] Fix OpenSSH 5 dropping connections with SHA512 enabled" to "[JENKINS-43979] Fix OpenSSH dropping connections with SHA512 enabled" May 3, 2017
@mc1arke (Member, Author) commented May 3, 2017

@MarkEWaite are you able to test if this fixes your issue with your Debian7 connection? This fixed Ubuntu 12 and RHEL 5 for me, but I'd like someone else to check against their setup. This doesn't fix any previously working verifiers that now detect a mismatch with no exception (this requires a different change in ssh-slaves-plugin), only the verifiers that throw an exception somewhere in Cipher*Stream about not being able to read a full block.

@jenkinsci/code-reviewers I'd also be interested in as many other people as possible who can review/test this, please, as it's caused issues for people who have upgraded to the latest Jenkins core and who seem to have SSH agents running older versions of SSH which don't perform key expansion correctly.

@oleg-nenashev (Member) left a comment

Looks good to me after some googling. Will try to do some testing today.

@paladox (Contributor) commented May 4, 2017

@daniel-beck (Member) commented May 4, 2017

@mc1arke Could we try to get this and #21 into 2.59?

@oleg-nenashev (Member) commented May 4, 2017

@mc1arke (Member, Author) commented May 4, 2017

@daniel-beck I'll merge these, release Trilead and raise a PR against core tonight. I'll also need to raise a separate PR against ssh-slaves to force it to specify the key type to use when wanting to verify the remote host, although this can obviously be done independently of the core release schedule.

@mc1arke mc1arke merged commit 63b2b85 into jenkinsci:master May 4, 2017
1 check passed
robberphex pushed a commit to robberphex/trilead-ssh2 that referenced this issue Feb 22, 2019
Use the upstream EdDSAKey representation