Bug 2190476
| Summary: | paramiko 2.4.3 cannot auth with RSA keypairs to RHEL 9 servers | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Ken Dreyer (Red Hat) <kdreyer> |
| Component: | python-paramiko | Assignee: | Othman Madjoudj <athmanem> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel8 | CC: | agrimm, athmanem, gwync, igor.raits, orion, paul, rebus, sgallagh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-paramiko-2.12.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-06 03:07:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
https://src.fedoraproject.org/rpms/python-paramiko/pull-request/2 merges the epel9 branch into epel8, resolving this bug.

I've built this newer version for epel8 at https://copr.fedorainfracloud.org/coprs/ktdreyer/paramiko/

FYI: Paramiko 2.4 can do RSA pubkey auth to RHEL 6 hosts fine, but with 2.9+ you will need to set disabled_algorithms or connect() will raise AuthenticationException. Here's the code I'm using:

```python
try:
    ssh.connect('192.168.122.10', username='cloud-user')
except paramiko.ssh_exception.AuthenticationException:
    # This host could be RHEL 6, so disable rsa-sha2:
    ssh.connect('192.168.122.10', username='cloud-user',
                disabled_algorithms={'pubkeys': ['rsa-sha2-512',
                                                 'rsa-sha2-256']})
```
FEDORA-EPEL-2023-294cf22ce7 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-294cf22ce7

FEDORA-EPEL-2023-294cf22ce7 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-294cf22ce7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-EPEL-2023-294cf22ce7 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
Description of problem:
python3-paramiko-2.4.3-2.el8 cannot authenticate with RSA keypairs to RHEL 9 servers.

Version-Release number of selected component (if applicable):
python3-paramiko-2.4.3-2.el8

How reproducible:
always

Steps to Reproduce:
1. Set up an el8 SSH client and el9 SSH server with an RSA SSH key pair (id_rsa, id_rsa.pub).
2. On the el8 system, yum install python3-paramiko 2.4.3 from EPEL 8.
3. Run the test.py script that connects with pubkey auth and copies a file:

```python
import paramiko
import logging

paramiko.util.get_logger("paramiko.transport").setLevel(logging.DEBUG)
paramiko.util.get_logger("paramiko").setLevel(logging.DEBUG)

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('192.168.122.10', username='cloud-user')

sftp = ssh.open_sftp()
sftp.put('/etc/issue', 'issue.txt')
sftp.close()
ssh.close()
```

Actual results:
ssh.connect() fails with paramiko.ssh_exception.AuthenticationException: Authentication failed. The RHEL 9 /var/log/secure shows:

```
Apr 28 09:51:11 localhost sshd[18154]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Apr 28 09:51:11 localhost sshd[18154]: Connection closed by authenticating user cloud-user 192.168.122.148 port 54648 [preauth]
```

Expected results:
The test.py script succeeds, and the el8 client can copy a file to el9. RHEL 9 /var/log/secure shows:

```
Apr 28 09:51:25 localhost sshd[18156]: Accepted publickey for cloud-user from 192.168.122.148 port 55688 ssh2: RSA SHA256:ChUHxaJ82BRLvPdm7q44Sj/njKZ6k0d8WoOotPBPrj0
Apr 28 09:51:25 localhost sshd[18156]: pam_unix(sshd:session): session opened for user cloud-user(uid=1000) by (uid=0)
Apr 28 09:51:25 localhost sshd[18156]: pam_unix(sshd:session): session closed for user cloud-user
```

Additional info:
Updating el8 to the version in epel9 (2.12.0) works perfectly, so I propose that we update epel8 to that version.
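
An added example (not part of the original bug report, and not Paramiko or Fedora code): a server-side log triage script that finds clients still offering an algorithm sshd refuses, by pairing the `userauth_pubkey` rejection quoted in this report with the `[preauth]` disconnect line logged by the same sshd PID, since only the latter carries the user and address. The function name, the last four sample lines, and the alternative message wordings in the patterns are assumptions.

```python
import re
from collections import Counter

# First three lines are the /var/log/secure lines quoted in this report;
# the remaining four are constructed for illustration.
SAMPLE_LOG = """\
Apr 28 09:51:11 localhost sshd[18154]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Apr 28 09:51:11 localhost sshd[18154]: Connection closed by authenticating user cloud-user 192.168.122.148 port 54648 [preauth]
Apr 28 09:51:25 localhost sshd[18156]: Accepted publickey for cloud-user from 192.168.122.148 port 55688 ssh2: RSA SHA256:ChUHxaJ82BRLvPdm7q44Sj/njKZ6k0d8WoOotPBPrj0
Apr 28 09:52:02 localhost sshd[18160]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Apr 28 09:52:02 localhost sshd[18160]: Connection closed by authenticating user backup 192.0.2.7 port 40112 [preauth]
Apr 28 09:53:10 localhost sshd[18170]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Apr 28 09:53:10 localhost sshd[18170]: Accepted publickey for deploy from 192.0.2.9 port 40200 ssh2: ED25519 SHA256:CONSTRUCTED
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The report shows the "key type ... PubkeyAcceptedAlgorithms" wording; the
# other alternatives cover wordings used by other OpenSSH versions.
REJECT = re.compile(r"userauth_pubkey: (?:key type|signature algorithm) (?P<alg>\S+) "
                    r"not in PubkeyAccepted(?:Algorithms|KeyTypes)")
CLOSE = re.compile(r"(?:Connection closed by|Disconnected from|Connection reset by) "
                   r"authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]")


def rejected_clients(log_text):
    """Count (user, ip, algorithm) for sessions that ended right after sshd
    refused the offered public-key algorithm."""
    pending = {}              # sshd pid -> algorithm sshd refused
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        rej = REJECT.search(msg)
        if rej:
            pending[pid] = rej["alg"]
            continue
        end = CLOSE.search(msg)
        if end and pid in pending:
            hits[(end["user"], end["ip"], pending.pop(pid))] += 1
        elif msg.startswith("Accepted "):
            pending.pop(pid, None)   # another key worked in the same session
    return hits


if __name__ == "__main__":
    for (user, ip, alg), n in sorted(rejected_clients(SAMPLE_LOG).items()):
        print(f"{n:3d}  {user}@{ip}  refused algorithm: {alg}")
```

Each reported pair is a client that needs an SSH library supporting rsa-sha2 signatures (for Paramiko on EPEL 8, the 2.12.0 update from this bug) or a non-RSA key.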