Public bug reported:

python3-paramiko can't connect to Jammy hosts, likely because of the
stricter signature requirements introduced in openssh 8.8p1-1.

Reproducer:

1. Setup a passwordless keypair and add localhost to known_hosts, so
that:

paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost date
2022-02-23T12:35:39 CET

2. Try the same with paramiko from python3-paramiko:

$ ipython3

In [1]: from paramiko import SSHClient
In [2]: client = SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', 
key_filename='/home/paride/.ssh/id_rsa_insecure')
Unknown exception: q must be exactly 160, 224, or 256 bits long
[Full Traceback Below]

3. Try with a newer paramiko:

$ python3 -m venv /tmp/newparamiko
$ source /tmp/newparamiko/bin/activate
$ pip install -q paramiko==2.9.2
$ ipython3

In [1]: from paramiko import SSHClient
In [2]: client = SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', 
key_filename='/home/paride/.ssh/id_rsa_insecure')
In [5]: # It works!

The Point 2. failure can be reproduced by installing older versions of
paramiko via pip, so the issue is not specific to Ubuntu. Likely related
upstream changes/issues:

* https://github.com/paramiko/paramiko/pull/1643
* https://github.com/paramiko/paramiko/issues/1955

--- Point 2. Traceback ---

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in 
_parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in 
sign_ssh_data
    key = dsa.DSAPrivateNumbers(
  File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 244, in private_key
    return backend.load_dsa_private_numbers(self)
  File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py",
 line 827, in load_dsa_private_numbers
    dsa._check_dsa_private_numbers(numbers)
  File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 282, in _check_dsa_private_numbers
    _check_dsa_parameters(parameters)
  File 
"/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py",
 line 274, in _check_dsa_parameters
    raise ValueError("q must be exactly 160, 224, or 256 bits long")
ValueError: q must be exactly 160, 224, or 256 bits long

** Affects: paramiko (Ubuntu)
     Importance: High
         Status: New

** Changed in: paramiko (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961979

Title:
  Can't connect to Jammy hosts (openssh >= 8.8p1-1)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/1961979/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to