Bug 1225531
Summary: | [FC22] Engine ssh client doesn't support any key exchange algorithm that is required by default Fedora 22 sshd | ||
---|---|---|---|
Product: | [oVirt] ovirt-engine | Reporter: | jniederm |
Component: | General | Assignee: | Moti Asayag <masayag> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | movciari |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | --- | CC: | bugs, dougsland, gklein, iheim, jniederm, lsurette, oourfali, pstehlik, rbalakri, sbonazzo, s.kieske, yeylon, ykaul |
Target Milestone: | ovirt-3.6.1 | Flags: | sbonazzo: ovirt-3.6.z? ylavi: planning_ack? rule-engine: devel_ack+ pstehlik: testing_ack+ |
Target Release: | 3.6.1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | infra | ||
Fixed In Version: | | Doc Type: | Known Issue |
Doc Text: |
Cause:
Consequence:
Workaround (if any):
On Fedora 22 hosts you need to add the following line to /etc/ssh/sshd_config:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
and then execute
# systemctl restart sshd
before adding the host to the engine.
Result:
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-02-02 12:26:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1186650 |
Description
jniederm
2015-05-27 15:39:36 UTC
yes, whoever made the decision to go with fc20 did not actually test it.

fc22 uses dnf and not yum, setup and host-deploy cannot work.

(In reply to Alon Bar-Lev from comment #1)
> yes, whoever made the decision to go with fc20 did not actually test it.
>
> fc22 uses dnf and not yum, setup and host-deploy cannot work.

fc22 still has yum API and provides yum-deprecated. Setup and host-deploy may still work with that. Does this bug reproduce if yum is installed on the host before trying to add it?

Added to known issues.

Summary: [RFE] support fc22 → [FC22] Engine ssh client doesn't support any key exchange algorithm that is required by default Fedo...

please open tracker bug, as now the dependencies are incorrect.

BTW: I have no issue with default fedora settings without any special directive. Waiting for root cause analysis before jumping to conclusions.

openssh-server-6.9p1-6.fc22.1.x86_64
apache-sshd-0.11.0-3.fc22.noarch

debug2: kex_parse_kexinit: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: kex: client->server aes128-ctr hmac-sha2-256 none [preauth]
debug1: kex: server->client aes128-ctr hmac-sha2-256 none [preauth]
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32 [preauth]

My, only updated, raw Fedora 22 contains package yum-3.4.3-505.fc22.noarch (without explicit installation of yum), so the answer to
> Does this bug reproduce if yum is installed on the host before trying to add it?
is, I believe, yes it does.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Oved, any chance this can be fixed in 3.6.z? See http://lists.ovirt.org/pipermail/users/2015-November/035848.html

See Alon's answer on the thread, asking to check something:

I think that newer than apache-sshd-0.14 altered its behavior, can you please try to downgrade to apache-sshd-0.13 and see if it helps, if it does we will enforce it. Only in apache-sshd-1.1.0 (unreleased) we will be able to migrate properly (I hope).

========================

I don't think we have anything to fix here.

Solving as known issue, added to release note http://www.ovirt.org/OVirt_3.6_Release_Notes#Fedora_22

On hosts you need to add the following line to /etc/ssh/sshd_config:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
and then execute
# systemctl restart sshd
before adding the host to the engine.

This bug is marked for z-stream, yet the milestone is for a major version, therefore the milestone has been reset. Please set the correct milestone or drop the z stream flag.

Fixed bug tickets must have target milestone set prior to fixing them. Please set the correct milestone and move the bugs back to the previous status after this is corrected.

Closing older BZs, if it still happens, please reopen.
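Added example, not part of the bug thread and not oVirt or Apache SSHD code: it applies the SSH key exchange selection rule (RFC 4253, section 7.1) to the `KexAlgorithms` line from the workaround. It shows why a client without a common algorithm fails and which algorithm ends up in use after the change. `CLIENT_KEX` is an assumed client proposal; the function names and sample configs are constructed for illustration.

```python
# Added example: SSH key exchange selection (RFC 4253 section 7.1) applied to
# the sshd_config workaround from this bug. Sample data below is constructed.

# WORKAROUND is the Doc Text line; DEFAULT is the same list without the one
# entry the workaround adds.
DEFAULT = ("KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
           "ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\n")
WORKAROUND = DEFAULT.rstrip("\n") + ",diffie-hellman-group1-sha1\n"

# Assumption: a client proposal limited to SHA-1 Diffie-Hellman methods.
# The bug does not list what the engine's client actually offers.
CLIENT_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]

# Fixed 1024-bit group with SHA-1; absent from the sshd proposal in the
# thread's debug output, so the workaround has to name it explicitly.
WEAK_KEX = {"diffie-hellman-group1-sha1"}

def kex_from_sshd_config(text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        # Keywords are case-insensitive and the first occurrence wins.
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None

def negotiate(client, server):
    """First algorithm in the client's list that the server also offers."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def audit(config_text, client):
    """Report the negotiated algorithm and any weak algorithms enabled."""
    server = kex_from_sshd_config(config_text)
    if server is None:
        return {"configured": False, "chosen": None,
                "chosen_is_weak": False, "weak_enabled": []}
    chosen = negotiate(client, server)
    return {"configured": True, "chosen": chosen,
            "chosen_is_weak": chosen in WEAK_KEX,
            "weak_enabled": [a for a in server if a in WEAK_KEX]}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("workaround", WORKAROUND)):
        print(name, audit(cfg, CLIENT_KEX))
```

With the default-style list the assumed client gets no match, which is the failure in the bug summary; with the workaround line it connects, but over `diffie-hellman-group1-sha1`, and that algorithm stays enabled for every client of the host.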