
SSH pipeline seems not compatible with OpenSSH 8.8

Issue description and hints

Trying to implement this Jenkins plugin, to connect to my local VM from Jenkins (installed through docker / DIND)

The local VM is running under Fedora 36 Linux, and here are the ssh / ssl versions there:

ssh -v localhost
OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022

It systematically returns an exception like this one:

Started by user 
Replayed #9
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/jenkins_home/workspace/ssh smoke test
[Pipeline] {
[Pipeline] withCredentials
Masking supported pattern matches of $identity
[Pipeline] {
[Pipeline] echo
using userroot
[Pipeline] stage
[Pipeline] { (SSH Steps Rocks!)
[Pipeline] writeFile
[Pipeline] sshCommand
Executing command on localhost[10.0.2.15]: for i in {1..5}; do echo -n "Loop $i "; date ; sleep 1; done sudo: false
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at com.jcraft.jsch.Session$connect$1.call(Unknown Source)
    at org.hidetake.groovy.ssh.connection.ConnectionManager.connectInternal(ConnectionManager.groovy:107)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
    at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)

The SSHD server logs this error in output:

oct. 31 16:23:31 fedora sshd[35506]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:23:31 fedora sshd[35506]: error: Received disconnect from 172.18.0.2 port 35440:3: com.jcraft.jsch.JSchException: Auth fail [preauth]

More info on this topic:

As explained in the https://www.openssh.com/txt/release-8.8 note, the PubkeyAcceptedAlgorithms ssh-rsa is now deprecated, and it matches the error log above.

I also found a ticket issue https://github.com/int128/groovy-ssh/issues/292 which explains that the Jenkins plugin relies on the groovy-ssh solution, which in turn relies on https://sourceforge.net/projects/jsch/ which is not maintained, and proposes that the developers use an alternative solution that has been developed to comply with OpenSSH 8.8.

By the way, https://github.com/int128/groovy-ssh has had no commits since March 2019, so I am afraid that it is not maintained either.

There are some more details about this OpenSSH SHA-1 RSA scheme deprecation here.

Proposed workaround

It is possible to run ssh commands directly, the drawback being that it is required to specify explicitly the command to run:

def remote = [:]
remote.name = "localhost"
remote.host = "10.0.2.15"
remote.allowAnyHosts = true

node {
    withCredentials([sshUserPrivateKey(credentialsId: 'sshUser', keyFileVariable: 'identity', passphraseVariable: '', usernameVariable: 'userName')]) {
        remote.user = userName
        remote.identityFile = identity
        stage("Scan with InSpec") {
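            // Single-quoted Groovy string: the shell, not Groovy, expands $identity and $userName
            sh ('''
                HOST_IP="10.0.2.15"
                # Quote the expansions: the temporary key file path may contain spaces
                ssh -i "${identity}" "${userName}@${HOST_IP}" 'inspec exec /home/laurent/lfs262_formation/linux-baseline'
            ''')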
        }
    }
}
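
To confirm this diagnosis across a whole sshd log and see which clients are affected, the following added example (not part of the original post, nor code from any project it mentions) correlates the rejection message with the peer address logged under the same sshd PID. The first two sample lines are the ones quoted above; the remaining lines are constructed, and the function name is hypothetical.

```python
import re
from collections import Counter

# sshd journal line: "<timestamp> <host> sshd[<pid>]: <message>"
LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message sshd logs when the client offers a key algorithm it no longer accepts.
REJECT = re.compile(r"userauth_pubkey: key type (?P<alg>\S+) not in PubkeyAcceptedAlgorithms")
# Any message naming the peer, e.g. "... from 172.18.0.2 port 35440:3: ...".
PEER = re.compile(r"(?P<ip>\S+) port \d+")

# Lines 1-2 are quoted from the post; lines 3-6 are constructed sample data.
SAMPLE_LOG = """\
oct. 31 16:23:31 fedora sshd[35506]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:23:31 fedora sshd[35506]: error: Received disconnect from 172.18.0.2 port 35440:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
oct. 31 16:25:02 fedora sshd[35611]: Accepted publickey for root from 192.0.2.20 port 51000 ssh2: ED25519 SHA256:CONSTRUCTED
oct. 31 16:26:40 fedora sshd[35702]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
oct. 31 16:26:40 fedora sshd[35702]: Connection closed by authenticating user root 172.18.0.2 port 35502 [preauth]
oct. 31 16:27:00 fedora sshd[35750]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
""".splitlines()


def rejected_key_algorithms(lines):
    """Return Counter {(peer_ip, algorithm): count} of pubkey offers sshd refused."""
    rejected = []      # (pid, algorithm) per refusal, in log order
    peer_by_pid = {}   # pid -> peer address; assumes no PID reuse within the log window
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        r = REJECT.search(msg)
        if r:
            rejected.append((pid, r["alg"]))
            continue
        p = PEER.search(msg)
        if p:
            peer_by_pid.setdefault(pid, p["ip"])
    # A refusal whose session never logged a peer address is reported as "unknown".
    return Counter((peer_by_pid.get(pid, "unknown"), alg) for pid, alg in rejected)


if __name__ == "__main__":
    for (ip, alg), n in rejected_key_algorithms(SAMPLE_LOG).items():
        print(f"{ip}: {n} refused offer(s) of {alg}")
```
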
