Bug 1013333 - Upgrade request: apache-sshd-0.8.0 - support ctr algorithms
Upgrade request: apache-sshd-0.8.0 - support ctr algorithms
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: apache-sshd (Show other bugs)
20
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Juan Hernández
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 1007133 1021273
  Show dependency treegraph
 
Reported: 2013-09-29 07:25 EDT by Alon Bar-Lev
Modified: 2016-01-04 00:36 EST (History)
7 users (show)

See Also:
Fixed In Version: apache-sshd-0.9.0-2.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-22 06:48:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alon Bar-Lev 2013-09-29 07:25:05 EDT
Hello,

apache-sshd-0.7.0 supports only cbc ciphers, attempting to connect ctr enabled host results in:
---
fatal: no matching cipher found: 
client aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc 
server aes128-ctr,aes192-ctr,aes256-ctr 
---

Please consider upgrading apache-sshd to at least 0.8.0, packaging is the same as far as I can see.

Thanks!

---

Ciphers used in Apache sshd-core 0.7.0
==
    avail.add(new AES128CBC.Factory()); 
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Ciphers used in Apache sshd-core 0.8.0
==
    //Newly added after a security bug fix
    avail.add(new AES128CTR.Factory());
    avail.add(new AES256CTR.Factory());
    avail.add(new ARCFOUR128.Factory());
    avail.add(new ARCFOUR256.Factory());

    avail.add(new AES128CBC.Factory());
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==
Comment 1 Fedora Update System 2013-09-30 11:18:09 EDT
apache-sshd-0.9.0-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/apache-sshd-0.9.0-2.fc20
Comment 2 Fedora Update System 2013-09-30 22:09:58 EDT
Package apache-sshd-0.9.0-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing apache-sshd-0.9.0-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18027/apache-sshd-0.9.0-2.fc20
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2013-10-09 10:31:42 EDT
apache-sshd-0.9.0-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Alon Bar-Lev 2013-11-01 15:26:21 EDT
Hello Guys,

There is an issue in apache-sshd-0.9.0[1], which breaks ovirt-engine[2].

Upstream is not responding and looking at the diff between 0.8.0->0.9.0 I cannot find trivial zone to investigate, so we need to downgrade to 0.8.0 for now. What is the procedure?

Thanks!

[1] https://issues.apache.org/jira/browse/SSHD-258
[2] bug#1021273.
Comment 5 Douglas Schilling Landgraf 2013-11-22 06:17:31 EST
(In reply to Alon Bar-Lev from comment #4)
> Hello Guys,
> 
> There is an issue in apache-sshd-0.9.0[1], which breaks ovirt-engine[2].
> 
> Upstream is not responding and looking at the diff between 0.8.0->0.9.0 I
> cannot find trivial zone to investigate, so we need to downgrade to 0.8.0
> for now. What is the procedure?
> 
> Thanks!
> 
> [1] https://issues.apache.org/jira/browse/SSHD-258
> [2] bug#1021273.

Hi Juan,

I had the same issue and cannot register ovirt-node-iso-3.0.2-1.0.0.vdsm.fc19.iso to ovirt-engine-3.3.1-2.fc19.noarch always receive "Unexpected connection termination".

apache-sshd-0.9.0-2.fc19.noarch
openssh-server-6.2p2-6.fc19.x86_64
openssh-clients-6.2p2-6.fc19.x86_64
openssh-6.2p2-6.fc19.x86_64

Downgrading to: apache-sshd.noarch 0:0.7.0-3.fc19 resolves the problem.
Comment 6 Juan Hernández 2013-11-22 06:39:01 EST
While upstream solves the issue you can solve this in ovirt-engine as follows:

diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in
index f0c496e..59fb2fa 100644
--- a/ovirt-engine.spec.in
+++ b/ovirt-engine.spec.in
@@ -184,7 +184,6 @@ Requires:   yum-plugin-versionlock
 Requires:      apache-commons-compress
 Requires:      apache-commons-configuration
 Requires:      apache-commons-jxpath
-Requires:      apache-sshd
 Requires:      jakarta-commons-httpclient
 Requires:      objectweb-asm
 Requires:      openstack-java-client >= %{openstack_java_version}
@@ -597,7 +596,6 @@ org/apache/commons/configuration/main/commons-configuration.jar commons-configur
 org/apache/commons/httpclient/main/commons-httpclient.jar
 org/apache/commons/jxpath/main/commons-jxpath.jar commons-jxpath.jar
 org/apache/mina/main/mina-core.jar apache-mina/mina-core.jar
-org/apache/sshd/main/sshd-core.jar apache-sshd/sshd-core.jar
 org/apache/xmlrpc/main/xmlrpc-client.jar
 org/apache/xmlrpc/main/xmlrpc-common.jar
 org/postgresql/main/postgresql.jar postgresql-jdbc.jar
Comment 7 Juan Hernández 2013-11-22 06:48:06 EST
I'm closing this bug as it was about upgrading to the at least 0.8.0, and that is done. Open a new bug for the new issue if required.
Comment 8 Alon Bar-Lev 2013-11-27 05:34:52 EST
I am not sure I understand why fedora cannot downgrade broken package caused due to this bug within the same bug domain.

Note You need to log in before you can comment on or make changes to this bug.