SSH-Runner: Update golang.org/x/crypto/ssh to support more secure MACs (hmac-sha2-256)

The SHA1 hashing algorithm is no longer considered to be the most secure. Therefore server admins tend to disable rather old and less secure algorithms on their (SSH) servers. (see Secure Secure Shell or cipherli.st)

Using the ssh runner I get this error when trying to connect to my server: ERROR: Build failed with: ssh: handshake failed: ssh: no common algorithms

The server log (/var/log/auth.log) shows this error: …fatal: no matching mac found: client hmac-sha1,hmac-sha1-96 server …,hmac-sha2-256,… [preauth] (list of server MACs truncated)

I know that adding hmac-sha1 or hmac-sha1-96 to the list of allowed MACs in my sshd_config solves the problem. But I'd rather have the ssh runner to be able to use hmac-sha2-256 or other more secure algorithms.

The bundled version of the dependency golang.org/x/crypto/ssh is somewhat outdated (bundled crypto/ssh vs latest crypto/ssh on github)

tl;dr: Could you please update the crypto/ssh dependency to a recent version? (See commit e3f150b on github)

/cc @aneumann91

@p-schneider Could you create MR with an update?

I currently don't have an environment setup to compile and test the code. But i think simply updating the folder contents of /Godeps/_workspace/src/golang.org/x/crypto/ssh/ with those from https://github.com/golang/crypto/tree/master/ssh should work. I'm not sure if you want to trust me, a stranger from the internet, to update crypto/security related code. If you want I can make a MR for updating the contents in /Godeps/_workspace/src/golang.org/x/crypto/ssh/ but I did't compile and test if it breaks anything else. If simply copying the folder content from https://github.com/golang/crypto/tree/master/ssh over to /Godeps/_workspace/src/golang.org/x/crypto/ssh/ is all we need, you might as well do it yourself and not risk me sneaking in evil code.

Edit: here is the commit I would create a MR with: p-schneider/gitlab-ci-multi-runner@bd528480

Any idea when the MR will be accepted, or when this issue will be fixed? This is currently preventing me from setting up Gitlab-CI.

Milestone changed to v1.1

Reassigned to @ayufan

Added improvement label

mentioned in merge request !97 (merged)

Fixed in https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/merge_requests/97

I can confirm Build #717053 gitlab-ci-multi-runner 1.1.0~beta.100.g2cb4f0b (2cb4f0b) is running fine for me.

Status changed to closed by merge request !97 (merged)