1

This question has been annoying me for a couple of years now! What key needs to change to solve this ?

Background: ssh rsa keys of size 2048 can begin with leading 1 or 0. Leading 0 results in the key being seen as length 2047 to some software. These keys would appear to not conform to the standard so they are not accepted by the latest software libraries.

Older java versions and default crypto library used to allow the 2047 size rsa keys. Newer java does not. """java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 2047 is not supported""" is seen.

What we see is that when jenkins is upgraded then jobs where CVS access was working now do not work :-(

Without rebuilding jenkins to use different security libraries is it possible to solve this issue ?

Regenerating the CVS user key as RSA size 4096 was tried. Without success. Is it the CVS server host key which the error is about or is it the CVS user key ?

https://www.ssh.com/ssh/keygen/

ssh-keygen -t rsa -b 4096

Error can be solved by using different crypto libraries: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive)

2047 and 2048 RSA key length: https://security.stackexchange.com/questions/90169/rsa-public-key-and-private-key-lengths

DHGEX failing with 2048-bit key under Java 8, but succeeding with 1024-bit key

Building in workspace /var/lib/jenkins/workspace/cvs_status_xxxxx
cvs checkout -P -D 15 Mar 2019 12:30:42 +0000 -d xxxxx xxxxx 
ERROR: CVS Authentication failed: null
org.netbeans.lib.cvsclient.connection.AuthenticationException: SSH connection failed.
    at org.netbeans.lib.cvsclient.connection.SSHConnection.open(SSHConnection.java:141)
    at org.netbeans.lib.cvsclient.Client$1.run(Client.java:374)
    at java.lang.Thread.run(Thread.java:748)
Caused by: com.jcraft.jsch.JSchException: Session.connect: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 2047 is not supported
    at com.jcraft.jsch.Session.connect(Session.java:565)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at org.netbeans.lib.cvsclient.connection.SSHConnection.open(SSHConnection.java:139)
    ... 2 more
ERROR: Cvs task failed
ERROR: Step ‘Archive the artifacts’ failed: No artifacts are configured for archiving.
You probably forgot to set the file pattern, so please go back to the configuration and specify it.
If you really did mean to archive all the files in the workspace, please specify "**"
[BFA] Scanning build for known causes...
[BFA] No failure causes found
[BFA] Done. 0s
Started calculate disk usage of build
Finished Calculation of disk usage of build in 0 seconds
Started calculate disk usage of workspace
Finished Calculation of disk usage of workspace in 0 seconds
Finished: FAILURE

https://bugs.openjdk.java.net/browse/JDK-8164963 In RFC 2631 and FIPS 186-3/4 p can't have leading zeros. The JDK enforces this. https://www.ietf.org/rfc/rfc2631.txt It's outlined in this section of the RFC : "2.2.1.1. Generation of p, q"

gaoithe
  • 4,218
  • 3
  • 30
  • 38
  • Did you ever figure out a solution? – Mort Apr 05 '19 at 13:09
  • Well the proper solution would be to update ssh keys on the cvs server. Make sure the new keys are not 2047 in length but 2048 (or greater). But we still have a cvs server whose keys we do not want to touch :-7 Working around that by running cvs command-line commands from script running in jenkins job. – gaoithe Apr 08 '19 at 09:53

0 Answers0