AES256-CTR support in Publish over SSH and JSch dependency Plugins

AES256-CTR support in Publish over SSH and JSch dependency Plugins

chief.vitalstatix
The SSH client in the Publish over SSH plugin, which uses the Jsch Dependency plugin, only supports the following ciphers: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
OpenSSH 7.* is disabling CBC modes of the ciphers and also not offering CBC ciphers by default.
https://www.openssh.com/releasenotes.html
 * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST
   ciphers.
 * ssh(1): do not offer CBC ciphers by default.

It now enables the following ciphers by default: aes192-ctr and aes256-ctr. 
What are the plans to support these (aes192-ctr and aes256-ctr) ciphers in these plugins?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/a2cf59e2-afe7-440b-b76b-34005d542826%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: AES256-CTR support in Publish over SSH and JSch dependency Plugins

chief.vitalstatix
Just to add, all products are at their latest versions:
Jenkins: 2.121
JSch dependency plugin 0.1.54.2: Jenkins plugin that brings the JSch library as a plugin dependency, and provides an SSHAuthenticatorFactory for using JSch with the ssh-credentials plugin.
Publish Over SSH 1.19.1: Send build artifacts over SSH

There isn't an issue queue on the plugin developers' GitHub pages, so hoping someone sees it over here.

Thanks!


Re: AES256-CTR support in Publish over SSH and JSch dependency Plugins

chief.vitalstatix
Anyone from the "Publish over SSH" and "JSch dependency" plugins teams that can help with this?

Re: AES256-CTR support in Publish over SSH and JSch dependency Plugins

slide
From looking at the Jsch website (http://www.jcraft.com/jsch/), they show the following in 0.15.4 which is what is used in the Jsch Plugin 0.15.4.2, which is what is used in Publish Over SSH 1.19.1

  • Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256

So, I don't think there is an issue, unless I am missing something.

Re: AES256-CTR support in Publish over SSH and JSch dependency Plugins

chief.vitalstatix
The website says it supports it, but when the Publish Over SSH plugin connects, the sshd log throws the following error:
"fatal: no matching cipher found: client aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc server aes256-ctr"
and the corresponding error on Jenkins is:
"jenkins.plugins.publish_over.BapPublisherException: Failed to connect and initialize SSH connection. Message: [Failed to connect session for config [Config-Name]. Message [Algorithm negotiation fail]]"

If the Jsch plugin supports the new Ciphers, then the config file that the Jsch client uses to exchange Cipher info with the server doesn't seem to be updated.

The native ssh client on the Jenkins (client) works well with the remote server. Not the Jsch ssh client that the Publish Over plugin uses.

Re: AES256-CTR support in Publish over SSH and JSch dependency Plugins

kuisathaverat
Check that your JDK supports the cipher and that it is not disabled. This page, https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider, says the following:

Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files. See Import Limits on Cryptographic Algorithms.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
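
Added example (not part of the original thread, and not code from Jenkins, JSch or either plugin): a stand-alone check, run with the same JDK that runs Jenkins, that takes the sshd log line quoted earlier in the thread and reports whether each cipher the server requires was offered by the client and whether this JVM can initialise it. The class name `SshCipherCheck`, its helper methods, and the mapping of the SSH names `aes128-ctr`/`aes192-ctr`/`aes256-ctr` to the JCE transformation `AES/CTR/NoPadding` are assumptions made for this illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.*;

// Added example; class and method names are illustrative, not from any plugin.
public class SshCipherCheck {
    // sshd log line as quoted in the thread
    static final String LOG = "fatal: no matching cipher found: client "
        + "aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc server aes256-ctr";

    // Key size in bits for the AES-CTR SSH cipher names; other names are not probed.
    static int aesCtrBits(String sshName) {
        switch (sshName) {
            case "aes128-ctr": return 128;
            case "aes192-ctr": return 192;
            case "aes256-ctr": return 256;
            default: return -1;
        }
    }

    // True if this JVM can actually initialise AES/CTR with a key of that size.
    static boolean jvmCanUse(int bits) {
        try {
            Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"),
                   new IvParameterSpec(new byte[16]));
            return true;
        } catch (Exception e) { // e.g. InvalidKeyException under a limited JCE policy
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Split the log line into the client and server cipher lists.
        String[] parts = LOG.split(" client | server ");
        Set<String> client = new LinkedHashSet<>(Arrays.asList(parts[1].split(",")));
        List<String> server = Arrays.asList(parts[2].split(","));
        System.out.println("Max AES key length allowed by JCE policy: "
            + Cipher.getMaxAllowedKeyLength("AES"));
        for (String s : server) {
            int bits = aesCtrBits(s);
            String jvm = bits < 0 ? "not probed" : (jvmCanUse(bits) ? "usable" : "blocked by JVM");
            System.out.println(s + ": offered by client=" + client.contains(s) + ", JVM=" + jvm);
        }
    }
}
```

A reported maximum of 128 means the limited-strength policy described in the Oracle page above is in effect for that JDK.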
