Bug 1591801

Summary: uutils.ssh.OpenSSHUtils - the key algorithm 'EC' is not supported on Fedora 28
Product: [oVirt] ovirt-engine
Reporter: Sandro Bonazzola <sbonazzo>
Component: uutils
Assignee: Martin Perina <mperina>
Status: CLOSED UPSTREAM
QA Contact: Lukas Svaty <lsvaty>
Severity: urgent
Priority: unspecified
Version: 4.3.0
CC: bugs, gzaidman, lsvaty, pkliczew
Target Milestone: ovirt-4.3.0
Flags: rule-engine: ovirt-4.3+
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.3.0_alpha
Last Closed: 2018-12-06 09:45:19 UTC
Type: Bug
oVirt Team: Infra
Bug Blocks: 1460625

Description Sandro Bonazzola 2018-06-15 15:17:11 UTC
Adding a host with the engine running on Fedora 28 server fails with:

2018-06-15 17:08:23,478+02 ERROR [org.ovirt.engine.core.uutils.ssh.OpenSSHUtils] (default task-2) [b9fdcbba-a577-4923-a718-c45f56aa0830] The key algorithm 'EC' is not supported, will return null.
2018-06-15 17:08:23,485+02 ERROR [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-2) [b9fdcbba-a577-4923-a718-c45f56aa0830] Failed to establish session with host 'host': null

Involved packages:

# rpm -qav |grep ssh|sort

Not sure if related to bug #1441528

Comment 1 Sandro Bonazzola 2018-06-15 15:22:00 UTC
If it may help:

rpm -qf /etc/crypto-policies/back-ends/openssh.config

cat /etc/crypto-policies/back-ends/openssh.config
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
GSSAPIKexAlgorithms gss-gex-sha1-,gss-group14-sha1-
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Comment 2 Sandro Bonazzola 2018-06-15 15:31:29 UTC
Also note that the workaround mentioned in https://www.ovirt.org/release/3.6.1/#fedora-22 is not working:

Fedora 22
On hosts you need to add the following line to /etc/ssh/sshd_config

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

and then execute

  # systemctl restart sshd
before adding the host to the engine.

Comment 3 Piotr Kliczewski 2018-06-28 09:02:22 UTC
This issue could be related to this [1] jdk bug.

[1] https://bugs.openjdk.java.net/browse/JDK-8182580

Comment 4 Martin Perina 2018-07-09 10:22:04 UTC
There is no progress on JDK-8182580 for a year, but the issue seems to be working on JDK9, so we will most probably need to upgrade to JDK9/10 on Fedora to resolve the issue.

Comment 5 Gal Zaidman 2018-10-07 06:22:04 UTC
For knowledge preservation, the current workaround is to comment out the line:
"HostKey /etc/ssh/ssh_host_ecdsa_key" from /etc/ssh/sshd_config on the host
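
A check for the workaround in Comment 5, added here as an example and not part of the original bug report or of oVirt: it lists the host key files sshd would load from a given sshd_config, which shows that commenting out the ECDSA line only removes that key while another HostKey line stays active. It assumes the built-in HostKey defaults documented in sshd_config(5) for recent OpenSSH releases and infers the key type from the conventional file names; the function names and sample configs are constructed.

```shell
#!/bin/sh
# Added example (not oVirt code). Built-in defaults per sshd_config(5) for
# recent OpenSSH releases; they apply only when no HostKey line is active.
DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"

# effective_hostkeys FILE: print one host key path per line.
effective_hostkeys() {
    # "HostKey=/path" is valid syntax, so '=' and tabs are folded to spaces.
    keys=$(tr '=\t' '  ' < "$1" | while read -r kw val rest || [ -n "$kw" ]; do
        case "$kw" in ''|\#*) continue ;; esac      # blank line or comment
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')    # keywords are case-insensitive
        if [ "$kw" = "hostkey" ] && [ -n "$val" ]; then
            printf '%s\n' "$val"
        fi
    done)
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' $DEFAULT_HOSTKEYS             # unquoted: one path per line
    fi
}

# offers_ecdsa FILE: succeed if an ECDSA host key would be loaded.
# Assumption: key type is inferred from the conventional file name.
offers_ecdsa() {
    effective_hostkeys "$1" | grep -q 'ecdsa'
}

# Constructed sample configs (not taken from a real host).
tmp=$(mktemp -d)
cat > "$tmp/workaround" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
cat > "$tmp/all_commented" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
EOF

for f in workaround all_commented; do
    if offers_ecdsa "$tmp/$f"; then echo "$f: ECDSA host key still offered"
    else echo "$f: no ECDSA host key"; fi
done
```

On a live host, `sshd -T` prints the effective `hostkey` values and is the authoritative check after restarting sshd.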