Bug 1591801 - uutils.ssh.OpenSSHUtils - the key algorithm 'EC' is not supported on Fedora 28
Status: CLOSED UPSTREAM
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: uutils
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ovirt-4.3.0
Target Release: 4.3.0
Assignee: Martin Perina
QA Contact: Lukas Svaty
Blocks: oVirt_on_Fedora
Reported: 2018-06-15 15:17 UTC by Sandro Bonazzola
Modified: 2018-12-06 09:45 UTC

Fixed In Version: ovirt-engine-4.3.0_alpha
Last Closed: 2018-12-06 09:45:19 UTC
oVirt Team: Infra
rule-engine: ovirt-4.3+

Links
System | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 92913 | master | ABANDONED | core: Require JDK10 on Fedora for runtime | 2018-11-08 08:38:02 UTC
oVirt gerrit | 95323 | master | MERGED | core: Enforce RSA public keys for SSH connections | 2018-11-08 10:49:34 UTC
openjdk bug system | JDK-8182580 | None | None | None | 2018-07-09 10:18:58 UTC

Description Sandro Bonazzola 2018-06-15 15:17:11 UTC
Adding a host with the engine running on Fedora 28 server fails with:

2018-06-15 17:08:23,478+02 ERROR [org.ovirt.engine.core.uutils.ssh.OpenSSHUtils] (default task-2) [b9fdcbba-a577-4923-a718-c45f56aa0830] The key algorithm 'EC' is not supported, will return null.
2018-06-15 17:08:23,485+02 ERROR [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-2) [b9fdcbba-a577-4923-a718-c45f56aa0830] Failed to establish session with host 'host': null

Involved packages:
ovirt-engine-4.3.0-0.0.master.20180613124113.git0abf28f2d59.fc28.noarch

# rpm -qav |grep ssh|sort
apache-sshd-0.14.0-7.fc28.noarch
fence-agents-ilo-ssh-4.2.1-1.fc28.x86_64
libssh-0.7.5-7.fc28.x86_64
libssh2-1.8.0-7.fc28.x86_64
openssh-7.7p1-3.fc28.x86_64
openssh-clients-7.7p1-3.fc28.x86_64
openssh-server-7.7p1-3.fc28.x86_64
sshpass-1.06-5.fc28.x86_64

Not sure if related to bug #1441528

Comment 1 Sandro Bonazzola 2018-06-15 15:22:00 UTC
If it may help:

rpm -qf /etc/crypto-policies/back-ends/openssh.config
crypto-policies-20180425-5.git6ad4018.fc28.noarch

cat /etc/crypto-policies/back-ends/openssh.config
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
GSSAPIKexAlgorithms gss-gex-sha1-,gss-group14-sha1-
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Comment 2 Sandro Bonazzola 2018-06-15 15:31:29 UTC
Also note that the workaround mentioned in https://www.ovirt.org/release/3.6.1/#fedora-22 is not working:

"
Fedora 22
on hosts you need to add following line to /etc/ssh/sshd_config

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

and then execute

  # systemctl restart sshd
before adding the host to the engine.
"

Comment 3 Piotr Kliczewski 2018-06-28 09:02:22 UTC
This issue could be related to this [1] jdk bug.


[1] https://bugs.openjdk.java.net/browse/JDK-8182580

Comment 4 Martin Perina 2018-07-09 10:22:04 UTC
There has been no progress on JDK-8182580 for a year, but the issue seems to be working on JDK9, so we will most probably need to upgrade to JDK9/10 on Fedora to resolve the issue.

Comment 5 Gal Zaidman 2018-10-07 06:22:04 UTC
For knowledge preservation, the current workaround is to comment out the line:
"HostKey /etc/ssh/ssh_host_ecdsa_key" from /etc/ssh/sshd_config on the host

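The workaround in Comment 5 only has the intended effect while sshd_config still carries an explicit RSA HostKey line: with no active HostKey lines, sshd falls back to its built-in defaults, which include the ECDSA key. The check below is an added example, not part of the bug report or of oVirt; the function names are hypothetical and it assumes host key files use the conventional `ssh_host_<type>_key` names.

```shell
#!/bin/sh
# Added example: audit the active HostKey directives in an sshd_config.
# Assumption: key type is inferred from the conventional file name.

# Print "type path" for every active (uncommented) HostKey directive.
active_hostkeys() {
    awk 'tolower($1) == "hostkey" && NF >= 2 {
        t = "other"
        if ($2 ~ /_ecdsa_key$/) t = "ecdsa"
        else if ($2 ~ /_rsa_key$/) t = "rsa"
        else if ($2 ~ /_ed25519_key$/) t = "ed25519"
        print t, $2
    }' "$1"
}

# Returns 0 if RSA is offered and ECDSA is not, 1 if ECDSA is still
# offered, 2 if no RSA host key is configured.
audit_hostkeys() {
    ah_keys=$(active_hostkeys "$1")
    if [ -z "$ah_keys" ]; then
        # With no explicit HostKey line sshd uses its built-in defaults,
        # which include /etc/ssh/ssh_host_ecdsa_key.
        echo "no active HostKey lines: sshd defaults apply, ECDSA offered"
        return 1
    fi
    if printf '%s\n' "$ah_keys" | grep -q '^ecdsa '; then
        echo "ECDSA host key still active"
        return 1
    fi
    if ! printf '%s\n' "$ah_keys" | grep -q '^rsa '; then
        echo "no RSA host key configured"
        return 2
    fi
    echo "ok: RSA offered, ECDSA disabled"
}

# Constructed sample: a config with the workaround from Comment 5 applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
audit_hostkeys "$sample" || true
rm -f "$sample"
```
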
