I was wrong: you cannot configure the ciphers for the SSH server in the Java security files. The SSH server on Jenkins uses https://github.com/apache/mina-sshd; IIRC the Jenkins implementation of the SSH server does not read the sshd_config files, so it is not possible to configure the SSH server that way. Apache MINA has deprecated and disabled those algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and the CLI are using 1.7.0 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess both should bump the dependency to remove support for weak algorithms.
On Wednesday, August 26, 2020 at 16:06:22 UTC+2, [email protected] wrote:
> I think I found the solution to this:
>
> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>
> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [email protected] wrote:
>
>> I'm confused. It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system. We're getting flagged for:
>>
>> hmac-md5
>> hmac-md5-96
>> hmac-sha1-96
>>
>> Settings are:
>>
>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>
>> Am I missing this? Not a java security expert by any means... Thanks!
>>
>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [email protected] wrote:
>>
>>> Yes, to configure the ciphers accepted by your JDK, edit the file lib\security\java.security (the path will vary based on your Java version).
>>>
>>> On Monday, August 24, 2020 at 16:48:22 UTC+2, [email protected] wrote:
>>>
>>>> Hi all! I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:
>>>>
>>>> hmac-md5
>>>> hmac-md5-96
>>>> hmac-sha1-96
>>>>
>>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>>
>>>> Thanks,
>>>> Eric
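Since the thread concludes that the MAC list cannot be changed through java.security or sshd_config and only a dependency bump removes it, the useful check on the defender's side is to confirm what the Jenkins SSH (CLI) port actually advertises. The following Python probe is an added example, not code from the thread or from Jenkins: it reads the server's SSH_MSG_KEXINIT (RFC 4253) and reports whichever of the three flagged MAC names are still offered. The host, port and the constructed KEXINIT fixture are assumptions.

```python
import socket
import struct

# The three MAC names the scanner in this thread flagged on the Jenkins CLI port.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its name-lists, keyed by FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message type byte and the 16-byte cookie
    for name in FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        pos += 4 + length
        out[name] = [n for n in raw.split(",") if n]
    return out


def weak_macs_offered(kexinit: dict) -> set:
    """Return the flagged MACs the server advertises in either direction."""
    return (set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])) & WEAK_MACS


def build_kexinit(**lists) -> bytes:
    """Construct a KEXINIT payload from name-lists (a test fixture, not real server data)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" * 5  # first_kex_packet_follows (bool) + reserved uint32


def read_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Exchange identification strings and return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:  # the server may send banner lines before its "SSH-2.0-..." line
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-mac_audit\r\n")
        # Before keys are negotiated the packet is plaintext: length, padlen, payload, pad.
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - pad_len - 1)
        f.read(pad_len)
        return parse_kexinit(payload)
```

Run `weak_macs_offered(read_server_kexinit("jenkins.example.internal", 2222))` against your own instance (hostname and port are placeholders) before and after the sshd-module upgrade; an empty set means none of the flagged MACs are advertised any more.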
