java.lang.IllegalStateException: Connection is not established!

Jenkins JIRA | Shea Tomsin | 1 year ago
  1. 0

    [JIRA] [ssh-credentials-plugin] (JENKINS-31549) sshcredentials via trilead-ssh2 Cannot Connect to Servers Requiring Strong MACs

    Google Groups | 1 year ago | sheatomsin@gmail.com (JIRA)
    java.lang.IllegalStateException: Connection is not established!
  2. 0

    master cannot connect to slave {code:none|title=/var/log/secure on slave reports} sshd[1978]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 {code} master reports {code:none} Key exchange was not finished, connection is closed. ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins. java.lang.IllegalStateException: Connection is not established! at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030) at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88) at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80) at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207) at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169) at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212) at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711) at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) {code} This is related to JENKINS-26379 but the comments in that ticket only hint at the issue which, to writ, is: https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/crypto/digest/MAC.java {code:none|title=com.trilead.ssh2.crypto.digest.MAC} public final static String[] getMacList() { /* Higher Priority First */ return new String[] { "hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5" }; } {code} See https://stribika.github.io/2015/01/04/secure-secure-shell.html {quote} Here are the available MAC choices: hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64 umac-128 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com The selection considerations: Security of the hash algorithm: No MD5 and SHA1. Yes, I know that HMAC-SHA1 does not need collision resistance but why wait? Disable weak crypto today. Encrypt-then-MAC: I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail. Since there are no downgrade attacks, you can add them to the end of the list. You can also do this on a host by host basis so you know which ones are less safe. Tag size: At least 128 bits. This eliminates umac-64-etm. Key size: At least 128 bits. This doesn't eliminate anything at this point. Recommended /etc/ssh/sshd_config snippet: {code:none} MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com {code} {quote}

    Jenkins JIRA | 1 year ago | Shea Tomsin
    java.lang.IllegalStateException: Connection is not established!
  3. 0

    master cannot connect to slave {code:none|title=/var/log/secure on slave reports} sshd[1978]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 {code} master reports {code:none} Key exchange was not finished, connection is closed. ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins. java.lang.IllegalStateException: Connection is not established! at com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030) at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88) at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80) at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207) at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169) at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212) at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711) at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) {code} This is related to JENKINS-26379 but the comments in that ticket only hint at the issue which, to writ, is: https://github.com/jenkinsci/trilead-ssh2/blob/master/src/com/trilead/ssh2/crypto/digest/MAC.java {code:none|title=com.trilead.ssh2.crypto.digest.MAC} public final static String[] getMacList() { /* Higher Priority First */ return new String[] { "hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5" }; } {code} See https://stribika.github.io/2015/01/04/secure-secure-shell.html {quote} Here are the available MAC choices: hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64 umac-128 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com The selection considerations: Security of the hash algorithm: No MD5 and SHA1. Yes, I know that HMAC-SHA1 does not need collision resistance but why wait? Disable weak crypto today. Encrypt-then-MAC: I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail. Since there are no downgrade attacks, you can add them to the end of the list. You can also do this on a host by host basis so you know which ones are less safe. Tag size: At least 128 bits. This eliminates umac-64-etm. Key size: At least 128 bits. This doesn't eliminate anything at this point. Recommended /etc/ssh/sshd_config snippet: {code:none} MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com {code} {quote}

    Jenkins JIRA | 1 year ago | Shea Tomsin
    java.lang.IllegalStateException: Connection is not established!
  4. Speed up your debug routine!

    Automated exception search integrated into your IDE

  5. 0

    Jenkins - ssh connection exception

    Stack Overflow | 2 years ago | Mohit Sharma
    java.lang.IllegalStateException: Connection is not established!
  6. 0

    Jenkins master fails to connect to the slave over SSH

    Stack Overflow | 2 years ago | Tanel Mae
    java.lang.IllegalStateException: Connection is not established!

    4 unregistered visitors
    Not finding the right solution?
    Take a tour to get the most out of Samebug.

    Tired of useless tips?

    Automated exception search integrated into your IDE

    Root Cause Analysis

    1. java.lang.IllegalStateException

      Connection is not established!

      at com.trilead.ssh2.Connection.getRemainingAuthMethods()
    2. Trilead
      Connection.getRemainingAuthMethods
      1. com.trilead.ssh2.Connection.getRemainingAuthMethods(Connection.java:1030)
      1 frame
    3. com.cloudbees.jenkins
      SSHAuthenticator.newInstance
      1. com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.getRemainingAuthMethods(TrileadSSHPublicKeyAuthenticator.java:88)
      2. com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.canAuthenticate(TrileadSSHPublicKeyAuthenticator.java:80)
      3. com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:207)
      4. com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.newInstance(SSHAuthenticator.java:169)
      4 frames
    4. hudson.plugins.sshslaves
      SSHLauncher$2.call
      1. hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1212)
      2. hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:711)
      3. hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
      3 frames
    5. Java RT
      Thread.run
      1. java.util.concurrent.FutureTask.run(FutureTask.java:262)
      2. java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      3. java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      4. java.lang.Thread.run(Thread.java:745)
      4 frames