vandy
July 30, 2019, 5:31am
#1
I currently have the following key exchange algorithms configured in openssh:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
When attempting to run a remote job, the plugin is unable to settle on a KEX algorithm. Unless I’m mistaken, the plugin uses net-ssh provided by tfm-rubygem-net-ssh. This is deployed on CentOS with tfm-rubygem-net-ssh 4.2, which I believe supports ED25519, but is only offering diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521.
Can the KEX/MAC/ciphers be configured?
Hello,
I do see that net-ssh accepts kex as a valid option, see the link below:
# Net::SSH.start("host", "user", password: "password") do |ssh|
#   ssh.forward.remote(80, "www.google.com", 1234)
#   ssh.loop { true }
# end
# (excerpt from net-ssh; the enclosing Net module and closing ends are restored so the fragment parses)
module Net
  module SSH
    # This is the set of options that Net::SSH.start recognizes. See
    # Net::SSH.start for a description of each option.
    VALID_OPTIONS = %i[
      auth_methods bind_address compression compression_level config
      encryption forward_agent hmac host_key remote_user
      keepalive keepalive_interval keepalive_maxcount kex keys key_data
      languages logger paranoid password port proxy
      rekey_blocks_limit rekey_limit rekey_packet_limit timeout verbose
      known_hosts global_known_hosts_file user_known_hosts_file host_key_alias
      host_name user properties passphrase keys_only max_pkt_size
      max_win_size send_env use_agent number_of_password_prompts
      append_all_supported_algorithms non_interactive password_prompt
      agent_socket_factory minimum_dh_bits verify_host_key
      fingerprint_hash check_host_ip
    ]
  end
end
From the plugin side, I don't see us passing the kex option while starting the connection:
  # (excerpt from the plugin's script runner; the first two lines close an earlier method)
  super(data.force_encoding('UTF-8'), type)
end

private

def should_cleanup?
  @session && !@session.closed? && @cleanup_working_dirs
end

def session
  @session ||= begin
    @logger.debug("opening session to #{@ssh_user}@#{@host}")
    Net::SSH.start(@host, @ssh_user, ssh_options)
  end
end

def ssh_options
  ssh_options = {}
  ssh_options[:port] = @ssh_port if @ssh_port
  ssh_options[:keys] = [@client_private_key_file] if @client_private_key_file
  ssh_options[:password] = @ssh_password if @ssh_password
  ssh_options[:passphrase] = @key_passphrase if @key_passphrase
  ssh_options[:keys_only] = true
  # if the host public key is contained in the known_hosts_file,
  # verify it, otherwise, if missing, import it and continue
  ssh_options[:paranoid] = true
  ssh_options[:auth_methods] = available_authentication_methods
  ssh_options[:user_known_hosts_file] = prepare_known_hosts if @host_public_key
  ssh_options[:number_of_password_prompts] = 1
  ssh_options[:verbose] = settings[:ssh_log_level]
  ssh_options[:logger] = ForemanRemoteExecutionCore::LogFilter.new(SmartProxyDynflowCore::Log.instance)
  return ssh_options
end
This seems like a valid feature request, please file one.
_
Amit Upadhye.
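To make the failure concrete, here is an added example (not code from the thread, from net-ssh or from the plugin) that replays the SSH KEX negotiation rule over the two lists quoted above and shows where a :kex entry would slot into the plugin's ssh_options hash. The helper names and the kex_setting parameter are assumptions for illustration.

```ruby
# Added example: why the plugin cannot agree on a KEX algorithm, and
# what an ssh_options hash carrying net-ssh's :kex option would look like.

# Server-side KexAlgorithms list from the original poster's sshd configuration.
SERVER_KEX = %w[
  curve25519-sha256@libssh.org
  diffie-hellman-group18-sha512
  diffie-hellman-group16-sha512
  diffie-hellman-group14-sha256
].freeze

# Client-side list the poster observed net-ssh 4.2 offering.
NET_SSH_42_KEX = %w[
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group1-sha1
  diffie-hellman-group14-sha1
  diffie-hellman-group-exchange-sha256
  ecdh-sha2-nistp256
  ecdh-sha2-nistp384
  ecdh-sha2-nistp521
].freeze

# RFC 4253 section 7.1: the chosen algorithm is the first entry of the
# client's list that the server also lists; nil means the handshake fails.
def negotiate_kex(client_list, server_list)
  client_list.find { |alg| server_list.include?(alg) }
end

# Shaped like the plugin's ssh_options builder, plus the missing :kex key
# (one of net-ssh's VALID_OPTIONS). kex_setting is an assumed comma-separated
# setting, e.g. one read from the proxy's settings; nil leaves net-ssh defaults.
def ssh_options_with_kex(port: nil, keys: [], kex_setting: nil)
  opts = { keys_only: true }
  opts[:port] = port if port
  opts[:keys] = keys unless keys.empty?
  opts[:kex] = kex_setting.split(',').map(&:strip) if kex_setting
  opts
end

if __FILE__ == $PROGRAM_NAME
  puts "net-ssh 4.2 offer vs server: #{negotiate_kex(NET_SSH_42_KEX, SERVER_KEX).inspect}"
  opts = ssh_options_with_kex(port: 22, kex_setting: 'diffie-hellman-group14-sha256,diffie-hellman-group16-sha512')
  puts "with :kex configured:        #{negotiate_kex(opts[:kex], SERVER_KEX)}"
  # The plugin would hand opts to Net::SSH.start(host, user, opts). The chosen
  # algorithm must also be one the installed net-ssh version implements.
end
```

The negotiation with net-ssh 4.2's default offer returns nil, which is the failure the original post describes; an explicit :kex list only helps if the installed net-ssh actually implements an algorithm the server accepts.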
Alternatively, you could try configuring the KexAlgorithms in a Host * block in ~foreman-proxy/.ssh/config, which should be read before opening the connection.
Also please note that for ed25519 support you need the ed25519 and bcrypt_pbkdf gems.
vandy
July 31, 2019, 1:30am
#4
Thank y’all, happy that I wasn’t just overlooking something. I’ve raised the following issue:
https://projects.theforeman.org/issues/27477