Bug 1747748

Summary: Remote execution job hangs indefinitely when using unsupported ssh key algorithm
Product: Red Hat Satellite
Reporter: Hao Chang Yu <hyu>
Component: Remote Execution
Assignee: Peter Koprda <pkoprda>
Status: CLOSED ERRATA
QA Contact: Peter Ondrejka <pondrejk>
Severity: medium
Priority: high
Version: 6.5.0
CC: ahumbe, aruzicka, inecas, michelis.tobias, osousa, pcreech, saydas, smeyer
Target Milestone: 6.10.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tfm-rubygem-foreman_remote_execution_core-1.4.7
Last Closed: 2021-11-16 14:08:51 UTC
Type: Bug
Attachments: ssh ruby test script (flags: none)

Description Hao Chang Yu 2019-09-01 07:54:46 UTC
Description of problem:
If a user generates an ssh key with the ed25519 algorithm and uses this key to perform a remote execution via the Satellite, the Dynflow flow task will fail silently and hang indefinitely.

Version-Release number of selected component (if applicable):
6.5

How reproducible:
When using a key type not supported by the ruby net/ssh.


Steps to Reproduce:
1. Generate an ed25519 ssh key

su - -s /bin/bash foreman-proxy
ssh-keygen -t ed25519 -C "test_key"
cd .ssh
mv id_ed25519.pub id_rsa_foreman_proxy.pub
mv id_ed25519 id_rsa_foreman_proxy

2. Copy the public key to the target machine.

3. Trigger a remote execution job via Satellite web UI.

Actual results:
Task hangs indefinitely or until the job timeout

Expected results:
Catch the error and the task should fail with a proper error message.

Additional info:

The reason that the job hangs is that 'NotImplementedError' does not inherit from 'StandardError', so no exception is caught.

irb(main):014:0* begin
irb(main):015:1*    raise NotImplementedError, "Testing"
irb(main):016:1>  rescue Exception
irb(main):017:1>    p "Caught you!"
irb(main):018:1> end
"Caught you!"
=> "Caught you!"


irb(main):019:0> begin
irb(main):020:1*    raise NotImplementedError, "Testing"
irb(main):021:1>  rescue
irb(main):022:1>    p "Caught you!"
irb(main):023:1> end
NotImplementedError: Testing
	from (irb):20
	from /usr/bin/irb:12:in `<main>'


I attached a script to test run the ssh command directly which helped to reproduce the error.


su - -s /bin/bash foreman-proxy
scl enable tfm "ruby /tmp/ssh_cmd.rb my-target.example.com root 'sudo sh -c uptime'"
<snip>
D, [2019-09-01T17:30:15.600578 #25120] DEBUG -- net.ssh.authentication.session[a6c020]: trying publickey
Traceback (most recent call last):
	14: from /tmp/ssh_cmd.rb:28:in `<main>'
	13: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh.rb:237:in `start'
	12: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:66:in `authenticate'
	11: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:66:in `each'
	10: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:80:in `block in authenticate'
	 9: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'
	 8: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:101:in `each_identity'
	 7: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:217:in `load_identities'
	 6: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:217:in `map'
	 5: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:221:in `block in load_identities'
	 4: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/key_factory.rb:84:in `load_public_key'
	 3: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/key_factory.rb:103:in `load_data_public_key'
	 2: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/buffer.rb:242:in `read_key'
	 1: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/buffer.rb:275:in `read_keyblob'
/opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': unsupported key type `ssh-ed25519' (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::MissingSpecError : "Could not find 'rbnacl' (< 5.0, >= 3.2.0) among 202 total gem(s)

Comment 3 Hao Chang Yu 2019-09-01 08:15:24 UTC
Also raised an RFE bug 1747751 to support ed25519 key

Comment 4 Hao Chang Yu 2019-09-01 08:17:51 UTC
Created attachment 1610472
ssh ruby test script

Comment 5 Adam Ruzicka 2019-09-03 12:55:16 UTC
Created redmine issue https://projects.theforeman.org/issues/27769 from this bug

Comment 8 Adam Ruzicka 2021-07-14 12:17:49 UTC
Fix for this was just merged upstream, proposing for 6.10.

Comment 10 Peter Ondrejka 2021-08-17 11:02:36 UTC
Verified on Satellite 6.10 snap 13, using ed25519 as an unsupported key (as 1747751 didn't get in yet). Rex job no longer hangs, it exits with the following message

Error initializing command: NotImplementedError - unsupported key type `ssh-ed25519'
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::MissingSpecError : "Could not find 'rbnacl' (>= 3.2.0, < 5.0) among 258 total gem(s)
Checked in 'GEM_PATH=/opt/theforeman/tfm/root/usr/share/gems:/usr/share/foreman-proxy/.gem/ruby:/opt/rh/rh-ruby27/root/usr/share/gems:/opt/rh/rh-ruby27/root/usr/local/share/gems', execute `gem env` for more information"
Exit status: EXCEPTION
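
The failure mode from the description and the reporting behaviour verified above, as an added example (not code from this bug report or from foreman_remote_execution): `load_key`, `Task`, `init_command_bare`, `init_command_hardened` and `run_task` are hypothetical names, and the key loader is a constructed stand-in that raises the same exception class as the traceback.

```ruby
# Constructed stand-in for the key loader in the traceback: it raises the same
# exception class net-ssh raised for the unsupported key type.
def load_key(type)
  raise NotImplementedError, "unsupported key type `#{type}'" if type == 'ssh-ed25519'
  "loaded #{type}"
end

# Hypothetical task record; a state stuck at :running models the hang.
Task = Struct.new(:state, :output)

# Before: a bare `rescue` only matches StandardError. NotImplementedError is a
# ScriptError, so it escapes the handler and the task state is never updated.
def init_command_bare(task, key_type)
  task.output = load_key(key_type)
  task.state = :success
rescue => e
  task.state = :failed
  task.output = "Error initializing command: #{e.class} - #{e.message}"
end

# After: name the non-StandardError class explicitly rather than rescuing
# Exception, which would also swallow Interrupt and SystemExit.
def init_command_hardened(task, key_type)
  task.output = load_key(key_type)
  task.state = :success
rescue StandardError, NotImplementedError => e
  task.state = :failed
  task.output = "Error initializing command: #{e.class} - #{e.message}"
end

# Runs one initializer on a worker thread and reports whether the exception
# leaked out of the handler, leaving the task at :running.
def run_task(initializer, key_type)
  task = Task.new(:running, nil)
  escaped = false
  worker = Thread.new do
    begin
      send(initializer, task, key_type)
    rescue Exception # demo harness only: observe what leaked out
      escaped = true
    end
  end
  worker.join
  [task.state, task.output, escaped]
end

if __FILE__ == $PROGRAM_NAME
  p run_task(:init_command_bare, 'ssh-ed25519')
  p run_task(:init_command_hardened, 'ssh-ed25519')
end
```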

Comment 13 errata-xmlrpc 2021-11-16 14:08:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702