  1. Red Hat Fuse
  2. ENTESB-4427

ssh issues with ssh-dss on Fedora 23 and newer


Details

    • Bug
    • Resolution: Won't Do
    • Major
    • jboss-fuse-6.3
    • jboss-fuse-6.2
    • Karaf
    • None

    Description

      It seems that Fedora 23 has deprecated ssh-dss security in its default configuration for the ssh client.

      That encoding is the one used by default by Karaf.

      This is the error a user sees when he tries to connect:

      ssh -l admin -p 8101 localhost
      Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer: ssh-dss
      

      And this is the exception logged:

      15:32:08,119 | INFO  | 5]-nio2-thread-1 | ServerSession                    | 124 - org.apache.sshd.core - 0.14.0 | Server session created from /127.0.0.1:58832
      15:32:08,123 | INFO  | 5]-nio2-thread-1 | SimpleGeneratorHostKeyProvider   | 124 - org.apache.sshd.core - 0.14.0 | Generating host key...
      15:32:08,703 | WARN  | 5]-nio2-thread-1 | ServerSession                    | 124 - org.apache.sshd.core - 0.14.0 | Exception caught
      java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 / server: ssh-dss)
      	at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1159)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:388)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
      	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)
      	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)
      	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
      	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_76]
      	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[124:org.apache.sshd.core:0.14.0]
      	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.7.0_76]
      	at sun.nio.ch.Invoker.invokeDirect(Invoker.java:157)[:1.7.0_76]
      	at sun.nio.ch.UnixAsynchronousSocketChannelImpl.implRead(UnixAsynchronousSocketChannelImpl.java:553)[:1.7.0_76]
      	at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:275)[:1.7.0_76]
      	at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:296)[:1.7.0_76]
      	at java.nio.channels.AsynchronousSocketChannel.read(AsynchronousSocketChannel.java:407)[:1.7.0_76]
      	at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:170)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:135)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:120)[124:org.apache.sshd.core:0.14.0]
      	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
      	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_76]
      	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[124:org.apache.sshd.core:0.14.0]
      	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.7.0_76]
      	at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.7.0_76]
      	at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.7.0_76]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)[:1.7.0_76]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)[:1.7.0_76]
      	at java.lang.Thread.run(Thread.java:745)[:1.7.0_76]
      
      

      An immediate workaround is to alter the configuration of ssh client to accept that security configuration:

      ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -oHostKeyAlgorithms=+ssh-dss  -l admin -p 8101 localhost
      

      As a longer-term solution we should start considering moving away from ssh-dss since, according to http://www.openssh.com/legacy.html, it's considered insecure, thus deprecated:

      > OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
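
The negotiation failure logged above can be found in bulk by parsing the sshd-core message and checking whether the server's only host key offers are ones OpenSSH disables by default. This is an added example, not part of the original report or of Karaf; the function names and the shortened sample log lines are constructed for illustration.

```python
import re

# Host key algorithms treated as weak here. The report quotes the OpenSSH
# legacy note for ssh-dss (disabled in OpenSSH 7.0 and greater).
WEAK_HOST_KEY_ALGS = {"ssh-dss"}

# Matches the sshd-core exception message format shown in the report's log.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate key exchange for (?P<what>[^(]+?) "
    r"\(client: (?P<client>[^/]*?) / server: (?P<server>[^)]*)\)"
)


def _split(csv):
    """Split a comma-separated algorithm list, dropping empty entries."""
    return [alg.strip() for alg in csv.split(",") if alg.strip()]


def analyze(line):
    """Return details of a negotiation failure, or None if the line is unrelated."""
    match = NEGOTIATE_RE.search(line)
    if match is None:
        return None
    client = _split(match.group("client"))
    server = _split(match.group("server"))
    weak = [alg for alg in server if alg in WEAK_HOST_KEY_ALGS]
    return {
        "category": match.group("what"),
        "client": client,
        "server": server,
        # Algorithms both sides offered; empty when negotiation failed.
        "common": [alg for alg in client if alg in server],
        "server_weak_offers": weak,
        # True when every algorithm the server offers is in the weak set.
        "server_only_weak": bool(server) and len(weak) == len(server),
    }


def scan(lines):
    """Analyze every line and keep only the negotiation failures."""
    return [found for found in map(analyze, lines) if found is not None]


# Constructed sample: the report's log format with a shortened client list.
SAMPLE_LOG = [
    "15:32:08,119 | INFO  | ServerSession | Server session created from /127.0.0.1:58832",
    "java.lang.IllegalStateException: Unable to negotiate key exchange for server host key "
    "algorithms (client: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 / server: ssh-dss)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
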

            People

              pantinor@redhat.com Paolo Antinori