[JENKINS-39805] - Update SSHD module to 1.8 #2641
Conversation
`the fix disables some obsolete protocols as per [JENKINS-39805](https://issues.jenkins-ci.org/browse/JENKINS-39805): AES128CBC, TripleDESCBC.Factory(), and BlowfishCBC All changes: jenkinsci/sshd-plugin@sshd-1.7...sshd-1.8
|
👍 assuming sshd-core doesn't offer better ciphers as further alternatives. |
|
@daniel-beck It does. Many Ciphers have been introduced since 0.8.0 we use: https://github.com/apache/mina-sshd/tree/master/sshd-core/src/main/java/org/apache/sshd/common/cipher |
|
So the latest versions are incompatible. We could update to 0.14.0 and get several "new" ciphers: https://github.com/apache/mina-sshd/tree/sshd-0.14.0/sshd-core/src/main/java/org/apache/sshd/common/cipher . Upgrade to the latest version will be much more painful |
|
I would say, there are no valuable ciphers in 0.14.0. That is: I see only EC-DSA ones, they're also considered insecure and not included into latest OpenSSH. CMIIW. That is: a modern SSH implementation should support two ciphers: AES-CTR and ChaCha-Poly. I don't see the latter in the latest mina-sshd though. Other things we could improve with time in Jenkins SSH support however are:
|
daniel-beck
changed the title
|
Yes, 0.14.0 is 2 years old. So it is definitely not a state of the art. But Upgrade to mina-ssh 2.x or migration to other lib will break the core's On Nov 20, 2016 11:28, "Vasily Korytov" [email protected] wrote:
|
|
Merging the current PR. I hope to try updating to 0.14.0 and adding "new" Ciphers from there later |
The fix disables some obsolete Ciphers as per JENKINS-39805: AES128CBC, TripleDESCBC, and BlowfishCBC
All changes: jenkinsci/sshd-plugin@sshd-1.7...sshd-1.8
@jenkinsci/code-reviewers, @chillum, @ydubreuil, @aheritier