Public bug reported:

[impact]

paramiko fails to connect to some servers.

[test case]

attempt to connect to a server that does not support server-sig-algs and
also only supports ssh-rsa (specifically, does not support
rsa-sha2-512). the connection will fail:

DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server did not send a server-sig-algs list; defaulting to our first preferred algo ('rsa-sha2-512')
DEBUG:paramiko.transport:NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/lib/python3/dist-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/lib/python3/dist-packages/paramiko/client.py", line 736, in _auth
    key = self._key_from_filepath(
  File "/usr/lib/python3/dist-packages/paramiko/client.py", line 588, in _key_from_filepath
    key = klass.from_private_key_file(key_path, password)
  File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 249, in from_private_key_file
    key = cls(filename=filename, password=password)
  File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 64, in __init__
    self._from_private_key_file(filename, password)
  File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 190, in _from_private_key_file
    data = self._read_private_key_file("RSA", filename, password)
  File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 322, in _read_private_key_file
    data = self._read_private_key(tag, f, password)
  File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 351, in _read_private_key
    data = self._read_private_key_openssh(lines[start:end], password)
  File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 452, in _read_private_key_openssh
    raise PasswordRequiredException(
paramiko.ssh_exception.PasswordRequiredException: private key file is encrypted

[regression potential]

any regression would likely prevent paramiko from connecting to a remote
server.

[scope]

this needs to be fixed in jammy and later.

this problem was introduced in paramiko 2.9.0 so does not exist in
impish or earlier.

[other info]

this doesn't appear to be fixed upstream yet.
https://github.com/paramiko/paramiko/issues/2012

Note this can be worked around if direct access to the paramiko code is
possible, by using the 'disabled_algorithms' parameter to the client
connect() method, e.g.:

client.connect("<hostname>", disabled_algorithms={'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']})

Note this can break connections to other systems however, that do
support (only) those algs, so is not a very good workaround.
Additionally, this workaround isn't even possible if paramiko is being
used internally by some other python application.
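
The selection shown in the debug log, and the side effect of the workaround, as a small model (an added example, not part of the original report and not paramiko's code). The function names, the two constructed server profiles and the handling of a server that does send server-sig-algs are assumptions for illustration.

```python
# Simplified model of the client-side choice in the debug log above.
# NOT paramiko's code; names and structure are assumptions.

PREFERRED_PUBKEYS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]  # from the log
WORKAROUND = ("rsa-sha2-256", "rsa-sha2-512")  # the list from the report


def finalize_pubkey_algorithm(server_sig_algs, disabled=()):
    """Return the signature algorithm the client would use for an RSA key.

    server_sig_algs: list advertised by the server, or None if it sent none.
    disabled: names removed through a 'disabled_algorithms'-style option.
    """
    ours = [a for a in PREFERRED_PUBKEYS if a not in disabled]
    if not ours:
        raise ValueError("every RSA signature algorithm is disabled")
    if server_sig_algs is None:
        # No extension from the server: fall back to our first preference.
        return ours[0]
    for algo in ours:
        if algo in server_sig_algs:
            return algo
    raise ValueError("no pubkey algorithm in common with the server")


def auth_succeeds(server_accepts, server_sig_algs, disabled=()):
    """True if the algorithm the client picks is one the server verifies."""
    try:
        chosen = finalize_pubkey_algorithm(server_sig_algs, disabled)
    except ValueError:
        return False
    return chosen in server_accepts


# Constructed server profiles (not real hosts).
LEGACY = {"accepts": {"ssh-rsa"}, "sig_algs": None}
MODERN = {"accepts": {"rsa-sha2-256", "rsa-sha2-512"},
          "sig_algs": ["rsa-sha2-256", "rsa-sha2-512"]}


def outcome_table():
    """Map (profile, setting) -> whether publickey auth succeeds."""
    table = {}
    for name, srv in (("legacy", LEGACY), ("modern", MODERN)):
        for label, off in (("default", ()), ("workaround", WORKAROUND)):
            table[(name, label)] = auth_succeeds(
                srv["accepts"], srv["sig_algs"], off)
    return table
```

The table shows the trade-off in the note above: the workaround fixes the legacy profile and breaks the SHA-2-only one, so the disabled list has to be chosen per host.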

** Affects: paramiko
     Importance: Unknown
         Status: Unknown

** Affects: paramiko (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: paramiko (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: paramiko (Ubuntu Kinetic)
     Importance: Undecided
         Status: New

** Also affects: paramiko (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: paramiko (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Bug watch added: github.com/paramiko/paramiko/issues #2012
   https://github.com/paramiko/paramiko/issues/2012

** Also affects: paramiko via
   https://github.com/paramiko/paramiko/issues/2012
   Importance: Unknown
       Status: Unknown

** Description changed:

  [impact]
  
  paramiko fails to connect to some servers.
  
  [test case]
  
  attempt to connect to a server that does not support server-sig-algs and
  also only supports ssh-rsa (specifically, does not support rsa-
  sha2-512). the connection will fail:
  
  DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
  DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 
'rsa-sha2-256', 'ssh-rsa']
  DEBUG:paramiko.transport:Server did not send a server-sig-algs list; 
defaulting to our first preferred algo ('rsa-sha2-512')
  DEBUG:paramiko.transport:NOTE: you may use the 'disabled_algorithms' 
SSHClient/Transport init kwarg to disable that or other algorithms if your 
server does not support them!
  INFO:paramiko.transport:Authentication (publickey) failed.
  Traceback (most recent call last):
-   File "<stdin>", line 1, in <module>
-   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 435, in 
connect
-     self._auth(
-   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 766, in _auth
-     raise saved_exception
-   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 736, in _auth
-     key = self._key_from_filepath(
-   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 588, in 
_key_from_filepath
-     key = klass.from_private_key_file(key_path, password)
-   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 249, in 
from_private_key_file
-     key = cls(filename=filename, password=password)
-   File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 64, in 
__init__
-     self._from_private_key_file(filename, password)
-   File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 190, in 
_from_private_key_file
-     data = self._read_private_key_file("RSA", filename, password)
-   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 322, in 
_read_private_key_file
-     data = self._read_private_key(tag, f, password)
-   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 351, in 
_read_private_key
-     data = self._read_private_key_openssh(lines[start:end], password)
-   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 452, in 
_read_private_key_openssh
-     raise PasswordRequiredException(
+   File "<stdin>", line 1, in <module>
+   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 435, in 
connect
+     self._auth(
+   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 766, in _auth
+     raise saved_exception
+   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 736, in _auth
+     key = self._key_from_filepath(
+   File "/usr/lib/python3/dist-packages/paramiko/client.py", line 588, in 
_key_from_filepath
+     key = klass.from_private_key_file(key_path, password)
+   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 249, in 
from_private_key_file
+     key = cls(filename=filename, password=password)
+   File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 64, in 
__init__
+     self._from_private_key_file(filename, password)
+   File "/usr/lib/python3/dist-packages/paramiko/rsakey.py", line 190, in 
_from_private_key_file
+     data = self._read_private_key_file("RSA", filename, password)
+   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 322, in 
_read_private_key_file
+     data = self._read_private_key(tag, f, password)
+   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 351, in 
_read_private_key
+     data = self._read_private_key_openssh(lines[start:end], password)
+   File "/usr/lib/python3/dist-packages/paramiko/pkey.py", line 452, in 
_read_private_key_openssh
+     raise PasswordRequiredException(
  paramiko.ssh_exception.PasswordRequiredException: private key file is 
encrypted
  
  [regression potential]
  
  any regression would likely prevent paramiko from connecting to a remote
  server.
  
  [scope]
  
  this needs to be fixed in jammy and later.
  
  this problem was introduced in paramiko 2.9.0 so does not exist in
  impish or earlier.
  
  [other info]
  
  this doesn't appear to be fixed upstream yet.
  https://github.com/paramiko/paramiko/issues/2012
+ 
+ Note this can be worked around if direct access to the paramiko code is
+ possible, by using the 'disabled_algorithms' parameter to the client
+ connect() method, e.g.:
+ 
+ client.connect("<hostname>", disabled_algorithms={'pubkeys': ['rsa-
+ sha2-256', 'rsa-sha2-512']})
+ 
+ Note this can break connections to other systems however, that do
+ support (only) those algs, so is not a very good workaround.
+ Additionally, this workaround isn't even possible if paramiko is being
+ used internally by some other python application.
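
Review bot: In the added workaround text, the connect() example passes the same disabled list whatever the host is, which leaves only 'ssh-rsa' from the pubkey list shown in the log; suggest the text say to pass disabled_algorithms only for hosts known to lack rsa-sha2 support. The example is also split across two lines inside the string 'rsa-sha2-256', so it will not paste as valid code; keep it on one line.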

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1973241

Title:
  Paramiko 2.9.0 breaks compatibility with devices only supporting
  ssh-rsa and not supporting server-sig-algs

To manage notifications about this bug go to:
https://bugs.launchpad.net/paramiko/+bug/1973241/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
