Better compatibility with SSH clients (eg, Jenkins/BlueOcean) and add EdDSA key support by upgrading sshd #1272
There's a Jenkins issue that would be resolved with this. JENKINS-45769 -- I did not dare try to fix this on Jenkins side.
Though I do not use ED25519, I have merged your commits to our Gitblit server and it works. I have been missing this merge work for a long time. You made my day. Good work. Thank you.
I'm reopening this pull request since only one commit was merged and the support for eddsa is still pending.
groovy.version : 2.4.4 | ||
bouncycastle.version : 1.52 | ||
selenium.version : 2.28.0 | ||
wikitext.version : 1.4 | ||
sshd.version: 1.0.0 | ||
mina.version: 2.0.9 | ||
sshd.version: 1.6.0 |
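Review bot: mina.version: 2.0.9 sits directly beside the sshd.version change, and the hunk does not show whether that pin is kept or removed. If it stays, confirm that 2.0.9 is a MINA release SSHD 1.6.0 is tested against; if no dependency references it any more, drop the property so a stale pin is not left behind. The move from 1.0.0 to 1.6.0 also spans several releases, so the commit message should say which SSH-facing defaults change with it.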
Apache SSHD 1.6.0 is still extremely old (tagged June, 2017) and has publicly documented security issues. The current release is 2.8.0.
It may be an upgrade you want to tackle separately, but it's likely worthwhile to do so. In particular, going to SSHD 2.8 will have built-in support for rsa-sha2-256 and rsa-sha2-512 which is enabled by default. Since OpenSSH 8.8 disables ssh-rsa by default, this will save your end users a lot of hassle.
Yeah when I sent this PR (in 2018) life was different. I tried to close this PR but failed. Good luck!
Hello! Two commits here.
First one is the minimum needed to make Gitblit work with Jenkins/BlueOcean (resolves the "MAC corrupt" exception). It upgrades sshd to 1.2.0 with no further changes.
Second one upgrades sshd to 1.6.0, and adds a dependency on eddsa, and adds code to register this provider, which in fact (tested) adds support for my new ED25519 ssh key. It also upgrades JGit to a newer point release which is supposed to fix bugs only.
I'm running two production instances of Gitblit with these patches, and finally enjoying Gitblit + Jenkins/Blueocean pipelines.
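To check what the review comment on rsa-sha2-256/rsa-sha2-512 and the ED25519 support described above mean on the wire, the following added example (not code from this pull request or from Gitblit) parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and audits the host key algorithms a server advertises. It covers the host-key side only; the function names, finding labels and both sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ("kex", "server_host_key", "enc_c2s", "enc_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its name-lists; raise ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}  # skip the message code and the 16-byte cookie
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length field for " + name)
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list " + name)
        text = payload[pos:pos + size].decode("ascii")
        fields[name] = text.split(",") if text else []
        pos += size
    return fields

def audit_host_key_algorithms(offered: list) -> list:
    """Return findings for the server_host_key list a server advertises."""
    findings = []
    if "ssh-rsa" in offered and not {"rsa-sha2-256", "rsa-sha2-512"} & set(offered):
        findings.append("rsa-sha1-only")  # RSA key usable only via ssh-rsa (SHA-1)
    if "ssh-ed25519" not in offered:
        findings.append("no-ed25519")
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed KEXINIT payload for the samples below."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie: sample data only
    for name in NAME_LISTS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed samples, not captured from any real server.
LEGACY = build_kexinit({"server_host_key": ["ssh-rsa"]})
MODERN = build_kexinit({"server_host_key": ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"]})

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY), ("modern", MODERN)):
        offered = parse_kexinit(payload)["server_host_key"]
        print(label, offered, audit_host_key_algorithms(offered) or "ok")
```

A server that yields `rsa-sha1-only` is the case the review comment warns about: OpenSSH 8.8 and later disable ssh-rsa by default, so such clients find no host key algorithm they accept.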