Thanks, guess we'll have to wait. It's not based on what we do, it's just a security scan software. It's not like anyone can get to it anyway, it's inside the wall, but it is what it is. This one will have to become a POAM. Do you have any clue when the fix is coming up? Again, THANKS for all your help!
On Wed, Feb 10, 2021 at 1:25 PM kuisathaverat <[email protected]> wrote:

> I've re-read your first message. You ask for "Jenkins CLI over SSH"; there you cannot do anything until we replace the ssh-module. The module will support those MACs and it is not possible to disable them. However, I doubt that the Jenkins CLI uses those MACs, and you can always use HTTPS.
>
> On Wed, 10 Feb 2021 at 18:28, Eric Fetzer <[email protected]> wrote:
>
>> My MACs line says:
>>
>> MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,[email protected]
>>
>> I believe this is hardened, isn't it?
>>
>> Thanks,
>> Eric
>>
>> On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat <[email protected]> wrote:
>>
>>> hmac-* are Message authentication code algorithms (MACs), so you have to configure your supported Message authentication code algorithms (MACs), for example
>>>
>>> MACs hmac-sha2-256,hmac-sha2-512
>>>
>>> see https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise
>>>
>>> On Wed, 10 Feb 2021 at 17:24, Eric Fetzer (<[email protected]>) wrote:
>>>
>>>> Hmmm, I already hardened by that link: https://www.ssh.com/ssh/sshd_config
>>>>
>>>> My /etc/ssh/sshd_config has:
>>>>
>>>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>>>>
>>>> This is still showing up on my security scan though. Am I missing something?
>>>>
>>>> Thanks,
>>>> Eric
>>>>
>>>> On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat <[email protected]> wrote:
>>>>
>>>>> There is work in progress to bump the version of the library and convert the sshd-module into a plugin to resolve this kind of issue quickly. For the moment you can configure your sshd servers on the Agents side to not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>>>>>
>>>>> https://github.com/jenkinsci/sshd-module/pull/37
>>>>> https://github.com/jenkinsci/sshd-module/pull/38
>>>>>
>>>>> On Tue, 9 Feb 2021 at 17:19, [email protected] (<[email protected]>) wrote:
>>>>>
>>>>>> I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report. I don't get exactly what I need to do in order to fix this. Can someone lay it out for me please? Thanks - Eric
>>>>>>
>>>>>> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 [email protected] wrote:
>>>>>>
>>>>>>> I was wrong, you cannot configure the ciphers for the ssh server in the Java security files. The SSH server on Jenkins uses https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of the ssh server does not read the sshd_config files, so it is not possible to configure the ssh server. Apache mina has deprecated and disabled those algorithms in 2.6.0 https://issues.apache.org/jira/browse/SSHD-1004; the sshd-module and CLI are using 1.7.0 https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77 So I guess both should bump the dependency to remove support for weak algorithms.
>>>>>>>
>>>>>>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2, [email protected] wrote:
>>>>>>>
>>>>>>>> I think I found the solution to this:
>>>>>>>>
>>>>>>>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>>>>>>>
>>>>>>>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 [email protected] wrote:
>>>>>>>>
>>>>>>>>> I'm confused. It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system. We're getting flagged for:
>>>>>>>>>
>>>>>>>>> hmac-md5
>>>>>>>>> hmac-md5-96
>>>>>>>>> hmac-sha1-96
>>>>>>>>>
>>>>>>>>> Settings are:
>>>>>>>>>
>>>>>>>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>>>>>>>>>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>>>>>>>
>>>>>>>>> Am I missing this? Not a java security expert by any means...
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 [email protected] wrote:
>>>>>>>>>
>>>>>>>>>> Yes, to configure the ciphers accepted by your JDK, edit the file lib\security\java.security (the path will vary based on your Java version).
>>>>>>>>>>
>>>>>>>>>> On Monday, 24 August 2020 at 16:48:22 UTC+2, [email protected] wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all! I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers:
>>>>>>>>>>>
>>>>>>>>>>> hmac-md5
>>>>>>>>>>> hmac-md5-96
>>>>>>>>>>> hmac-sha1-96
>>>>>>>>>>>
>>>>>>>>>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Eric
>
> --
> Regards
> Iván Fernández Calvo
> https://www.linkedin.com/in/iv%C3%A1n-fern%C3%A1ndez-calvo-21425033

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAByBicb3-_6g7GsoFxWzkA09uVkCgLi-gX_TvWYt7JHU0z4S9g%40mail.gmail.com.
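The thread's key point is that the Jenkins CLI SSH port is served by Apache MINA SSHD, which ignores /etc/ssh/sshd_config and java.security, so the reliable check is to ask the listening service what it actually offers, exactly as the scanner does. The following added example (not code from the thread, from Jenkins or from MINA) parses the SSH_MSG_KEXINIT a server sends before any authentication and reports the MACs named in the scan finding; the sample payload is constructed, and the host and port passed to `probe` are assumptions.

```python
"""Parse a server's SSH_MSG_KEXINIT and report the MACs a scanner would flag."""
import socket
import struct
# MACs named in the scan finding discussed in the thread; extend to match your policy.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _name_list(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)  # uint32 length, then comma-separated names
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Return the name-lists of a KEXINIT payload: msg byte 20, 16-byte cookie, ten lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for field in FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input offline."""
    body = bytes([20]) + bytes(16)  # a zero cookie is fine for a constructed sample
    for field in FIELDS:
        s = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + bytes(1) + bytes(4)  # first_kex_packet_follows = 0, reserved = 0

def weak_macs_offered(payload):
    """MACs from WEAK_MACS that the server offers in either direction, sorted."""
    lists = parse_kexinit(payload)
    return sorted((set(lists["mac_c2s"]) | set(lists["mac_s2c"])) & WEAK_MACS)

def probe(host, port, timeout=5.0):
    """Fetch the live KEXINIT payload from host:port (assumed values); no login is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-mac_probe\r\n")  # our identification string
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = f.readline()
        (length,) = struct.unpack(">I", f.read(4))  # packet: uint32 length, padding_length, payload, padding
        pkt = f.read(length)
        return pkt[1:length - pkt[0]]

# Constructed sample of an un-hardened server's offer (not captured from a real host).
OLD_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"]
SAMPLE = build_kexinit({"kex": ["ecdh-sha2-nistp256"], "hostkey": ["ssh-rsa"],
                        "cipher_c2s": ["aes128-ctr"], "cipher_s2c": ["aes128-ctr"],
                        "mac_c2s": OLD_MACS, "mac_s2c": OLD_MACS,
                        "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Running `weak_macs_offered(probe(host, port))` against the Jenkins CLI SSH port, rather than the OS sshd on port 22, shows whether the finding will clear after the sshd-module dependency bump.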
