[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package paramiko - 2.9.3-0ubuntu1

---
paramiko (2.9.3-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1968730).
    - Add support for SHA-2 variants of RSA key verification algorithms
      to support openssh >= 8.8p1-1 (Closes: #1007168, LP: #1961979)
  * Refresh patches.

 -- Benjamin Drung   Tue, 12 Apr 2022 16:26:58 +0200

** Changed in: paramiko (Ubuntu Jammy)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961979

Title:
  Can't connect to Jammy hosts (openssh >= 8.8p1-1)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/1961979/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-04-12 Thread Benjamin Drung
I filed bug #1968730 as a feature freeze exception request to fix this
bug.


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-04-12 Thread Benjamin Drung
I checked the upstream changes between 2.8.1 (jammy version) and 2.9.3:
https://github.com/paramiko/paramiko/compare/2.8.1...2.9.3

There are only a few commits:

* Weird typos introduced 2 years ago, bah (only change to test cases)
* Longterm TODOs (adds only comments)
* Enhance kex DEBUG logging to be more readable
* Add support for RSA SHA2 host and public keys (we want this one)
* Add agent RSA-SHA2 support, also tweak changelog w/ more tickets (we want this one too)
* Changelog format tweak (only doc update)
* Cut 2.9.0
* Changelog and test re #1955 (we want this one)
* Fix #1955 (we want this one)
* Cut 2.9.1
* Add more visible backwards compat warning re 2.9 RSA2 changes (only doc update)
* Fix up logging and exception handling re: pubkey auth and presence/lack of server-sig-algs (we want this one)
* Cut 2.9.2
* Clarify disabled algorithms keys vs pubkeys in changelog (only doc update)
* Fix publickey authentication with signed RSA key (we want this one)
* Changelog closes #1963, closes #1977 (only doc update)
* util: store thread assigned id in thread-local storage, fixes #2002 (we want this one)
* Changelog re #2002, re #2003, closes #2002 (only doc update)
* Cut 2.9.3

Result: The difference between 2.8 and 2.9 is basically the RSA2 support
that we want/need. Only the commit "Enhance kex DEBUG logging to be more
readable" is not needed. So I say let's update the paramiko package to
2.9.3 instead of "backporting" the change.

For the SRUs we might only backport the client side support which is a
smaller patch.


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-04-12 Thread Benjamin Drung
** Description changed:

  python3-paramiko can't connect to Jammy hosts, likely because of the
  stricter signature requirements introduced in openssh 8.8p1-1.
  
  Reproducer:
  
- 1. Setup a passwordless keypair and add localhost to known_hosts, so
- that:
+ 1. Setup a passwordless keypair and add localhost to known_hosts:
+ 
+ $ sudo apt install -y openssh-server openssh-client ipython3 python3-paramiko
+ $ ssh-keygen -f ~/.ssh/id_rsa_insecure
+ $ SSH_AUTH_SOCK= ssh-copy-id -i ~/.ssh/id_rsa_insecure localhost
+ 
+ 2. Verify setup:
  
  paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost 
date
  2022-02-23T12:35:39 CET
  
- 2. Try the same with paramiko from python3-paramiko:
+ 3. Try the same with paramiko from python3-paramiko:
  
  $ ipython3
  
- In [1]: from paramiko import SSHClient
- In [2]: client = SSHClient()
+ In [1]: import paramiko, os
+ In [2]: client = paramiko.SSHClient()
  In [3]: client.load_system_host_keys()
- In [4]: client.connect('localhost', 
key_filename='/home/paride/.ssh/id_rsa_insecure')
+ In [4]: client.connect('localhost', 
key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
  Unknown exception: q must be exactly 160, 224, or 256 bits long
  [Full Traceback Below]
  
- 3. Try with a newer paramiko:
+ 4. Try with a newer paramiko:
  
  $ python3 -m venv /tmp/newparamiko
  $ source /tmp/newparamiko/bin/activate
  $ pip install -q paramiko==2.9.2
  $ ipython3
  
- In [1]: from paramiko import SSHClient
- In [2]: client = SSHClient()
+ In [1]: import paramiko, os
+ In [2]: client = paramiko.SSHClient()
  In [3]: client.load_system_host_keys()
- In [4]: client.connect('localhost', 
key_filename='/home/paride/.ssh/id_rsa_insecure')
+ In [4]: client.connect('localhost', 
key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
  In [5]: # It works!
  
- The Point 2. failure can be reproduced by installing older versions of
+ The Point 3. failure can be reproduced by installing older versions of
  paramiko via pip, so the issue is not specific to Ubuntu. Likely related
  upstream changes/issues:
  
  * https://github.com/paramiko/paramiko/pull/1643
  * https://github.com/paramiko/paramiko/issues/1955
  
- --- Point 2. Traceback ---
+ --- Point 3. Traceback ---
  
  Traceback (most recent call last):
-   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in 
run
- handler(self.auth_handler, m)
-   File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, 
in _parse_service_accept
- sig = self.private_key.sign_ssh_data(blob)
-   File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in 
sign_ssh_data
- key = dsa.DSAPrivateNumbers(
-   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 244, in private_key
- return backend.load_dsa_private_numbers(self)
-   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 827, in load_dsa_private_numbers
- dsa._check_dsa_private_numbers(numbers)
-   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 282, in _check_dsa_private_numbers
- _check_dsa_parameters(parameters)
-   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 274, in _check_dsa_parameters
- raise ValueError("q must be exactly 160, 224, or 256 bits long")
+   File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in 
run
+ handler(self.auth_handler, m)
+   File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, 
in _parse_service_accept
+ sig = self.private_key.sign_ssh_data(blob)
+   File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in 
sign_ssh_data
+ key = dsa.DSAPrivateNumbers(
+   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 244, in private_key
+ return backend.load_dsa_private_numbers(self)
+   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 827, in load_dsa_private_numbers
+ dsa._check_dsa_private_numbers(numbers)
+   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 282, in _check_dsa_private_numbers
+ _check_dsa_parameters(parameters)
+   File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 274, in _check_dsa_parameters
+ raise ValueError("q must be exactly 160, 224, or 256 bits long")
  ValueError: q must be exactly 160, 224, or 256 bits long
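
Review bot: In the new step 1, "ssh-keygen -f ~/.ssh/id_rsa_insecure" sets neither the key type nor an empty passphrase, so the reproducer relies on ssh-keygen's default key type being RSA and on the user pressing Enter at the passphrase prompt, while the step itself asks for a passwordless keypair and the file name says RSA. Suggest making both explicit, e.g. ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa_insecure, so the steps reproduce the failure regardless of the local ssh-keygen defaults.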


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-02-24 Thread Brian Murray
** Tags removed: rls-jj-incoming

** Also affects: paramiko (Ubuntu Jammy)
   Importance: High
   Status: New


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-02-24 Thread Paride Legovini
I added tasks for existing stable releases. I think we need to assess
how badly this is going to impact users of stable releases, and evaluate
if SRUs are an option. I had a first look and I don't think this is SRU
material (too many changes, not limited to src:paramiko), but let's
decide deliberately.


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-02-24 Thread Paride Legovini
** Also affects: paramiko (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: paramiko (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: paramiko (Ubuntu Focal)
   Importance: Undecided
   Status: New


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-02-24 Thread Matthieu Clemenceau
** Tags added: fr-2082


[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)

2022-02-23 Thread Sebastien Bacher
** Tags added: rls-jj-incoming
