Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cant connect to legacy host using ssh-rsa /ssh-dss hostkey algorithm #15181

Open
4 of 11 tasks
dberardo-com opened this issue May 13, 2024 · 7 comments
Open
4 of 11 tasks

cant connect to legacy host using ssh-rsa /ssh-dss hostkey algorithm #15181

dberardo-com opened this issue May 13, 2024 · 7 comments
Labels
community type:bug

Comments

@dberardo-com
Copy link

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

adding to ansible_ssh_common_args -oHostKeyAlgorithms=ssh-rsa results in this error:

[ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: error in libcrypto](kex: host key algorithm: (no match))

AWX version

24.3.1

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

add the run var ansible_ssh_common_args -oHostKeyAlgorithms=ssh-rsa

Expected results

smooth connection

Actual results

it does not get a key match

Additional information

No response
@TheRealHaoLiu
Copy link
Member

does this work with any of our previous awx-ee images? can you help pin point when this stop working.

@dberardo-com
Copy link
Author

dberardo-com commented May 16, 2024
edited
Loading

i didnt play around the versions , but i am sure it works with an older one. check this out : https://www.reddit.com/r/ansible/comments/1443kd8/comment/l3vkq11/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

u/Technical-Tax1578 avatar
Technical-Tax1578

3d ago
seems an openssl issue, perhaps too high of a version. try to use another execution environment, 21.11.0 worked for me, perhaps you can try higher ones and let me know which is the last one to work. https://quay.io/repository/ansible/awx-ee?tab=tags&tag=latest

@rchaud
Copy link
Contributor

rchaud commented Jun 4, 2024
edited
Loading

@TheRealHaoLiu @dberardo-com I found this same issue with older Keys. We had the following in our Inventory and it was still failing to connect.
ansible_ssh_common_args: '-o PubkeyAcceptedKeyTypes=+ssh-dss'

After further investigation, this was caused by the crypto policies in the EE image. This used to work with older AWX versions that ran in CentOS 7 and 8, but turns out the EE images are using CentOS Stream 9 which has SHA1 disabled. I added this to our custom EE images to run update-crypto-policies and it fixed the issue.

  append_final:
    - COPY --from=quay.io/ansible/receptor:devel /usr/bin/receptor /usr/bin/receptor
    - RUN mkdir -p /var/run/receptor
    - RUN update-crypto-policies --set DEFAULT:SHA1
    - RUN git lfs install --system

For more details refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#proc_re-enabling-sha-1_using-the-system-wide-cryptographic-policies

This error indicates the issue is with the crypto policies, specially the error in libcrypto
sign_and_send_pubkey: signing failed for DSA "pem.key": error in libcrypto

I created this PR ansible/awx-ee#248

@rchaud rchaud mentioned this issue Jun 4, 2024
Open
@dberardo-com
Copy link
Author

great catch !

ist this setting any sort of defaults ? update-crypto-policies --set DEFAULT:SHA1

is it possible to avoid setting sha1 as the default ? or no need to bother ?

@rchaud
Copy link
Contributor

rchaud commented Jun 5, 2024
edited
Loading

@dberardo-com DEFAULT is the default setting. DEFAULT:SHA1 is just appending SHA1 to the default. Do not need to worry. Redhat docs recommends it, there is another setting called LEGACY which will also enable SHA1 but that is the one is not recommended by Redhat.

This is how it looks

[root@a2a14a2e54a5 runner]# update-crypto-policies --show
DEFAULT
[root@a2a14a2e54a5 runner]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@a2a14a2e54a5 runner]# update-crypto-policies --show
DEFAULT:SHA1

@cafe24-kipark
Copy link

@rchaud hi

Do you know when this PR is expected to be merged? The changes included are really important for me.

ansible/awx-ee#248

@bkkoli
Copy link

bkkoli commented Jan 9, 2025
edited
Loading

@rchaud

I failed continously with rsa key created by command "ssh-keygen".
After I saw your solution, I create new key with new encryption Algorithms "ed25519". But My task is still failed.
How Can I solve this problem?
I know you're busy, but any advice would be appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
community type:bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rchaud @bkkoli @TheRealHaoLiu @dberardo-com @cafe24-kipark