Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue commented on BOLT-920 Re: Bolt unable to connect with ecdsa key Moved to github issue https://github.com/puppetlabs/bolt/issues/1165 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.279767.1539207585000.62683.1566312420630%40Atlassian.JIRA.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Yasmin Rajabi updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Yasmin Rajabi Labels: ghm known-issue-added Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.279767.1539207585000.58607.1565909340738%40Atlassian.JIRA.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title David Kramer updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: David Kramer Sprint: Bolt Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title David Kramer updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: David Kramer Sprint: Bolt Kanban Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title David Kramer assigned an issue to Unassigned Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: David Kramer Assignee: Cas Donoghue Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue commented on BOLT-920 Re: Bolt unable to connect with ecdsa key An issue was filed against the net-ssh project: https://github.com/net-ssh/net-ssh/issues/657 A ticket describing compatibility with rsa keys in the OpenSSH format was created in order to track that work separately. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue commented on BOLT-920 Re: Bolt unable to connect with ecdsa key Update: The title of this ticket indicates that ecdsa keys do not work with bolt. If the ecdsa key is generated with a version of Openssh that is pre 7.8 (or with the non-openssh format) then the key is compatible with the version of net-ssh (5.0.2) which shipped with bolt (pre 1.11.0). As noted in the comments the root cause is the Openssh formatted key. So keys (including keypairs that use the popular rsa algorithm) that use the Openssh format were incompatible with net-ssh (pre 5.0.2) and therefor with bolt. The bolt 1.11.0 release updated to the latest net-ssh version (5.1.0) which added support for rsa keys with the openssh format. However ecdsa keys with the Openssh format are still incompatible with the latest version (see comment above showing Net::SSH::Exception). So with bolt 1.11.0 an rsa key formatted in the Openssh format will work where previously it did not but ecdsa keys with Openssh format are still incompatible. Previously an Openssh formatted rsa key with bolt < 1.11.0 would produce the following error: [root@ebo9k1qf1fpcs67 bolt]# bolt command run whoami -n rsa-openssh Started on jlmfz1sost45dup.delivery.puppetlabs.net... Failed on jlmfz1sost45dup.delivery.puppetlabs.net: Failed to connect to jlmfz1sost45dup.delivery.puppetlabs.net: expected 64-byte String, got 3 Failed on 1 node: jlmfz1sost45dup.delivery.puppetlabs.net Ran on 1 node in 0.19 seconds Ecdsa keys stored in the Openssh format still produce the following error: [root@ebo9k1qf1fpcs67 Boltdir]# bolt command run whoami -n ecdsa-openssh
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Melissa Amos updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Melissa Amos Labels: known-issue-added Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Melissa Amos commented on BOLT-920 Re: Bolt unable to connect with ecdsa key Here's the known issue. I tweaked the wording on the workaround (last paragraph) so please check my understanding. http://docs-internal.puppet.com/docs/bolt/dev/bolt_known_issues.html#ssh-keys-generated-with-ssh-keygen-from-openssh-7-8-fail Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Fix Version/s: BOLT Next Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue commented on BOLT-920 Re: Bolt unable to connect with ecdsa key When I tested this originally I did not have my test case quite right. I went to do a final verification on a clean install and found that net-ssh 5.1.0 does not resolve the issue. Replication: [root@ebo9k1qf1fpcs67 gems]# ssh -V OpenSSH_7.8p1, OpenSSL 1.1.1 FIPS 11 Sep 2018 [root@ebo9k1qf1fpcs67 ~]# ssh-keygen -t ecdsa [root@ebo9k1qf1fpcs67 ~]# ssh -i id_ecdsa root@localhost [root@ebo9k1qf1fpcs67 Boltdir]# bolt command run whoami -n ecdsa Started on localhost... Failed on localhost: Failed to connect to localhost: the given identity is known, but the private key could not be loaded: Net::SSH::Exception (Cannot decode private key of type ecdsa-sha2-nistp256) Failed on 1 node: localhost Ran on 1 node in 0.16 seconds inventory.yaml
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Melissa Amos commented on BOLT-920 Re: Bolt unable to connect with ecdsa key To clarify, the known issue documented in pre-docs for this ticket is being FIXED in 1.11.0? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Release Notes Summary: Bolt can now use keys in an {{ecdsa}} key updated OpenSSH format to authenticate {{ssh}} connections. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Release Notes Summary: Bolt can now use an {{ecdsa}} key to authenticate {{ssh}} connections. Release Notes: Bug Fix Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Fix Version/s: BOLT Next Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue commented on BOLT-920 Re: Bolt unable to connect with ecdsa key Verified ecdsa key works with 5.1.0 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue assigned an issue to Cas Donoghue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Assignee: Cas Donoghue Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Michael Smith commented on BOLT-920 Re: Bolt unable to connect with ecdsa key Looks like we can address this with net-ssh 5.1.0. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Cas Donoghue updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Cas Donoghue Sprint: Bolt Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Duncan X Simpson commented on BOLT-920 Re: Bolt unable to connect with ecdsa key This appears to be fixed now: https://github.com/net-ssh/net-ssh/pull/646 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Michael Smith updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Michael Smith Sprint: Bolt Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Michael Smith commented on BOLT-920 Re: Bolt unable to connect with ecdsa key SSH 7.8 switched ssh-keygen to outputting keys in the OpenSSH format (rather than OpenSSL's PEM format). This breaks net-ssh for everything except ed25519 keys due to https://github.com/net-ssh/net-ssh/blob/v5.0.2/lib/net/ssh/key_factory.rb#L112. Issue at https://github.com/net-ssh/net-ssh/issues/633. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Michael Smith updated an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Change By: Michael Smith Sprint: Bolt Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-920) Bolt unable to connect with ecdsa key
Title: Message Title Michael Smith created an issue Puppet Task Runner / BOLT-920 Bolt unable to connect with ecdsa key Issue Type: Bug Affects Versions: BOLT 1.0.0 Assignee: Unassigned Created: 2018/10/10 2:39 PM Priority: Normal Reporter: Michael Smith Using a ecdsa-sha2-nistp256 key generated by ssh-keygen -t ecdsa, Bolt quietly fails to connect. See https://github.com/puppetlabs/bolt/issues/700 for original issue and debugging. This doesn't appear to be resolved yet in net-ssh#master, or by including ed25519 and bcrypt_pbkdf (with net-ssh 5.0.2). Add Comment