support newer mac algorithms in "juju ssh" reachability checks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Wishlist | Unassigned |
Bug Description
We've been rolling out stricter baseline sshd configurations. In particular we've selected the following MAC algorithms on the basis that they are good choices that are also supported by openssh as far back as Ubuntu 14.04 LTS (trusty):
<email address hidden>,<email address hidden>,<email address hidden>
However I recently discovered while finalizing a recent new deployment that "juju ssh" apparently doesn't support any of these algorithms (at least as of 2.1.2) when checking reachability. In our case, when reachability succeeds, the openssh client is used to make the actual connection, which supports the restricted MAC configuration.
04:21:28 INFO juju.cmd supercommand.go:63 running juju [2.1.2 gc go1.6]
[...]
04:21:28 DEBUG juju.network.ssh reachable.go:175 ssh: handshake failed: ssh: no common algorithm for client to server MAC; client offered: [hmac-sha2-256 hmac-sha1 hmac-sha1-96], server offered: [<email address hidden> <email address hidden> <email address hidden>]
04:21:28 DEBUG juju.network.ssh reachable.go:175 ssh: handshake failed: ssh: no common algorithm for client to server MAC; client offered: [hmac-sha2-256 hmac-sha1 hmac-sha1-96], server offered: [<email address hidden> <email address hidden> <email address hidden>]
04:21:28 DEBUG juju.cmd.
[...]
Please consider upgrading juju ssh's MAC algorithm suite.
We've used https:/
description: updated
summary:
- support newer mac algorithms in "juju ssh"
+ support newer mac algorithms in "juju ssh" reachability checks
description: updated
Changed in juju:
status: New → Confirmed
Changed in juju:
status: Confirmed → Triaged
importance: Undecided → Wishlist
Changed in juju:
status: Expired → Triaged
Possible solutions could be to simplify the reachability check to succeed when an SSH banner is seen, or even to succeed merely if the TCP connection is successfully established.
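A banner-based reachability probe along the lines of the comment above, as an added Go example that is not Juju's own code: it dials TCP, reads the RFC 4253 identification line, and never starts key exchange, so the client's MAC list (the cause of the "no common algorithm" failures in the log) does not matter. The function names, the line bound and the command-line usage are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
	"time"
)

// RFC 4253 §4.2 lets a server send free-form lines before "SSH-2.0-..."; bound them.
const maxBannerLines = 50

// readSSHIdentification returns the server's identification line, or an error if the
// peer does not speak SSH 2.0. No KEXINIT is sent, so client MAC support is irrelevant.
func readSSHIdentification(r io.Reader) (string, error) {
	br := bufio.NewReader(r)
	for i := 0; i < maxBannerLines; i++ {
		line, err := br.ReadString('\n')
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, "SSH-2.0-") {
			return line, nil
		}
		if strings.HasPrefix(line, "SSH-") || err != nil {
			return "", fmt.Errorf("no SSH-2.0 identification: got %q, err %v", line, err)
		}
	}
	return "", fmt.Errorf("no SSH identification within %d lines", maxBannerLines)
}

// sshReachable dials addr over TCP and returns the identification string if an
// SSH server answers within timeout (assumed shape of a banner-based check).
func sshReachable(addr string, timeout time.Duration) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	return readSSHIdentification(conn)
}

// Usage: go run reach.go host:22 (the address is a command-line argument).
func main() {
	id, err := sshReachable(os.Args[1], 3*time.Second)
	fmt.Println(id, err)
}
```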