Bug 1013333 - Upgrade request: apache-sshd-0.8.0 - support ctr algorithms
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: apache-sshd
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Juan Hernández
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1007133 1021273
Reported: 2013-09-29 11:25 UTC by Alon Bar-Lev
Modified: 2016-01-04 05:36 UTC (History)

Fixed In Version: apache-sshd-0.9.0-2.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-22 11:48:06 UTC
Type: Bug
Embargoed:



Description Alon Bar-Lev 2013-09-29 11:25:05 UTC
Hello,

apache-sshd-0.7.0 supports only cbc ciphers; attempting to connect to a ctr-enabled host results in:
---
fatal: no matching cipher found: 
client aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc 
server aes128-ctr,aes192-ctr,aes256-ctr 
---

Please consider upgrading apache-sshd to at least 0.8.0, packaging is the same as far as I can see.

Thanks!

---

Ciphers used in Apache sshd-core 0.7.0
==
    avail.add(new AES128CBC.Factory()); 
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Ciphers used in Apache sshd-core 0.8.0
==
    //Newly added after a security bug fix
    avail.add(new AES128CTR.Factory());
    avail.add(new AES256CTR.Factory());
    avail.add(new ARCFOUR128.Factory());
    avail.add(new ARCFOUR256.Factory());

    avail.add(new AES128CBC.Factory());
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==
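
The failure quoted in the description follows from the SSH negotiation rule in RFC 4253, section 7.1: the cipher used is the first name on the client's list that the server also offers. The script below is an added example, not part of the original report or of Apache SSHD; it parses the quoted message and replays the negotiation, assuming the 0.8.0 factory classes advertise the cipher names shown in `SSHD_0_8_0`.

```python
import re

# Constructed sample: the fatal message quoted in the bug description.
SAMPLE_LOG = """fatal: no matching cipher found:
client aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
server aes128-ctr,aes192-ctr,aes256-ctr
"""

# Assumption: the 0.8.0 factory classes listed above advertise these SSH
# cipher names, in the order the factories are added.
SSHD_0_8_0 = ["aes128-ctr", "aes256-ctr", "arcfour128", "arcfour256",
              "aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc",
              "aes256-cbc"]


def parse_offers(log_text):
    """Return {'client': [...], 'server': [...]} from a 'no matching cipher' message."""
    offers = {}
    for side, names in re.findall(r"^(client|server)\s+(\S+)\s*$", log_text, re.M):
        offers[side] = [n for n in names.split(",") if n]
    if set(offers) != {"client", "server"}:
        raise ValueError("message lacks a client or server cipher list")
    return offers


def negotiate(client, server):
    """RFC 4253 section 7.1: pick the first client cipher the server also lists."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def diagnose(log_text, candidate_client):
    """Compare the failing client list with a candidate replacement list."""
    offers = parse_offers(log_text)
    return {
        "before": negotiate(offers["client"], offers["server"]),
        "after": negotiate(candidate_client, offers["server"]),
        # Server ciphers the candidate list still does not cover.
        "server_only": [c for c in offers["server"] if c not in candidate_client],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SSHD_0_8_0))
```

The `server_only` field reports any server cipher the candidate list does not cover, which matters when a server is restricted to a single cipher.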

Comment 1 Fedora Update System 2013-09-30 15:18:09 UTC
apache-sshd-0.9.0-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/apache-sshd-0.9.0-2.fc20

Comment 2 Fedora Update System 2013-10-01 02:09:58 UTC
Package apache-sshd-0.9.0-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing apache-sshd-0.9.0-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18027/apache-sshd-0.9.0-2.fc20
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2013-10-09 14:31:42 UTC
apache-sshd-0.9.0-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Alon Bar-Lev 2013-11-01 19:26:21 UTC
Hello Guys,

There is an issue in apache-sshd-0.9.0[1], which breaks ovirt-engine[2].

Upstream is not responding, and looking at the diff between 0.8.0->0.9.0 I cannot find a trivial zone to investigate, so we need to downgrade to 0.8.0 for now. What is the procedure?

Thanks!

[1] https://issues.apache.org/jira/browse/SSHD-258
[2] bug#1021273.

Comment 5 Douglas Schilling Landgraf 2013-11-22 11:17:31 UTC
(In reply to Alon Bar-Lev from comment #4)
> Hello Guys,
> 
> There is an issue in apache-sshd-0.9.0[1], which breaks ovirt-engine[2].
> 
> Upstream is not responding, and looking at the diff between 0.8.0->0.9.0 I
> cannot find a trivial zone to investigate, so we need to downgrade to 0.8.0
> for now. What is the procedure?
> 
> Thanks!
> 
> [1] https://issues.apache.org/jira/browse/SSHD-258
> [2] bug#1021273.

Hi Juan,

I had the same issue and cannot register ovirt-node-iso-3.0.2-1.0.0.vdsm.fc19.iso to ovirt-engine-3.3.1-2.fc19.noarch; I always receive "Unexpected connection termination".

apache-sshd-0.9.0-2.fc19.noarch
openssh-server-6.2p2-6.fc19.x86_64
openssh-clients-6.2p2-6.fc19.x86_64
openssh-6.2p2-6.fc19.x86_64

Downgrading to: apache-sshd.noarch 0:0.7.0-3.fc19 resolves the problem.

Comment 6 Juan Hernández 2013-11-22 11:39:01 UTC
While upstream solves the issue you can solve this in ovirt-engine as follows:

diff --git a/ovirt-engine.spec.in b/ovirt-engine.spec.in
index f0c496e..59fb2fa 100644
--- a/ovirt-engine.spec.in
+++ b/ovirt-engine.spec.in
@@ -184,7 +184,6 @@ Requires:   yum-plugin-versionlock
 Requires:      apache-commons-compress
 Requires:      apache-commons-configuration
 Requires:      apache-commons-jxpath
-Requires:      apache-sshd
 Requires:      jakarta-commons-httpclient
 Requires:      objectweb-asm
 Requires:      openstack-java-client >= %{openstack_java_version}
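
Review bot: The `Requires:      apache-sshd` line is dropped at old line 187 with no comment in the spec marking this as a temporary workaround, so nothing in the file will prompt anyone to restore the dependency once upstream resolves the issue. Add a spec comment at that position naming the upstream issue and stating where the sshd-core classes are expected to come from in the meantime, since the hunk shows no replacement requirement.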
@@ -597,7 +596,6 @@ org/apache/commons/configuration/main/commons-configuration.jar commons-configur
 org/apache/commons/httpclient/main/commons-httpclient.jar
 org/apache/commons/jxpath/main/commons-jxpath.jar commons-jxpath.jar
 org/apache/mina/main/mina-core.jar apache-mina/mina-core.jar
-org/apache/sshd/main/sshd-core.jar apache-sshd/sshd-core.jar
 org/apache/xmlrpc/main/xmlrpc-client.jar
 org/apache/xmlrpc/main/xmlrpc-common.jar
 org/postgresql/main/postgresql.jar postgresql-jdbc.jar
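
Review bot: After the `org/apache/sshd/main/sshd-core.jar apache-sshd/sshd-core.jar` entry is removed at old line 600, nothing visible in this hunk says what supplies sshd-core.jar under org/apache/sshd/main, while the adjacent `org/apache/mina/main/mina-core.jar apache-mina/mina-core.jar` entry still points at the system jar. Confirm that a known-good sshd-core.jar is shipped at that path and that it works with the system mina-core version, and record the chosen sshd-core version next to this list so the workaround can be audited later.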

Comment 7 Juan Hernández 2013-11-22 11:48:06 UTC
I'm closing this bug as it was about upgrading to at least 0.8.0, and that is done. Open a new bug for the new issue if required.

Comment 8 Alon Bar-Lev 2013-11-27 10:34:52 UTC
I am not sure I understand why Fedora cannot downgrade a broken package caused by this bug within the same bug domain.

