There is work in progress to bump the version of the library and convert the sshd-module into a plugin to resolve this kind of issue quickly. For the moment you can configure your sshd servers on the Agents side not to allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.

https://github.com/jenkinsci/sshd-module/pull/37
https://github.com/jenkinsci/sshd-module/pull/38

On Tue, 9 Feb 2021 at 17:19, [email protected] (<[email protected]>) wrote:

> I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report. I don't get exactly what I need to do in order to fix this. Can someone lay it out for me please? Thanks - Eric
>
> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 [email protected] wrote:
>
>> I was wrong, you cannot configure the ciphers for the ssh server in the Java security files. The SSH server on Jenkins uses https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of the ssh server does not read the sshd_config files, so it is not possible to configure the ssh server. Apache MINA has deprecated and disabled those algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and CLI are using 1.7.0 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess both should bump the dependency to remove support for weak algorithms.
>>
>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2, [email protected] wrote:
>>
>>> I think I found the solution to this:
>>>
>>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>>
>>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [email protected] wrote:
>>>
>>>> I'm confused. It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system. We're getting flagged for:
>>>>
>>>> hmac-md5
>>>> hmac-md5-96
>>>> hmac-sha1-96
>>>>
>>>> Settings are:
>>>>
>>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>>>>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>>
>>>> Am I missing this? Not a java security expert by any means... Thanks!
>>>>
>>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [email protected] wrote:
>>>>
>>>>> Yes, to configure the ciphers accepted by your JDK edit the file lib\security\java.security (the path will vary based on your Java version)
>>>>>
>>>>> On Monday, 24 August 2020 at 16:48:22 UTC+2, [email protected] wrote:
>>>>>
>>>>>> Hi all! I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:
>>>>>>
>>>>>> hmac-md5
>>>>>> hmac-md5-96
>>>>>> hmac-sha1-96
>>>>>>
>>>>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>>>>
>>>>>> Thanks,
>>>>>> Eric

--
Regards,
Iván Fernández Calvo
https://www.linkedin.com/in/iv%C3%A1n-fern%C3%A1ndez-calvo-21425033
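The thread turns on whether the Jenkins SSH server really offers the three MACs the scanner reports, something java.security cannot answer because the embedded MINA server does not consult it. The check below is an added example, not code from the thread, from Jenkins or from the sshd-module: it reads the server's SSH_MSG_KEXINIT (RFC 4253) and reports any offered MAC on the flagged list. The host, port and sample packet are constructed assumptions.

```python
import socket
import struct
SSH_MSG_KEXINIT = 20
# The three MACs flagged by the scanner in the thread above.
WEAK_MACS = frozenset({"hmac-md5", "hmac-md5-96", "hmac-sha1-96"})
# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(packet: bytes) -> dict:
    """Parse an unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos, fields = 17, {}  # skip message id (1 byte) and cookie (16 bytes)
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + n
    return fields

def weak_macs_offered(fields: dict, weak=WEAK_MACS) -> set:
    """MACs the server offers in either direction that are on the weak list."""
    return (set(fields["mac_c2s"]) | set(fields["mac_s2c"])) & weak

def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT packet; used only to construct offline sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie: sample only
    for name in KEXINIT_FIELDS:
        item = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(item)) + item
    payload += b"\x00" * 5  # first_kex_packet_follows = FALSE, reserved uint32
    pad_len = 8 - (5 + len(payload)) % 8
    pad_len += 8 if pad_len < 4 else 0  # RFC 4253 requires >= 4 padding bytes
    header = struct.pack(">IB", 1 + len(payload) + pad_len, pad_len)
    return header + payload + b"\x00" * pad_len

def fetch_server_kexinit(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Exchange identification strings with a live server; return its first packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = stream.readline()
        header = stream.read(5)  # uint32 packet_length + byte padding_length
        return header + stream.read(struct.unpack(">I", header[:4])[0] - 1)
```

Against a live instance, call `weak_macs_offered(parse_kexinit(fetch_server_kexinit(host, port)))` with the host and the port the Jenkins CLI SSH server listens on; an empty set means none of the flagged MACs are offered, which is the state to expect once the dependency bump lands.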
