1747748 – Remote execution job hangs indefinitely when using unsupported ssh key algorithm

Bug 1747748 - Remote execution job hangs indefinitely when using unsupported ssh key algorithm

Summary: Remote execution job hangs indefinitely when using unsupported ssh key algorithm

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Remote Execution
Sub Component:
Version:	6.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	6.10.0
Assignee:	Peter Koprda
QA Contact:	Peter Ondrejka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-01 07:54 UTC by Hao Chang Yu
Modified:	2021-11-16 14:09 UTC (History)
CC List:	8 users (show)
Fixed In Version:	tfm-rubygem-foreman_remote_execution_core-1.4.7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-16 14:08:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ssh ruby test script (1.38 KB, application/x-ruby) 2019-09-01 08:17 UTC, Hao Chang Yu	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	27769	0	Normal	Closed	Remote execution job hangs indefinitely when using unsupported ssh key algorithm	2021-07-29 11:01:13 UTC
Red Hat Product Errata	RHSA-2021:4702	0	None	None	None	2021-11-16 14:09:04 UTC

Description Hao Chang Yu 2019-09-01 07:54:46 UTC

Description of problem:
If an user generates a ssh key with ed25519 algorithm and uses this key to perform a remote execution via the Satellite, the Dynflow flow task will fail silently and hang indefinitely.

Version-Release number of selected component (if applicable):
6.5

How reproducible:
When using a key type not supported by the ruby net/ssh.


Steps to Reproduce:
1. Generate a ed25519 ssh key

su - -s /bin/bash foreman-proxy
ssh-keygen -t ed25519 -C "test_key"
cd .ssh
mv id_ed25519.pub id_rsa_foreman_proxy.pub
mv id_ed25519 id_rsa_foreman_proxy

2. Copy the public key to the target machine.

3. Trigger a remote execution job via Satellite web UI.

Actual results:
Task hang indefinitely or until the job timeout

Expected results:
Catch the error and the task should fail with proper error message.

Additional info:

The reason that the job hang is the 'NoImplementError' is not inheriting the 'StandardError' so no exception is caught.

irb(main):014:0* begin
irb(main):015:1*    raise NotImplementedError, "Testing"
irb(main):016:1>  rescue Exception
irb(main):017:1>    p "Caught you!"
irb(main):018:1> end
"Caught you!"
=> "Caught you!"


irb(main):019:0> begin
irb(main):020:1*    raise NotImplementedError, "Testing"
irb(main):021:1>  rescue
irb(main):022:1>    p "Caught you!"
irb(main):023:1> end
NotImplementedError: Testing
	from (irb):20
	from /usr/bin/irb:12:in `<main>'


I attached a script to test run the ssh command directly which helped to reproduce the error.


su - -s /bin/bash foreman-proxy
scl enable tfm "ruby /tmp/ssh_cmd.rb my-target.example.com root 'sudo sh -c uptime'"
<snip>
D, [2019-09-01T17:30:15.600578 #25120] DEBUG -- net.ssh.authentication.session[a6c020]: trying publickey
Traceback (most recent call last):
	14: from /tmp/ssh_cmd.rb:28:in `<main>'
	13: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh.rb:237:in `start'
	12: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:66:in `authenticate'
	11: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:66:in `each'
	10: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/session.rb:80:in `block in authenticate'
	 9: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'
	 8: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:101:in `each_identity'
	 7: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:217:in `load_identities'
	 6: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:217:in `map'
	 5: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/key_manager.rb:221:in `block in load_identities'
	 4: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/key_factory.rb:84:in `load_public_key'
	 3: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/key_factory.rb:103:in `load_data_public_key'
	 2: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/buffer.rb:242:in `read_key'
	 1: from /opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/buffer.rb:275:in `read_keyblob'
/opt/theforeman/tfm/root/usr/share/gems/gems/net-ssh-4.0.1/lib/net/ssh/authentication/ed25519_loader.rb:19:in `raiseUnlessLoaded': unsupported key type `ssh-ed25519' (NotImplementedError)
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::MissingSpecError : "Could not find 'rbnacl' (< 5.0, >= 3.2.0) among 202 total gem(s)

Comment 3 Hao Chang Yu 2019-09-01 08:15:24 UTC

Also raised a RFE bug 1747751 to support ed25519 key

Comment 4 Hao Chang Yu 2019-09-01 08:17:51 UTC

Created attachment 1610472 [details]
ssh ruby test script

Comment 5 Adam Ruzicka 2019-09-03 12:55:16 UTC

Created redmine issue https://projects.theforeman.org/issues/27769 from this bug

Comment 8 Adam Ruzicka 2021-07-14 12:17:49 UTC

Fix for this was just merged upstream, proposing for 6.10.

Comment 10 Peter Ondrejka 2021-08-17 11:02:36 UTC

Verified on Satellite 6.10 snap 13, using ed25519 as an unsupported key (as 1747751 didn't get in yet). Rex job no longer hangs, it exits with the following message

Error initializing command: NotImplementedError - unsupported key type `ssh-ed25519'
net-ssh requires the following gems for ed25519 support:
 * rbnacl (>= 3.2, < 5.0)
 * rbnacl-libsodium, if your system doesn't have libsodium installed.
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/478 for more information
Gem::MissingSpecError : "Could not find 'rbnacl' (>= 3.2.0, < 5.0) among 258 total gem(s)
Checked in 'GEM_PATH=/opt/theforeman/tfm/root/usr/share/gems:/usr/share/foreman-proxy/.gem/ruby:/opt/rh/rh-ruby27/root/usr/share/gems:/opt/rh/rh-ruby27/root/usr/local/share/gems', execute `gem env` for more information"
Exit status: EXCEPTION

Comment 13 errata-xmlrpc 2021-11-16 14:08:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

Note You need to log in before you can comment on or make changes to this bug.