Use different signature algorithm for SSH host key #69
Comments
I did some research and switching to something else (e.g. Ed25519) is more difficult than anticipated, as Go doesn't support the relevant key format (golang/go#37132). See also this issue: golang/go#37278 for RFC8332 support. Related issue: hashicorp/packer#8609 |
I was too fast, this works and is supported by OpenSSH since release 5.7:
diff --git a/provisioner/ansible/provisioner.go b/provisioner/ansible/provisioner.go
index 076f25e..21876aa 100644
--- a/provisioner/ansible/provisioner.go
+++ b/provisioner/ansible/provisioner.go
@@ -7,8 +7,9 @@ import (
"bufio"
"bytes"
"context"
+ "crypto/ecdsa"
+ "crypto/elliptic"
"crypto/rand"
- "crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
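Review bot: dropping the `crypto/rsa` import is only safe if no other reference to the `rsa` package survives in provisioner.go; the two `GenerateKey` hunks below replace the only calls shown here, but any remaining `*rsa.PrivateKey` type assertion or PKCS#1 parse elsewhere in the file will stop compiling, so build and run the ansible provisioner tests before merging. The new `crypto/ecdsa` and `crypto/elliptic` imports are correctly placed in the sorted stdlib group.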
@@ -934,7 +935,7 @@ func newUserKey(pubKeyFile string) (*userKey, error) {
return userKey, nil
}
- key, err := rsa.GenerateKey(rand.Reader, 2048)
+ key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, errors.New("Failed to generate key pair")
}
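Review bot: the `err` from `ecdsa.GenerateKey` is still discarded at `return nil, errors.New("Failed to generate key pair")`; wrap it instead (`fmt.Errorf("failed to generate key pair: %w", err)`) so an entropy or curve problem is diagnosable from the Packer log. The switch to P-256 itself is sound: the key is offered as ecdsa-sha2-nistp256, which OpenSSH has accepted since 5.7 as the comment says, so this client key no longer depends on the ssh-rsa (RSA/SHA-1) signature scheme that OpenSSH 8.8 disabled by default.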
@@ -945,9 +946,12 @@ func newUserKey(pubKeyFile string) (*userKey, error) {
// To support Ansible calling back to us we need to write
// this file down
- privateKeyDer := x509.MarshalPKCS1PrivateKey(key)
+ privateKeyDer, err := x509.MarshalPKCS8PrivateKey(key)
+ if err != nil {
+ return nil, errors.New("Failed to marshal private key")
+ }
privateKeyBlock := pem.Block{
- Type: "RSA PRIVATE KEY",
+ Type: "PRIVATE KEY",
Headers: nil,
Bytes: privateKeyDer,
}
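Review bot: the new error branch also drops `err` from `x509.MarshalPKCS8PrivateKey`; return `fmt.Errorf("failed to marshal private key: %w", err)` rather than a bare `errors.New`. The label change to `PRIVATE KEY` is correct for PKCS#8 DER, but it is a format change for anything that reads this file: a consumer still calling `x509.ParsePKCS1PrivateKey` or expecting `RSA PRIVATE KEY` will fail to load the key, so grep for readers of the file. Since the comment states the file is written for Ansible to call back to us, confirm that the write (outside this hunk) uses mode 0600, otherwise ssh refuses the key as too permissive.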
@@ -990,7 +994,7 @@ func newSigner(privKeyFile string) (*signer, error) {
return signer, nil
}
- key, err := rsa.GenerateKey(rand.Reader, 2048)
+ key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, errors.New("Failed to generate server key pair")
} |
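Review bot: `newSigner` now duplicates the exact key-generation lines of `newUserKey`; a small shared helper would keep the curve choice (and any future RSA fallback) in one place. Here too the message `"Failed to generate server key pair"` discards `err`. Because this key backs the plugin's built-in SSH proxy, i.e. the host key the Ansible-side ssh client sees, this is the hunk that turns the `no matching host key type found. Their offer: ssh-rsa` failure into an ecdsa-sha2-nistp256 offer, so it deserves a test against a client running OpenSSH 8.8 or newer.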
Issue is also reported here: #53. I am facing a similar problem with Arch Linux, I am getting around it right now by using docker to run packer, but it's pretty annoying :) |
x/crypto supports RSA SHA-2 (golang/crypto@b4de73f) now. So updating |
I am also affected by this issue. Has there been any movement on this? |
I reached this as I'm facing the same issue with new versions of OS, is there any plan to fix this? |
Not a complete solution but if you do not need a proxy adapter, toggling off use_proxy = false, avoids this issue. |
Another way you can get around this, which I think is rather clean, is re-enabling the weak rsa-sha1 algorithm within your ssh client, e.g. add this to your packer json/hcl:
"ansible_ssh_extra_args": [
"-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"
]
To be fair, this is only for the ansible connection itself, as that will use your local ssh client & configuration |
- Create packer builder in FSN1 and change image to ubuntu-20.04 - Add "use_proxy: false" to provisioner config to work around [1] - Change the size of the BIOS boot partition to 1M (from 10M) [2] - Update bootstrap_version to 2022.03.01 [1] hashicorp/packer-plugin-ansible#69 [2] https://www.gnu.org/software/grub/manual/grub/html_node/BIOS-installation.html
- Create packer builder in FSN1 and change image to ubuntu-20.04 - Add "use_proxy: false" to provisioner config to work around [1] - Reduce the size of the BIOS boot partition to 1M (from 10M) [2] - Update bootstrap_version to 2022.03.01 [1] hashicorp/packer-plugin-ansible#69 [2] https://www.gnu.org/software/grub/manual/grub/html_node/BIOS-installation.html
Hey, interested to know how this workaround is used, do you have any examples? |
same here: could use a working example, fails here with virtualbox-iso
I have this in my "debian-improved.pkr.hcl":
This is Packer 1.8.0 |
I'm using this configuration in the
|
…roxy Currently if packer's ansible communicator plugin will use an ssh proxy to connect to the image vm it will create a defunct ssh key using RSA/SHA-1 which fails on newer hosts such as jammy. See hashicorp/packer-plugin-ansible#69 for more information. Also the ssh proxy will default to false in the future regardless. See https://www.packer.io/plugins/provisioners/ansible/ansible (at the bottom) for more info. Change-Id: I37281c51f5e869353f85e0f489cc806622392d06
So the only option to make it work is by using the workaround??? I am having the same problem. I didn't like this option... |
|
Setting https://www.packer.io/plugins/provisioners/ansible/ansible#use_proxy |
For anyone else running into the error pointed out by @stefangweichinger, the solution for that is in hashicorp/packer#11783 so the total snippet that works becomes:
|
Since OpenSSH version 8.8+ the ssh-rsa key algorithm is disabled by default, which right now causes builds to fail for builders which use OpenSSH version 8.8+. The problematic keys are generated by the Ansible plugin for Packer and the problem is currently being discussed in issue hashicorp/packer-plugin-ansible#69. An alternative would be to consider using the `use_proxy=false` option in the plugin, however we are not sure what the implications of this could be. Given that building a machine should be a rather short process, the workaround seems acceptable and actually allows successfully building images out of the box on more distributions. In the implementation, 'PubkeyAcceptedKeyTypes' is used instead of 'PubkeyAcceptedAlgorithms', as it provides better backward compatibility, since 'PubkeyAcceptedAlgorithms' is only available since OpenSSH version 8.4. See issue kubernetes-sigs#905 for more details. Co-authored-by: Jeremi Piotrowski <[email protected]>
Below commit messages from squashed commits:

images/capi/packer: extract ansible common SSH args to a single place

This is done to remove repetition of '-o IdentitiesOnly=yes' to make sure it is consistent across all platforms and to reduce the amount of churn when adding new default arguments like we plan as part of mitigating the issue with ssh-rsa keys (kubernetes-sigs#905).

images/capi/packer: allow specifying extra scp arguments for Ansible

This allows a workaround for issue kubernetes-sigs#859 when the building host uses OpenSSH version 9.0+, which uses the SFTP protocol for SCP instead of the legacy SCP protocol, which right now causes builds to fail with the error message below when Ansible is trying to copy files over to the remote host.

bash: line 1: /usr/lib/sftp-server: No such file or directory\nscp: Connection closed\r\n"

This commit allows users with a new OpenSSH version to specify ANSIBLE_SCP_EXTRA_ARGS="-O" to fix their builds. I plan to automate this in another commit, as it should be relatively simple and harmless. Refs kubernetes-sigs#859.

images/capi/packer: allow using ssh-rsa keys with OpenSSH 8.8+

Since OpenSSH version 8.8+ the ssh-rsa key algorithm is disabled by default, which right now causes builds to fail for builders which use OpenSSH version 8.8+. The problematic keys are generated by the Ansible plugin for Packer and the problem is currently being discussed in issue hashicorp/packer-plugin-ansible#69. An alternative would be to consider using the `use_proxy=false` option in the plugin, however we are not sure what the implications of this could be. Given that building a machine should be a rather short process, the workaround seems acceptable and actually allows successfully building images out of the box on more distributions. In the implementation, 'PubkeyAcceptedKeyTypes' is used instead of 'PubkeyAcceptedAlgorithms', as it provides better backward compatibility, since 'PubkeyAcceptedAlgorithms' is only available since OpenSSH version 8.4.

See issue kubernetes-sigs#905 for more details. Co-authored-by: Jeremi Piotrowski <[email protected]>

images/capi/Makefile: set ANSIBLE_SCP_EXTRA_ARGS="-O" when needed

Since OpenSSH 9.0+ 'scp' uses the SFTP protocol instead of the legacy SCP protocol, which causes building errors like:

bash: line 1: /usr/lib/sftp-server: No such file or directory\nscp: Connection closed\r\n""

However, the -O option is not available in older OpenSSH versions, so we cannot always set it as an option to use. To provide a better out-of-the-box experience for users with newer versions of OpenSSH, we conditionally ensure -O is used when the OpenSSH version in use requires it. See kubernetes-sigs#859 and hashicorp/packer-plugin-ansible#100 for more details. Signed-off-by: Mateusz Gozdek <[email protected]> Co-authored-by: Jeremi Piotrowski <[email protected]>
Inspired by hashicorp/packer-plugin-ansible#69 (comment), except our version of packer doesn't seem to yet support the `ansible_ssh_extra_args` parameter (at least, it fails when I use it). The first two args are for rsa hostkeys, and the "identities only" is what the default value is. We should probably upgrade packer and use the ssh_extra_args instead. Someday. https://developer.hashicorp.com/packer/plugins/provisioners/ansible/ansible#ansible_ssh_extra_args
* Remove tensorflow 2.4 recipes * Publish using image cimg/python:3.8 to avoid deprecation in Ansible * Add ssh-rsa hostkey workaround Inspired by hashicorp/packer-plugin-ansible#69 (comment), except our version of packer doesn't seem to yet support the `ansible_ssh_extra_args` parameter (at least, it fails when I use it). The first two args are for rsa hostkeys, and the "identities only" is what the default value is. We should probably upgrade packer and use the ssh_extra_args instead. Someday. https://developer.hashicorp.com/packer/plugins/provisioners/ansible/ansible#ansible_ssh_extra_args * Move ssh args for Ansible to ansible.cfg Remove extra ssh args from packer config and insert into Ansible config, since it appears that the packer config fails to pick up the host key support on the environments image. Essentially reverts 14cc08e Co-authored-by: Danny Sauer <[email protected]>
after adding the above snippet I am getting the following error. Any help on this?
|
The problem with this solution (+ssh-rsa) is that it ignores the fact that some people actually use the much more secure ed25519 (which should already be standard by now). And that doesn't work in my case in Ubuntu 22.04, but it has been working on Ubuntu 20.04 for some reason. So that's great. Disabling proxy does work though. |
Any plans to fix (with a real fix, and not using rsa) this issue? For ansible control environments on systems using a modern crypto policy (no sha1), just adding +rsa to the ansible config will not work. |
Hey there, I've started taking a look at this config, I was reluctant replacing RSA for this code, but from what I understand the keys generated are temporary for the proxy/adapter that we automatically start when provisioning with Ansible (unless I'm still a bit confused as to why we always end-up accepting To help developments on this, can I ask someone to provide a template that I can test the changes upon? Ideally something local like Qemu so I don't need extra infrastructure to test while developing this. Thanks in advance, let's get this fixed ASAP! |
Update: PR is open, I didn't go for I'll probably iterate on the PR before we can merge it, as much as ECDSA should be well-supported, I would like to introduce an option to fallback on RSA-SHA1 for users that desire to do so (if they run Packer/Ansible on an old distribution with OpenSSH that doesn't support ECDSA at all). I'll amend this PR, but in the meantime, I encourage you all to test out this change by locally compiling the plugin and testing it on your configurations. Hope that fixes this problem! Sorry for letting that linger for this long. |
for some reason (none that I could find; one minute it works and then I get this same error) ansible sometimes wraps ansible_ssh_extra_args with '', so the ssh command fails. But if you use "extra_arguments": [ "--ssh-extra-args", "-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa" ]. With ansible_ssh_extra_args the parameters appear like this: ssh ... '-o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa' and without: ssh ... -o IdentitiesOnly=yes -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa |
Setup a workaround[1] for this ansible error: ``` ==> amazon-ebs: failed to handshake amazon-ebs: fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Unable to negotiate with 127.0.0.1 port 44539: no matching host key type found. Their offer: ssh-rsa", "unreachable": true} ``` [1] hashicorp/packer-plugin-ansible#69
* Update to build on top of a ubuntu 22.04 (jammy jellyfish) image * Update packer amazon-ebs builder to get AWS env vars for credentials * Update to fix ansible SSH handshake issue hashicorp/packer-plugin-ansible#69 * Update to run installation of packages from CRAN repo in parallel * Update rstudio with the latest version for ubuntu 22.04
Addendum for documentation purposes:
|
RSA/SHA-1 was deprecated since the OpenSSH release 8.8. This causes builds with the latest version of packer to fail with the below error: Error: Data could not be sent to remote host "127.0.0.1". Make sure this host can be reached over ssh: command-line: line 0: Bad configuration option: pubkeyacceptedalgorithms. Add a workaround and pass the required HostKeyAlgorithms through ssh extra arguments. Testing with cloud builds and since we are using multiple flavors the only options required are "IdentitiesOnly=yes" and "HostKeyAlgorithms=+ssh-rsa". Issue: RELENG-4764 Ref: hashicorp/packer-plugin-ansible#69 Change-Id: I80ff152d5153d739d6586c217fbc392e8be80f2a Signed-off-by: Anil Belur <[email protected]>
The latest version of the ansible plugin fixes this. Add
to your config file and run |
This should no longer be needed with the latest version of packer ansible plugin: hashicorp/packer-plugin-ansible#69 (comment) Signed-off-by: Mateusz Gozdek <[email protected]>
In commit 76671ca we added a workaround for packer-plugin-ansible not supporting keys other than ssh-rsa, which broke building images for clients using newer versions of OpenSSH. This should no longer be needed with the latest version of packer ansible plugin: hashicorp/packer-plugin-ansible#69 (comment) Signed-off-by: Mateusz Gozdek <[email protected]>
Facing the same issue "msg": "Failed to connect to the host via ssh: command-line line 0: keyword hostkeyalgorithms extra arguments at end of line" - any solution? |
Hi @msandu62, Regarding the SSH problem, as mentioned above, this problem has been fixed with version 1.1.0 of the plugin, please consider updating to this version or above if you are experiencing the RSA-key issue. If you do need to specify extra SSH arguments even on the latest version of the plugin, the "extra arguments at end of line" is described by issue #158, a PR is in the pipeline for this, which I'll review today. |
Not really sure how to proceed... I have an RHEL 8 JSON template I've previously successfully used against 8.3, 8.5 and 8.8, now trying to build against 8.9, I am running head first into this very issue. My template is JSON and while my 9 template is HCL, I'd really rather not have to spend the time converting the old 8 JSON template to HCL and tidying it all up just so that I could use "packer init" to enforce requiring a newer Ansible plugin version. I tried the 'use_proxy = false' workaround suggested here, but somehow, in that mode, packer seemingly isn't even trying to use password authentication and fails all authentication methods. |
Hi @dnv, Without updating to HCL2 for $ packer plugins install "github.com/hashicorp/ansible" "v1.1.0" Assuming it's not already installed, this will get v1.1.0 of the plugin, and unless some other version takes precedence over it, Packer will start using it for all your builds that use Ansible. If you want to make sure you're using it, I encourage you to run packer with the |
@lbajolet-hashicorp thank you so much! This almost got me there, after manually updating the Ansible plugin, I faced another error complaining about a missing /usr/lib/sftp-server, but this was in turn solved by adding the following to ansible provisioner configuration: "extra_arguments": [ "--scp-extra-args", "'-O'" ] |
Currently this plugin generates RSA keys (packer-plugin-ansible/provisioner/ansible/provisioner.go, line 993 in 97b6b77).
However, RSA/SHA-1 was deprecated in the latest OpenSSH release (changelog) and my builds fail with the following error:
Please, consider changing the algorithm to something newer.