Launchpad doesn't support secure SSH parameters
Bug #1933722 reported by
Sam Bull
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Colin Watson | ||
| lazr.sshserver |
Fix Released
|
High
|
Colin Watson | ||
| turnip |
Fix Released
|
High
|
Colin Watson | ||
| txpkgupload |
Fix Released
|
High
|
Colin Watson | ||
Bug Description
With a secure config created for SSH, I am unable to connect without adding a weakened config for launchpad.
For example:
Unable to negotiate with 91.189.95.84 port 22: no matching host key type found. Their offer: ssh-rsa
ssh-rsa is considered insecure, enough that I believe it has been disabled by default in openssh now. Maybe it should be disabled for LP, but it certainly shouldn't be the ONLY option for connecting. This is currently required for both HostKeyAlgorithms and PubkeyAcceptedK
Additionally, I need to add hmac-sha2-512 to MACs, because LP doesn't support any etm versions, for example: <email address hidden> or <email address hidden>
Related branches
~andrey-fedoseev/turnip/+git/dependencies:update-twisted
- Launchpad code reviewers: Pending requested
-
Diff: 780 lines (+0/-0)0 files modified
~cjwatson/txpkgupload:Twisted-20.3.0+lp6
- Jürgen Gmach: Approve
-
Diff: 13 lines (+1/-1)1 file modifiedrequirements.txt (+1/-1)
~cjwatson/txpkgupload/+git/dependencies:Twisted-20.3.0+lp6
- Jürgen Gmach: Approve
-
Diff: 4 lines (+0/-0)0 files modified
~cjwatson/launchpad:ssh-ed25519
- Ioana Lasc (community): Approve
-
Diff: 128 lines (+35/-9)5 files modifiedlib/lp/registry/interfaces/ssh.py (+9/-2)
lib/lp/registry/stories/person/xx-add-sshkey.txt (+14/-3)
lib/lp/registry/templates/person-editsshkeys.pt (+3/-4)
lib/lp/registry/tests/test_ssh.py (+7/-0)
lib/lp/testing/factory.py (+2/-0)
~cjwatson/txpkgupload:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 53 lines (+6/-3)2 files modifiedrequirements.txt (+5/-2)
setup.py (+1/-1)
~cjwatson/turnip:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 50 lines (+6/-8)2 files modifiedrequirements.txt (+5/-7)
setup.py (+1/-1)
~cjwatson/launchpad:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 22 lines (+2/-2)1 file modifiedrequirements/launchpad.txt (+2/-2)
~cjwatson/txpkgupload/+git/dependencies:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 20 lines (+0/-0)0 files modified
~cjwatson/turnip/+git/dependencies:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 12 lines (+0/-0)0 files modified
~cjwatson/lp-source-dependencies:Twisted-20.3.0+lp5
- Ioana Lasc (community): Approve
-
Diff: 8 lines (+0/-0)0 files modified
~cjwatson/lazr.sshserver:rsa-sha2
- Ioana Lasc (community): Approve
-
Diff: 45 lines (+6/-3)2 files modifiedNEWS.txt (+2/-0)
src/lazr/sshserver/auth.py (+4/-3)
~cjwatson/twisted:conch-rsa-sha2-ed25519
- Ioana Lasc (community): Approve
-
Diff: 3023 lines (+1672/-178)23 files modifieddocs/conch/examples/sshsimpleserver.py (+16/-9)
docs/installation/howto/optional.rst (+3/-0)
src/twisted/_version.py (+11/-5)
src/twisted/conch/newsfragments/10208.feature (+1/-0)
src/twisted/conch/newsfragments/10266.feature (+1/-0)
src/twisted/conch/newsfragments/8966.feature (+1/-0)
src/twisted/conch/newsfragments/9765.feature (+1/-0)
src/twisted/conch/scripts/ckeygen.py (+42/-4)
src/twisted/conch/ssh/_kex.py (+2/-1)
src/twisted/conch/ssh/_keys_pynacl.py (+196/-0)
src/twisted/conch/ssh/factory.py (+7/-1)
src/twisted/conch/ssh/keys.py (+218/-44)
src/twisted/conch/ssh/transport.py (+184/-35)
src/twisted/conch/ssh/userauth.py (+2/-2)
src/twisted/conch/test/keydata.py (+21/-0)
src/twisted/conch/test/test_ckeygen.py (+58/-7)
src/twisted/conch/test/test_keys.py (+506/-32)
src/twisted/conch/test/test_recvline.py (+1/-1)
src/twisted/conch/test/test_ssh.py (+36/-3)
src/twisted/conch/test/test_transport.py (+350/-28)
src/twisted/python/_setup.py (+6/-1)
src/twisted/python/test/test_setup.py (+4/-4)
tox.ini (+5/-1)
| description: | updated |
Revision history for this message
| Colin Watson (cjwatson) wrote | #1 |
| affects: | launchpad → lazr.sshserver |
Revision history for this message
| Colin Watson (cjwatson) wrote | #2 |
| Changed in lazr.sshserver: | |
| status: | New → Triaged |
| importance: | Undecided → High |
Revision history for this message
| Colin Watson (cjwatson) wrote | #3 |
| Changed in launchpad: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in turnip: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in txpkgupload: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in lazr.sshserver: | |
| assignee: | nobody → Colin Watson (cjwatson) |
| status: | Triaged → Fix Released |
Revision history for this message
| Colin Watson (cjwatson) wrote | #4 |
| Changed in txpkgupload: | |
| assignee: | nobody → Colin Watson (cjwatson) |
| status: | Triaged → Fix Released |
Revision history for this message
| Colin Watson (cjwatson) wrote | #5 |
| Changed in turnip: | |
| assignee: | nobody → Colin Watson (cjwatson) |
| status: | Triaged → Fix Released |
Revision history for this message
| Colin Watson (cjwatson) wrote | #6 |
| Changed in txpkgupload: | |
| status: | Fix Released → In Progress |
Revision history for this message
| Colin Watson (cjwatson) wrote | #7 |
| Changed in launchpad: | |
| assignee: | nobody → Colin Watson (cjwatson) |
| status: | Triaged → Fix Released |
Revision history for this message
| Colin Watson (cjwatson) wrote | #8 |
| Changed in txpkgupload: | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
This mainly needs to be fixed in Twisted upstream, but the key algorithm types will probably also then need some enablement work in lazr.sshserver. And then we'll have somewhat similar problems as in bug 907675, in that we need to finish the upgrade to Python 3 and also upgrade to Ubuntu 18.04 in order to be able to use recent upstream versions of Twisted.