Description of problem: python3-paramiko-2.4.3-2.el8 cannot authenticate with RSA keypairs to RHEL 9 servers. Version-Release number of selected component (if applicable): python3-paramiko-2.4.3-2.el8 How reproducible: always Steps to Reproduce: 1. Set up an el8 SSH client and el9 SSH server with an RSA SSH key pair (id_rsa, id_rsa.pub). 2. On the el8 system, yum install python3-paramiko 2.4.3 from EPEL 8. 3. Run the test.py script that connects with pubkey auth and copies a file: import paramiko import logging paramiko.util.get_logger("paramiko.transport").setLevel(logging.DEBUG) paramiko.util.get_logger("paramiko").setLevel(logging.DEBUG) ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect('192.168.122.10', username='cloud-user') sftp = ssh.open_sftp() sftp.put('/etc/issue', 'issue.txt') sftp.close() ssh.close() Actual results: ssh.connect() fails with paramiko.ssh_exception.AuthenticationException: Authentication failed. The RHEL 9 /var/log/secure shows: Apr 28 09:51:11 localhost sshd[18154]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] Apr 28 09:51:11 localhost sshd[18154]: Connection closed by authenticating user cloud-user 192.168.122.148 port 54648 [preauth] Expected results: The test.py script succeeds, and the el8 client can copy a file to el9. RHEL 9 /var/log/secure shows: Apr 28 09:51:25 localhost sshd[18156]: Accepted publickey for cloud-user from 192.168.122.148 port 55688 ssh2: RSA SHA256:ChUHxaJ82BRLvPdm7q44Sj/njKZ6k0d8WoOotPBPrj0 Apr 28 09:51:25 localhost sshd[18156]: pam_unix(sshd:session): session opened for user cloud-user(uid=1000) by (uid=0) Apr 28 09:51:25 localhost sshd[18156]: pam_unix(sshd:session): session closed for user cloud-user Additional info: Updating el8 to the version in epel9 (2.12.0) works perfectly, so I propose that we update epel8 to that version.
https://src.fedoraproject.org/rpms/python-paramiko/pull-request/2 merges the epel9 branch into epel8, resolving this bug.
I've built this newer version for epel8 at https://copr.fedorainfracloud.org/coprs/ktdreyer/paramiko/
FYI: Paramiko 2.4 can do RSA pubkey auth to RHEL 6 hosts fine, but with 2.9+ you will need to set disabled_algorithms or connect() will raise AuthenticationException. Here's the code I'm using: try: ssh.connect('192.168.122.10', username='cloud-user') except paramiko.ssh_exception.AuthenticationException: # This host could be RHEL 6, so disable rsa-sha2: ssh.connect('192.168.122.10', username='cloud-user', disabled_algorithms={'pubkeys': ['rsa-sha2-512', 'rsa-sha2-256']})
FEDORA-EPEL-2023-294cf22ce7 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-294cf22ce7
FEDORA-EPEL-2023-294cf22ce7 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-294cf22ce7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-294cf22ce7 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.