Details
- Bug
- Resolution: Won't Do
- Major
- jboss-fuse-6.2
- None
Description
It seems that Fedora 23 has deprecated ssh-dss in the default configuration of its ssh client.
That host key algorithm is the one Karaf uses by default.
This is the error a user sees when trying to connect:
```
ssh -l admin -p 8101 localhost
Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer: ssh-dss
```
And this is the exception logged:
```
15:32:08,119 | INFO | 5]-nio2-thread-1 | ServerSession | 124 - org.apache.sshd.core - 0.14.0 | Server session created from /127.0.0.1:58832
15:32:08,123 | INFO | 5]-nio2-thread-1 | SimpleGeneratorHostKeyProvider | 124 - org.apache.sshd.core - 0.14.0 | Generating host key...
15:32:08,703 | WARN | 5]-nio2-thread-1 | ServerSession | 124 - org.apache.sshd.core - 0.14.0 | Exception caught
java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 / server: ssh-dss)
	at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1159)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:388)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_76]
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[124:org.apache.sshd.core:0.14.0]
	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.7.0_76]
	at sun.nio.ch.Invoker.invokeDirect(Invoker.java:157)[:1.7.0_76]
	at sun.nio.ch.UnixAsynchronousSocketChannelImpl.implRead(UnixAsynchronousSocketChannelImpl.java:553)[:1.7.0_76]
	at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:275)[:1.7.0_76]
	at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:296)[:1.7.0_76]
	at java.nio.channels.AsynchronousSocketChannel.read(AsynchronousSocketChannel.java:407)[:1.7.0_76]
	at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:170)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:135)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:120)[124:org.apache.sshd.core:0.14.0]
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
	at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_76]
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[124:org.apache.sshd.core:0.14.0]
	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.7.0_76]
	at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.7.0_76]
	at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.7.0_76]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)[:1.7.0_76]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)[:1.7.0_76]
	at java.lang.Thread.run(Thread.java:745)[:1.7.0_76]
```
An immediate workaround is to configure the ssh client to accept that host key algorithm:
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -oHostKeyAlgorithms=+ssh-dss -l admin -p 8101 localhost
```
As a longer-term solution we should start considering moving away from ssh-dss, since according to http://www.openssh.com/legacy.html it is considered insecure and thus deprecated:
> OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
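
The negotiation failure logged above can be picked out of a Karaf log and explained automatically. The following is an added example, not code from this issue or from Apache SSHD: the names `negotiate` and `diagnose` are hypothetical, the sample line is constructed (the WARN entry from this page with the client list abridged), and the selection rule is a simplified form of the RFC 4253 host key algorithm choice.

```python
import re

# Assumption: per the OpenSSH legacy page quoted above, ssh-dss is the
# host key algorithm that OpenSSH 7.0+ clients no longer offer by default.
DISABLED_BY_DEFAULT = {"ssh-dss"}

# Matches the sshd-core exception message shown in the log on this page.
NEGOTIATION_FAILURE = re.compile(
    r"Unable to negotiate key exchange for server host key algorithms "
    r"\(client: (?P<client>[^\s)]+) / server: (?P<server>[^\s)]+)\)"
)

# Constructed sample: the WARN line from this page, client list abridged.
SAMPLE_LOG = (
    "15:32:08,703 | WARN | 5]-nio2-thread-1 | ServerSession | 124 - "
    "org.apache.sshd.core - 0.14.0 | Exception caught "
    "java.lang.IllegalStateException: Unable to negotiate key exchange for "
    "server host key algorithms (client: ssh-rsa,ecdsa-sha2-nistp256,"
    "ssh-ed25519 / server: ssh-dss)"
)


def negotiate(client_algs, server_algs):
    """Simplified RFC 4253 selection: the first name on the client's list
    that the server also offers, or None when the lists do not intersect."""
    offered = set(server_algs)
    return next((alg for alg in client_algs if alg in offered), None)


def diagnose(log_text):
    """Return one finding per host key negotiation failure in log_text."""
    findings = []
    for match in NEGOTIATION_FAILURE.finditer(log_text):
        client = match.group("client").split(",")
        server = match.group("server").split(",")
        findings.append({
            "server_offers": server,
            "agreed": negotiate(client, server),
            # True when the server has no key type a default client accepts.
            "server_only_legacy": set(server) <= DISABLED_BY_DEFAULT,
            # HostKeyAlgorithms=+ssh-dss appends ssh-dss to the client list.
            "agreed_with_workaround": negotiate(client + ["ssh-dss"], server),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A finding with `server_only_legacy` set means the server side needs a non-DSA host key; the client-side workaround only restores agreement on ssh-dss.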
Issue Links
- duplicates
  - ENTESB-4762 default settings of ssh client in Fedora 23 doesn't work with Fuse (Closed)
- relates to
  - ENTESB-4458 bin\client.bat doesn't work on windows (Closed)
  - ENTESB-5642 Move Away From ssh-dss (DSA) Public Key Cipher (Closed)