[Bug 1961979] Re: Can't connect to Jammy hosts (openssh >= 8.8p1-1)
Benjamin Drung
1961979@bugs.launchpad.net
Tue Apr 12 11:12:22 UTC 2022
I checked the upstream changes between 2.8.1 (jammy version) and 2.9.3:
https://github.com/paramiko/paramiko/compare/2.8.1...2.9.3
There are only a few commits:
* Weird typos introduced 2 years ago, bah (only change to test cases)
* Longterm TODOs (adds only comments)
* Enhance kex DEBUG logging to be more readable
* Add support for RSA SHA2 host and public keys (we want this one)
* Add agent RSA-SHA2 support, also tweak changelog w/ more tickets (we want this one too)
* Changelog format tweak (only doc update)
* Cut 2.9.0
* Changelog and test re #1955 (we want this one)
* Fix #1955 (we want this one)
* Cut 2.9.1
* Add more visible backwards compat warning re 2.9 RSA2 changes (only doc update)
* Fix up logging and exception handling re: pubkey auth and presence/lack of server-sig-algs (we want this one)
* Cut 2.9.2
* Clarify disabled algorithms keys vs pubkeys in changelog (only doc update)
* Fix publickey authentication with signed RSA key (we want this one)
* Changelog closes #1963, closes #1977 (only doc update)
* util: store thread assigned id in thread-local storage, fixes #2002 (we want this one)
* Changelog re #2002, re #2003, closes #2002 (only doc update)
* Cut 2.9.3
Result: The difference between 2.8 and 2.9 is basically the RSA2 support
that we want/need. Only the commit "Enhance kex DEBUG logging to be more
readable" is not needed. So I say let's update the paramiko package to
2.9.3 instead of "backporting" the change.
For the SRUs we might only backport the client-side support, which is a
smaller patch.
--
https://bugs.launchpad.net/bugs/1961979
Title:
Can't connect to Jammy hosts (openssh >= 8.8p1-1)
Status in paramiko package in Ubuntu:
New
Status in paramiko source package in Bionic:
New
Status in paramiko source package in Focal:
New
Status in paramiko source package in Impish:
New
Status in paramiko source package in Jammy:
New
Bug description:
python3-paramiko can't connect to Jammy hosts, likely because of the
stricter signature requirements introduced in openssh 8.8p1-1.
Reproducer:
1. Setup a passwordless keypair and add localhost to known_hosts:
$ sudo apt install -y openssh-server openssh-client ipython3 python3-paramiko
$ ssh-keygen -f ~/.ssh/id_rsa_insecure
$ SSH_AUTH_SOCK= ssh-copy-id -i ~/.ssh/id_rsa_insecure localhost
2. Verify setup:
paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost date
2022-02-23T12:35:39 CET
3. Try the same with paramiko from python3-paramiko:
$ ipython3
In [1]: import paramiko, os
In [2]: client = paramiko.SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
Unknown exception: q must be exactly 160, 224, or 256 bits long
[Full Traceback Below]
4. Try with a newer paramiko:
$ python3 -m venv /tmp/newparamiko
$ source /tmp/newparamiko/bin/activate
$ pip install -q paramiko==2.9.2
$ ipython3
In [1]: import paramiko, os
In [2]: client = paramiko.SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
In [5]: # It works!
The point 3 failure can be reproduced by installing older versions of
paramiko via pip, so the issue is not specific to Ubuntu. Likely
related upstream changes/issues:
* https://github.com/paramiko/paramiko/pull/1643
* https://github.com/paramiko/paramiko/issues/1955
--- Point 3. Traceback ---
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in sign_ssh_data
    key = dsa.DSAPrivateNumbers(
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 244, in private_key
    return backend.load_dsa_private_numbers(self)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 827, in load_dsa_private_numbers
    dsa._check_dsa_private_numbers(numbers)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 282, in _check_dsa_private_numbers
    _check_dsa_parameters(parameters)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 274, in _check_dsa_parameters
    raise ValueError("q must be exactly 160, 224, or 256 bits long")
ValueError: q must be exactly 160, 224, or 256 bits long
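The bug report attributes the failure to the stricter signature requirements of OpenSSH 8.8, which by default no longer accepts the SHA-1 "ssh-rsa" signature algorithm for RSA keys; the paramiko 2.9 commits listed above add the rsa-sha2-256/rsa-sha2-512 algorithms (RFC 8332), which a client selects from the "server-sig-algs" extension the server sends in SSH_MSG_EXT_INFO (RFC 8308). The following stand-alone Python is an added example, not code from paramiko or from this bug report: it builds and parses an EXT_INFO payload and picks the signature algorithm for an RSA user key, then shows why a client that only knows "ssh-rsa" has nothing in common with a server that omits it. The preference order, the function names, and the two sample advertisements are this example's own assumptions, not paramiko's selection logic and not a capture from a real OpenSSH server.

```python
"""Negotiate the RSA signature algorithm from the server's EXT_INFO (added example)."""
import struct
from typing import Dict, Optional, Tuple

SSH_MSG_EXT_INFO = 7  # message type, RFC 8308 section 2.3

# Client preference for signing with an RSA user key, strongest first.
# Policy chosen for this example; it is not paramiko's selection logic.
RSA_SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one RFC 4251 'string' at offset; reject truncated input."""
    if offset + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated string body")
    return buf[offset:offset + length], offset + length


def build_ext_info(extensions: Dict[str, str]) -> bytes:
    """Build an SSH_MSG_EXT_INFO payload: byte type, uint32 count, then name/value pairs."""
    payload = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        payload += ssh_string(name.encode("ascii")) + ssh_string(value.encode("ascii"))
    return payload


def parse_ext_info(payload: bytes) -> Dict[str, str]:
    """Parse an SSH_MSG_EXT_INFO payload into {extension-name: value}."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not a complete SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    offset = 5
    extensions: Dict[str, str] = {}
    for _ in range(count):
        name, offset = _read_string(payload, offset)
        value, offset = _read_string(payload, offset)
        extensions[name.decode("ascii")] = value.decode("ascii")
    if offset != len(payload):
        raise ValueError("trailing bytes after extensions")
    return extensions


def choose_rsa_sig_algorithm(server_sig_algs: Optional[str],
                             client_prefs: Tuple[str, ...] = RSA_SIG_PREFERENCE) -> str:
    """Pick the signature algorithm for an RSA user key.

    server_sig_algs is the comma-separated name-list from the server's
    'server-sig-algs' extension, or None when the server sent no EXT_INFO.
    """
    if server_sig_algs is None:
        # No extension gives no signal that rsa-sha2-* is accepted; this example
        # falls back to the legacy SHA-1 name (an assumption, see lead-in).
        return "ssh-rsa"
    advertised = {alg for alg in server_sig_algs.split(",") if alg}
    for alg in client_prefs:
        if alg in advertised:
            return alg
    raise ValueError("no RSA signature algorithm in common with: %s" % server_sig_algs)


def negotiate_rsa_sig(ext_info_payload: Optional[bytes],
                      client_prefs: Tuple[str, ...] = RSA_SIG_PREFERENCE) -> str:
    """End to end: parse the server's EXT_INFO (if any) and pick the RSA algorithm."""
    if ext_info_payload is None:
        return choose_rsa_sig_algorithm(None, client_prefs)
    extensions = parse_ext_info(ext_info_payload)
    return choose_rsa_sig_algorithm(extensions.get("server-sig-algs"), client_prefs)


# Constructed sample advertisements (not captured from a real server).
# "Modern": SHA-2 RSA only, no 'ssh-rsa', in the spirit of an OpenSSH 8.8 default.
MODERN_EXT_INFO = build_ext_info(
    {"server-sig-algs": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256"}
)
# "Legacy": only SHA-1 names.
LEGACY_EXT_INFO = build_ext_info({"server-sig-algs": "ssh-rsa,ssh-dss"})


def demo() -> Dict[str, str]:
    """Which algorithm each client/server pairing ends up signing with."""
    old_client = ("ssh-rsa",)  # a client without RSA-SHA2 support
    results = {
        "new-client/modern-server": negotiate_rsa_sig(MODERN_EXT_INFO),
        "new-client/legacy-server": negotiate_rsa_sig(LEGACY_EXT_INFO),
        "new-client/no-ext-info": negotiate_rsa_sig(None),
    }
    try:
        results["old-client/modern-server"] = negotiate_rsa_sig(MODERN_EXT_INFO, old_client)
    except ValueError:
        results["old-client/modern-server"] = "none"  # the failure mode in this bug
    return results


if __name__ == "__main__":
    for pairing, alg in demo().items():
        print(f"{pairing}: sign with {alg}")
```

The parser rejects truncated strings and trailing bytes rather than reading past the buffer, which is the check a practitioner wants on any length-prefixed field arriving from the peer; the "old-client/modern-server" entry is the pairing this bug report is about, where the only algorithm the client can offer is absent from the server's list.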