
SSH pipeline seems not compatible with OpenSSH 8.8

Issue description and hints

Trying to implement this Jenkins plugin, to connect to my local VM from Jenkins (installed through docker / DIND)

The local VM is running under Fedora 36 Linux, and here are the ssh / ssl versions there:

    ssh -v localhost
    OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022

It systematically returns an exception like this one:

    Started by user
    Replayed #9
    [Pipeline] Start of Pipeline
    [Pipeline] node
    Running on Jenkins in /var/jenkins_home/workspace/ssh smoke test
    [Pipeline] {
    [Pipeline] withCredentials
    Masking supported pattern matches of $identity
    [Pipeline] {
    [Pipeline] echo
    using userroot
    [Pipeline] stage
    [Pipeline] { (SSH Steps Rocks!)
    [Pipeline] writeFile
    [Pipeline] sshCommand
    Executing command on localhost[10.0.2.15]: for i in {1..5}; do echo -n "Loop $i "; date ; sleep 1; done sudo: false
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    com.jcraft.jsch.JSchException: Auth fail
        at com.jcraft.jsch.Session.connect(Session.java:519)
        at com.jcraft.jsch.Session.connect(Session.java:183)
        at com.jcraft.jsch.Session$connect$1.call(Unknown Source)
        at org.hidetake.groovy.ssh.connection.ConnectionManager.connectInternal(ConnectionManager.groovy:107)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
        at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)

The SSHD server logs this error in its output:

    oct. 31 16:23:31 fedora sshd[35506]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
    oct. 31 16:23:31 fedora sshd[35506]: error: Received disconnect from 172.18.0.2 port 35440:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

More info on this topic:

As explained in the https://www.openssh.com/txt/release-8.8 note, the PubkeyAcceptedAlgorithms ssh-rsa is now deprecated, and it matches the error log above.

I also found a ticket issue https://github.com/int128/groovy-ssh/issues/292 which explains that the Jenkins plugin relies on the groovy-ssh solution, which in turn relies on https://sourceforge.net/projects/jsch/ which is not maintained, and proposes that the developers use an alternative solution that has been developed to comply with OpenSSH 8.8.

By the way, https://github.com/int128/groovy-ssh has had no commits since March 2019, so I am afraid that it is not maintained either.

There are some more details about this OpenSSH SHA-1 RSA scheme deprecation here.

Proposed workaround

It is possible to run ssh commands directly, the drawback being that it is required to specify explicitly the command to run:

    def remote = [:]
    remote.name = "localhost"
    remote.host = "10.0.2.15"
    remote.allowAnyHosts = true

    node {
        // Bind the stored SSH key to a temporary key file (identity) and its user name (userName)
        withCredentials([sshUserPrivateKey(credentialsId: 'sshUser', keyFileVariable: 'identity', passphraseVariable: '', usernameVariable: 'userName')]) {
            remote.user = userName
            remote.identityFile = identity
            stage("Scan with InSpec") {
                // Single-quoted Groovy string: the shell, not Groovy, expands the variables,
                // so the credential values are not interpolated into the script text.
                // The expansions are double-quoted because the key file path may contain spaces.
                sh ('''
                    HOST_IP="10.0.2.15"
                    ssh -i "${identity}" "${userName}@${HOST_IP}" 'inspec exec /home/laurent/lfs262_formation/linux-baseline'
                ''')
            }
        }
    }
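
One way to find which clients are hit by the `PubkeyAcceptedAlgorithms` rejection quoted in the post, as an added example that is not part of the original post or of any project it mentions. The rejection line carries no client address, so the script joins it to other lines from the same sshd PID. It assumes the log line layout shown in the post and does not handle PID reuse; sample lines after the first two are constructed.

```python
import re
from collections import Counter

# Constructed sample. The first two lines are the sshd lines quoted in the post;
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
oct. 31 16:23:31 fedora sshd[35506]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:23:31 fedora sshd[35506]: error: Received disconnect from 172.18.0.2 port 35440:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
oct. 31 16:25:02 fedora sshd[35611]: Accepted publickey for laurent from 10.0.2.2 port 51234 ssh2: ED25519 SHA256:CONSTRUCTED
oct. 31 16:26:10 fedora sshd[35702]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:26:10 fedora sshd[35702]: Connection closed by authenticating user root 172.18.0.2 port 35502 [preauth]
oct. 31 16:27:00 fedora sshd[35800]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
"""

SSHD_LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
REJECTED = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAcceptedAlgorithms")
PEER = re.compile(r"(\S+) port \d+")


def rejected_key_clients(log_text):
    """Count rejected public-key algorithms per client address.

    The rejection line has no address, so it is joined to any other line
    logged by the same sshd process (same PID) that names the peer.
    """
    peer_by_pid = {}  # sshd PID -> first client address seen for that session
    rejections = []   # (PID, rejected key type), in log order
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        pid, message = m.groups()
        rejected = REJECTED.search(message)
        if rejected:
            rejections.append((pid, rejected.group(1)))
            continue
        peer = PEER.search(message)
        if peer:
            peer_by_pid.setdefault(pid, peer.group(1))
    # Sessions with no address line in the excerpt are reported as "unknown".
    return Counter((peer_by_pid.get(pid, "unknown"), key_type)
                   for pid, key_type in rejections)


if __name__ == "__main__":
    for (peer, key_type), count in rejected_key_clients(SAMPLE_LOG).most_common():
        print(f"{peer}\t{key_type}\t{count}")
```

Run against a real journal export, the per-address counts show which automation hosts still offer `ssh-rsa` signatures and need a client or key change.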
