Welcome to the Linux Foundation Forum!

Ssh pipeline seem not compatible with OPENSSH 8.8


Issue description and hints

Trying to implement this Jenkins plugin, to connect to my local VM from Jenkins (installed through docker / DIND)

The local VM is running under Fedora 36 Linux, and here is the ssh / ssl versions there :

ssh -v localhost
OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022

It systematically returns an exception like this one :

Started by user 
Replayed #9
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/jenkins_home/workspace/ssh smoke test
[Pipeline] {
[Pipeline] withCredentials
Masking supported pattern matches of $identity
[Pipeline] {
[Pipeline] echo
using userroot
[Pipeline] stage
[Pipeline] { (SSH Steps Rocks!)
[Pipeline] writeFile
[Pipeline] sshCommand
Executing command on localhost[]: for i in {1..5}; do echo -n "Loop $i "; date ; sleep 1; done sudo: false
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.jcraft.jsch.Session$connect$1.call(Unknown Source)
    at org.hidetake.groovy.ssh.connection.ConnectionManager.connectInternal(ConnectionManager.groovy:107)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
    at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)

The SSHD server logs this error in output :

oct. 31 16:23:31 fedora sshd[35506]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:23:31 fedora sshd[35506]: error: Received disconnect from port 35440:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

more info on this topic:

As explained in the https://www.openssh.com/txt/release-8.8 note, the PubkeyAcceptedAlgorithms ssh-rsa is now deprecated, and it matchs with the error log above.

I also found a ticket issue https://github.com/int128/groovy-ssh/issues/292 which explains that the Jenkins plugins relies on groovy-ssh solution, which in turn relies on https://sourceforge.net/projects/jsch/ which is not maintained, and propose the developpers to use an alternative solution that has been developped to comply with OpenSSH 8.8

By the way https://github.com/int128/groovy-ssh has not commit since march 2019, so I am afraid that is it not maintained neither

There are some more details about this Open SSH SHA 1 RSA scheme deprecation here.

Proposed workaround

It is possible to run ssh commands directly, the drawback being that it is required to specify explicitly the command to run :

def remote = [:]
remote.name = "localhost"
remote.host = ""
remote.allowAnyHosts = true

node {
    withCredentials([sshUserPrivateKey(credentialsId: 'sshUser', keyFileVariable: 'identity', passphraseVariable: '', usernameVariable: 'userName')]) {
        remote.user = userName
        remote.identityFile = identity
        stage("Scan with InSpec") {
            sh ('''
                ssh -i ${identity} ${userName}@${HOST_IP} 'inspec exec /home/laurent/lfs262_formation/linux-baseline'


Upcoming Training