
Algorithm negotiation fail SSH in Jenkins


TL;DR edit your sshd_config and enable support for diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 in KexAlgorithms:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

I suspect that the problem appeared after the following change in OpenSSH 6.7: "The default set of ciphers and MACs has been altered to remove unsafe algorithms." (see changelog). This version was released on Oct 6 and made it into Debian testing on Oct 21 (see Debian changelog).

OpenSSH enables only the following key exchange algorithms by default:

  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha1

Whereas JSch claims to support these algorithms (see under "features") for key exchange:

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1

So indeed, they cannot agree on a common key exchange algorithm. Updating sshd_config (and restarting the SSH server) does the trick. Apparently JSch is supposed to support the "diffie-hellman-group-exchange-sha256" method since version 0.1.50 (see changelog).


As outlined here: http://sourceforge.net/p/jsch/mailman/message/32975616/, in JSch 0.1.51 diffie-hellman-group-exchange-sha256 is implemented, but not enabled. You can enable it using the setConfig function like so:

    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Session;

    JSch jsch = new JSch();
    java.util.Properties configuration = new java.util.Properties();
    // Key exchange algorithms the client offers, in order of preference
    configuration.put("kex", "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256");
    // Turns off host key verification for this session
    configuration.put("StrictHostKeyChecking", "no");
    Session session = jsch.getSession("username", "hostname", 22);
    session.setPassword("password");
    session.setConfig(configuration);
    session.connect();
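The mismatch the two answers above describe, as an added example (not code from either answer, OpenSSH or JSch): a simplified form of the RFC 4253 section 7.1 rule, where the first algorithm on the client's list that the server also offers is chosen. The algorithm lists are copied from this page; the order of the JSch default list and all function names are assumptions.

```python
# Added example: SSH key-exchange selection, simplified from RFC 4253 section 7.1
# (the guessed-packet and host-key compatibility conditions are ignored).
# Algorithm lists are copied from this page; function names are hypothetical.

# The sshd_config directive from the TL;DR answer.
TLDR_LINE = ("KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
             "ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
             "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,"
             "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")

# OpenSSH defaults as listed on this page.
OPENSSH_67_DEFAULT = [
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# What the page says JSch offers out of the box (order assumed).
JSCH_DEFAULT = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]

# The "kex" value from the setConfig answer, in the order given there.
JSCH_SETCONFIG = ("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
                  "diffie-hellman-group-exchange-sha1,"
                  "diffie-hellman-group-exchange-sha256").split(",")

def parse_kex(line):
    """Parse a 'KexAlgorithms a,b,c' directive into an ordered list."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "kexalgorithms":
        raise ValueError("not a KexAlgorithms directive")
    return [a.strip() for a in parts[1].split(",") if a.strip()]

def negotiate(client, server):
    """Return the first client algorithm the server also offers, else None."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def added_to_server(server, baseline):
    """List algorithms a server config enables beyond the baseline defaults."""
    return [alg for alg in server if alg not in baseline]

if __name__ == "__main__":
    tldr_server = parse_kex(TLDR_LINE)
    print("JSch default vs OpenSSH default:", negotiate(JSCH_DEFAULT, OPENSSH_67_DEFAULT))
    print("JSch default vs TL;DR server:   ", negotiate(JSCH_DEFAULT, tldr_server))
    print("JSch setConfig vs OpenSSH default:", negotiate(JSCH_SETCONFIG, OPENSSH_67_DEFAULT))
    print("Re-enabled on the server by the TL;DR:", added_to_server(tldr_server, OPENSSH_67_DEFAULT))
```

With the setConfig list the session settles on diffie-hellman-group14-sha1 rather than the sha256 method, because the client's order decides; the server's defaults stay untouched in that case.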


We had the same problem with our Jenkins (2.21) and the SSH plugin (2.4).

Our solution is to use the native shell execution. It seems that the Jenkins plugin does not use the same SSH connection settings as the native shell.

So you could make the ssh connect like this (without the ssh-plugin):

ssh user@host <<'ENDSSH'
echo your remote command here
ENDSSH

If you wrap your remote commands with the code above the connection works fine.

With this solution you don't need the ssh-plugin anymore.

For your information: We got the problem on our Mittwald servers since they upgraded OpenSSH on their servers.