[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
This bug was fixed in the package paramiko - 2.9.3-0ubuntu1

---
paramiko (2.9.3-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1968730).
    - Add support for SHA-2 variants of RSA key verification algorithms
      to support openssh >= 8.8p1-1 (Closes: #1007168, LP: #1961979)
  * Refresh patches.

 -- Benjamin Drung  Tue, 12 Apr 2022 16:26:58 +0200

** Changed in: paramiko (Ubuntu Jammy)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961979

Title:
  Can't connect to Jammy hosts (openssh >= 8.8p1-1)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/1961979/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
I filed bug #1968730 as feature freeze exception request to fix this bug.
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
I checked the upstream changes between 2.8.1 (jammy version) and 2.9.3:
https://github.com/paramiko/paramiko/compare/2.8.1...2.9.3

There are only a few commits:

* Weird typos introduced 2 years ago, bah (only change to test cases)
* Longterm TODOs (adds only comments)
* Enhance kex DEBUG logging to be more readable
* Add support for RSA SHA2 host and public keys (we want this one)
* Add agent RSA-SHA2 support, also tweak changelog w/ more tickets (we want this one too)
* Changelog format tweak (only doc update)
* Cut 2.9.0
* Changelog and test re #1955 (we want this one)
* Fix #1955 (we want this one)
* Cut 2.9.1
* Add more visible backwards compat warning re 2.9 RSA2 changes (only doc update)
* Fix up logging and exception handling re: pubkey auth and presence/lack of server-sig-algs (we want this one)
* Cut 2.9.2
* Clarify disabled algorithms keys vs pubkeys in changelog (only doc update)
* Fix publickey authentication with signed RSA key (we want this one)
* Changelog closes #1963, closes #1977 (only doc update)
* util: store thread assigned id in thread-local storage, fixes #2002 (we want this one)
* Changelog re #2002, re #2003, closes #2002 (only doc update)
* Cut 2.9.3

Result: The difference between 2.8 and 2.9 is basically the RSA2 support
that we want/need. Only the commit "Enhance kex DEBUG logging to be more
readable" is not needed. So I say let's update the paramiko package to
2.9.3 instead of "backporting" the change.

For the SRUs we might only backport the client side support which is a
smaller patch.
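
Background for the RSA SHA-2 and server-sig-algs commits listed above, as an added example that is not part of the original message and is not paramiko's code: it parses an SSH_MSG_EXT_INFO payload (RFC 8308) and selects the RSA signature algorithm (RFC 8332) for a client that only knows ssh-rsa and for one that also knows the SHA-2 variants. The sample payload, the client algorithm lists and all function names are constructed for illustration.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number from RFC 8308

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def parse_ext_info(payload):
    """Parse an SSH_MSG_EXT_INFO payload into {extension-name: raw value}."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        exts[name.decode("ascii")] = value
    return exts

def pick_rsa_sig_alg(client_algs, exts):
    """First client-preferred RSA signature algorithm the server lists, else None."""
    raw = exts.get("server-sig-algs")
    if raw is None:
        # No extension sent: RFC 8332 lets the client default to ssh-rsa.
        return "ssh-rsa" if "ssh-rsa" in client_algs else None
    offered = set(raw.decode("ascii").split(","))
    return next((a for a in client_algs if a in offered), None)

def build_ext_info(exts):
    """Encode {name: value} as an SSH_MSG_EXT_INFO payload (used for the sample)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = b"".join(s(k.encode()) + s(v.encode()) for k, v in exts.items())
    return bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(exts)) + body

# Constructed sample: a server that no longer lists ssh-rsa (SHA-1).
SAMPLE = build_ext_info(
    {"server-sig-algs": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256"})
SHA1_ONLY_CLIENT = ["ssh-rsa"]                             # assumed: no RSA SHA-2 support
SHA2_CLIENT = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]  # assumed preference order

if __name__ == "__main__":
    exts = parse_ext_info(SAMPLE)
    for label, algs in (("sha1-only", SHA1_ONLY_CLIENT), ("sha2", SHA2_CLIENT)):
        print(label, "->", pick_rsa_sig_alg(algs, exts))
```

A result of None means the client has no RSA signature algorithm the server will accept, so public-key authentication with an RSA key cannot succeed until the client gains rsa-sha2-256 or rsa-sha2-512.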
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
** Description changed: python3-paramiko can't connect to Jammy hosts, likely because of the stricter signature requirements introduced in openssh 8.8p1-1. Reproducer: - 1. Setup a passwordless keypair and add localhost to known_hosts, so - that: + 1. Setup a passwordless keypair and add localhost to known_hosts: + + $ sudo apt install -y openssh-server openssh-client ipython3 python3-paramiko + $ ssh-keygen -f ~/.ssh/id_rsa_insecure + $ SSH_AUTH_SOCK= ssh-copy-id -i ~/.ssh/id_rsa_insecure localhost + + 2. Verify setup: paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost date 2022-02-23T12:35:39 CET - 2. Try the same with paramiko from python3-paramiko: + 3. Try the same with paramiko from python3-paramiko: $ ipython3 - In [1]: from paramiko import SSHClient - In [2]: client = SSHClient() + In [1]: import paramiko, os + In [2]: client = paramiko.SSHClient() In [3]: client.load_system_host_keys() - In [4]: client.connect('localhost', key_filename='/home/paride/.ssh/id_rsa_insecure') + In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure')) Unknown exception: q must be exactly 160, 224, or 256 bits long [Full Traceback Below] - 3. Try with a newer paramiko: + 4. Try with a newer paramiko: $ python3 -m venv /tmp/newparamiko $ source /tmp/newparamiko/bin/activate $ pip install -q paramiko==2.9.2 $ ipython3 - In [1]: from paramiko import SSHClient - In [2]: client = SSHClient() + In [1]: import paramiko, os + In [2]: client = paramiko.SSHClient() In [3]: client.load_system_host_keys() - In [4]: client.connect('localhost', key_filename='/home/paride/.ssh/id_rsa_insecure') + In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure')) In [5]: # It works! - The Point 2. failure can be reproduced by installing older versions of + The Point 3. failure can be reproduced by installing older versions of paramiko via pip, so the issue is not specific to Ubuntu. 
Likely related upstream changes/issues: * https://github.com/paramiko/paramiko/pull/1643 * https://github.com/paramiko/paramiko/issues/1955 - --- Point 2. Traceback --- + --- Point 3. Traceback --- Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run - handler(self.auth_handler, m) - File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept - sig = self.private_key.sign_ssh_data(blob) - File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in sign_ssh_data - key = dsa.DSAPrivateNumbers( - File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 244, in private_key - return backend.load_dsa_private_numbers(self) - File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 827, in load_dsa_private_numbers - dsa._check_dsa_private_numbers(numbers) - File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 282, in _check_dsa_private_numbers - _check_dsa_parameters(parameters) - File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 274, in _check_dsa_parameters - raise ValueError("q must be exactly 160, 224, or 256 bits long") + File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run + handler(self.auth_handler, m) + File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept + sig = self.private_key.sign_ssh_data(blob) + File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in sign_ssh_data + key = dsa.DSAPrivateNumbers( + File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 244, in private_key + return backend.load_dsa_private_numbers(self) + File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 827, in load_dsa_private_numbers + 
dsa._check_dsa_private_numbers(numbers) + File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 282, in _check_dsa_private_numbers + _check_dsa_parameters(parameters) + File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 274, in _check_dsa_parameters + raise ValueError("q must be exactly 160, 224, or 256 bits long") ValueError: q must be exactly 160, 224, or 256 bits long
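Review bot: In step 1 of the new reproducer, `ssh-keygen -f ~/.ssh/id_rsa_insecure` neither fixes the key type nor sets an empty passphrase, although the step text says "passwordless keypair" and the file is named as an RSA key. Suggest `ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa_insecure` so the reproducer runs non-interactively and always exercises an RSA key, whatever the default key type of the installed ssh-keygen is.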
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
** Tags removed: rls-jj-incoming

** Also affects: paramiko (Ubuntu Jammy)
   Importance: High
       Status: New
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
I added tasks for existing stable releases. I think we need to assess how badly this is going to impact users of stable releases, and evaluate if SRUs are an option. I had a first look and I don't think this is SRU material (too many changes, not limited to src:paramiko), but let's decide deliberately.
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
** Also affects: paramiko (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: paramiko (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: paramiko (Ubuntu Focal)
   Importance: Undecided
       Status: New
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
** Tags added: fr-2082
[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
** Tags added: rls-jj-incoming