SSH Server Port 33786 - How can we configure it with customized kexalgorithms/hmac/ciphers

Using Jenkins Ask a question
1

Hey experts, We are using Jenkins 2.462.3 with Java 17.

The SSH Server running on Port 33786 which is the built-in SSH server for Jenkins reported few outdated and weak algorithms being used.

ssh-server
ssh-server2592×434 7.64 KB

We want to customize the algorithms based on standard security policies. I went through the Advanced Configuration for SSH Server (We are currently using version 3.237.v883d165a_c1d3) which has few system properties that can be used - excludedKeyExchanges & excludedMacs.

1). Are the System properties still valid?
2). Is there a way to modify ciphers and host algorithms as well?
3). How can I not allow SHA-1 based key algorithms and cbc* based ciphers from the built in SSH-Server?
4). Does upgrading the plugin take care of the allowed algorithms?

P.S - We do plan to upgrade Jenkins core to 2.504.x soon.

Any sort of assistance is appreciated! Thank you!

2

Other SSH related plugins in-use

mina-sshd-api-common:2.13.2-125.v200281b_61d59
mina-sshd-api-core:2.13.2-125.v200281b_61d59
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:308.ve4497b_ccd8f4
ssh:158.ve2a_e90fb_7319
ssh-slaves:2.968.v6f8823c91de4
3

I was able to skip SHA-1 based MAC algorithms by org.jenkinsci.main.modules.sshd.SSHD.excludedMacs

:red_question_mark: I used a script to get the host algorithms

import org.jenkinsci.main.modules.sshd.SSHD
import org.apache.sshd.server.SshServer

def sshdInstance = SSHD.get()

def serverField = sshdInstance.getClass().getDeclaredField("sshd")
serverField.setAccessible(true)
SshServer server = serverField.get(sshdInstance)

if (server == null) {
    println "\nSSHD Server is currently disabled or not fully initialized."
    return
}

println "\n Enabled Host Key Algorithms"
try {
    def keyPairProvider = server.getKeyPairProvider()
    if (keyPairProvider != null) {
        keyPairProvider.getKeyTypes().each { 
            println "  - ${it}" 
        }
    } else {
        println "  - Host Key Provider is not configured or not accessible."
    }
} catch (Exception e) {
    println "  - ERROR retrieving Host Keys: ${e.getMessage()}"
}

return

which returns

 Enabled Host Key Algorithms
  - ssh-rsa

Does Jenkins support ECDSA/ED25519 algorithms. Can we configure Jenkins to use any one of this?