RSA key no longer accepted by OpenSSH 8.8+ #480

Open
kebugcheckex opened this issue Sep 4, 2022 · 1 comment

@kebugcheckex

Brief Description

Starting from OpenSSH 8.8, it no longer accepts RSA keys by default, causing kitchen creation failure. Manually SSHing into the VM using the same key works, but for some reason Test Kitchen fails to do so.

Version

  • Test Kitchen version 3.2.2
  • Vagrant 2.3.0
  • VirtualBox 6.1.38 r153438
  • Image bento/ubuntu-22.04
  • OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

Environment

N/A

Scenario

Normal test kitchen run.

Steps to Reproduce

  1. Specify ubuntu-22.04 in kitchen.yml:
platforms:
  - name: ubuntu-22.04
  2. Run kitchen create or kitchen converge
  3. Observe the output
$ kitchen create
-----> Starting Test Kitchen (v3.2.2)
-----> Creating <default-ubuntu-2204>...
       Bringing machine 'default' up with 'virtualbox' provider...
       ==> default: Checking if box 'bento/ubuntu-22.04' version '202206.13.0' is up to date...
       ==> default: Machine not provisioned because `--no-provision` is specified.
       Waiting for SSH service on 127.0.0.1:2222, retrying in 3 seconds
       Waiting for SSH service on 127.0.0.1:2222, retrying in 3 seconds
       Waiting for SSH service on 127.0.0.1:2222, retrying in 3 seconds
       ...

Expected Result

Kitchen creation succeeds.

Actual Result

Kitchen creation is stuck at "Waiting for SSH service on 127.0.0.1:2222, retrying in 3 seconds"

Additional context

Verbose logging shows authentication failure

D      [SSH] opening connection to [email protected]<{:user_known_hosts_file=>"/dev/null", :port=>"2222", :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :keepalive_maxcount=>3, :timeout=>15, :keys_only=>true, :keys=>["/data/source/dotdotdot/cookbooks/server/.kitchen/kitchen-vagrant/default-ubuntu-2204/.vagrant/machines/default/virtualbox/private_key"], :auth_methods=>["publickey"], :verify_host_key=>:never}>
D      [SSH] connection failed (#<Net::SSH::AuthenticationFailed: Authentication failed for user [email protected]>)
       Waiting for SSH service on 127.0.0.1:2222, retrying in 3 seconds

Manually SSH into the VM works

$ ssh -i .kitchen/kitchen-vagrant/default-ubuntu-2204/.vagrant/machines/default/virtualbox/private_key -p 2222 [email protected]

Auth log shows RSA key not accepted.

Sep  4 23:03:04 vagrant sshd[1441]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Sep  4 23:03:04 vagrant sshd[1441]: Connection closed by authenticating user vagrant 10.0.2.2 port 43514 [preauth]

After adding the following lines to sshd_config, the issue is resolved

HostKeyAlgorithms=ssh-rsa,[email protected]
PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]
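
The sshd message quoted in the issue is a reliable signature for finding which clients are being refused because of their public-key algorithm. The Ruby below is an added example, not code from the issue or from Test Kitchen; the function names are hypothetical and the third sample log line is constructed.

```ruby
# Added example: triage sshd auth-log lines for public keys rejected because
# their algorithm is not in PubkeyAcceptedAlgorithms.

# First two lines are the ones quoted in the issue; the third is constructed.
SAMPLE_AUTH_LOG = <<~LOG
  Sep  4 23:03:04 vagrant sshd[1441]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
  Sep  4 23:03:04 vagrant sshd[1441]: Connection closed by authenticating user vagrant 10.0.2.2 port 43514 [preauth]
  Sep  4 23:05:10 vagrant sshd[1502]: Accepted publickey for vagrant from 10.0.2.2 port 43520 ssh2: ED25519 SHA256:CONSTRUCTED
LOG

SSHD_LINE = /sshd\[(?<pid>\d+)\]: (?<msg>.*)$/
REJECTED  = /\Auserauth_pubkey: key type (?<alg>\S+) not in PubkeyAcceptedAlgorithms/
CLOSED    = /\AConnection closed by authenticating user (?<user>\S+) (?<ip>\S+) port (?<port>\d+)/

# Returns one hash per rejected attempt. The rejection line carries no client
# address, so user/ip are taken from the later "Connection closed" line logged
# by the same sshd process (same PID); they stay nil if no such line follows.
def rejected_pubkey_attempts(log_text)
  pending = {} # pid => attempts still waiting for a client address
  results = []
  log_text.each_line do |line|
    m = SSHD_LINE.match(line.chomp) or next
    pid, msg = m[:pid], m[:msg]
    if (r = REJECTED.match(msg))
      attempt = { pid: pid.to_i, algorithm: r[:alg], user: nil, ip: nil }
      (pending[pid] ||= []) << attempt
      results << attempt
    elsif (c = CLOSED.match(msg)) && pending.key?(pid)
      pending.delete(pid).each { |a| a[:user] = c[:user]; a[:ip] = c[:ip] }
    end
  end
  results
end

# Collapses attempts into one row per (algorithm, user, source address).
def summarize(attempts)
  attempts.group_by { |a| [a[:algorithm], a[:user], a[:ip]] }
          .map { |(alg, user, ip), list| { algorithm: alg, user: user, ip: ip, count: list.size } }
end

if __FILE__ == $PROGRAM_NAME
  summarize(rejected_pubkey_attempts(SAMPLE_AUTH_LOG)).each do |row|
    puts format("%-10s user=%s from=%s attempts=%d", row[:algorithm], row[:user], row[:ip], row[:count])
  end
end
```
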

@Stromweld
Contributor

I believe this is related to the same issue RHEL 9 systems are also having with new encryption algorithms and old ones not being supported. The proper fix is to get net-ssh v7.x integrated into the test-kitchen build, which is having an issue with net-scp not allowing anything above 6.x in its dependencies. test-kitchen/test-kitchen#1904
