I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report. I don't get exactly what I need to do in order to fix this. Can someone lay it out for me please? Thanks - Eric
On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 [email protected] wrote:

> I was wrong, you cannot configure the ciphers for the ssh server on the Java security files. The SSH server on Jenkins uses the https://github.com/apache/mina-sshd , IIRC the Jenkins implementation of the ssh server does not read the sshd_config files so it is not possible to configure the ssh server. Apache mina has deprecated and disabled those algorithms on 2.6.0 https://issues.apache.org/jira/browse/SSHD-1004, the sshd-module and CLI are using 1.7.0 https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77 So I guess both should bump the dependency to remove support for weak algorithms
>
> On Wednesday, August 26, 2020 at 16:06:22 UTC+2, [email protected] wrote:
>
>> I think I found the solution to this:
>>
>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>
>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [email protected] wrote:
>>
>>> I'm confused. It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system. We're getting flagged for:
>>>
>>> hmac-md5
>>> hmac-md5-96
>>> hmac-sha1-96
>>>
>>> Settings are:
>>>
>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>
>>> Am I missing this, not a java security expert by any means... Thanks!
>>>
>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [email protected] wrote:
>>>
>>>> Yes, configuring the ciphers accepted by your JDK edit the file lib\security\java.security (the path will vary based on your Java version)
>>>>
>>>> On Monday, August 24, 2020 at 16:48:22 UTC+2, [email protected] wrote:
>>>>
>>>>> Hi all!
>>>>> I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:
>>>>>
>>>>> hmac-md5
>>>>> hmac-md5-96
>>>>> hmac-sha1-96
>>>>>
>>>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>>>
>>>>> Thanks,
>>>>> Eric
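The thread's conclusion is that java.security does not govern the Jenkins SSH server, so the only way to know whether the port the Jenkins CLI listens on still advertises the flagged MACs (for example after the dependency bump mentioned above) is to look at what the server itself offers. The following is an added example, not code from this thread, from Jenkins or from Apache MINA: it reads the server's SSH_MSG_KEXINIT name-lists and reports which of the three flagged MACs are offered; the host and port are assumed to be your own Jenkins SSH endpoint, and the sample payload is constructed, not captured.

```python
import socket
import struct

# The three MAC algorithms the vulnerability report in this thread flagged.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (message byte, 16-byte cookie, name-lists) into lists."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])  # raises if truncated
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        lists[name] = [a for a in raw.split(",") if a]
        pos += 4 + length
    return lists

def weak_macs_offered(kexinit: dict) -> set:
    """MACs from WEAK_MACS that the server advertises in either direction."""
    return (set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])) & WEAK_MACS

def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload from name-lists; used here only to construct offline samples."""
    out = bytes([20]) + bytes(16)  # message id + all-zero cookie (fine for a sample)
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + bytes(5)  # first_kex_packet_follows (boolean) + reserved uint32

def audit_ssh_server(host: str, port: int, timeout: float = 5.0) -> set:
    """Connect to an SSH port, read the server's KEXINIT, return the weak MACs it offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text before the version
            line = f.readline()
        sock.sendall(b"SSH-2.0-mac_audit\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))  # binary packet header
        payload = f.read(packet_len - 1)[:packet_len - 1 - pad_len]
    return weak_macs_offered(parse_kexinit(payload))

# Constructed sample (not a real Jenkins capture): a server still offering the flagged MACs.
LEGACY = ["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"]
SAMPLE_KEXINIT = build_kexinit(kex=["ecdh-sha2-nistp256"], hostkey=["ssh-rsa"],
                               enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
                               mac_c2s=LEGACY, mac_s2c=LEGACY, comp_c2s=["none"], comp_s2c=["none"])
```

Run `audit_ssh_server("<your-jenkins-host>", <jenkins-ssh-port>)` before and after the upgrade; an empty set means none of the three flagged MACs is advertised any more.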
