Launchpad Bazaar and Git servers hang on SSH ECDSA/ED25519 authentication

Bug #830679 reported by Mantas Mikulėnas
This bug affects 9 people
Affects            Importance   Assigned to
Launchpad itself   High         Colin Watson
lazr.sshserver     High         Colin Watson
turnip             High         Colin Watson
txpkgupload        High         Colin Watson

Bug Description

When connecting to "bazaar.launchpad.net" over SSH (for "lp:..." and "bzr+ssh://...") using the OpenSSH 5.8p2 client, the connection hangs when authentication using an ECDSA key is attempted.

[2011-08-21T19:42:56Z]
$ ssh -vvv <email address hidden> bzr whatever
OpenSSH_5.8p2, OpenSSL 1.0.0d 8 Feb 2011
[...]
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/grawity/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/grawity/.ssh/id_dsa
debug3: no such identity: /home/grawity/.ssh/id_dsa
debug1: Offering ECDSA public key: /home/grawity/.ssh/id_ecdsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
[hangs until killed]

This makes it impossible to check out Launchpad projects (using "bzr co lp:....") after I have done "bzr lp-login".

description: updated
Changed in launchpad:
status: New → Incomplete
status: Incomplete → New
tags: added: codehosting-ssh ssh
Robert Collins (lifeless) wrote : Re: [Bug 830679] Re: Launchpad Bazaar server -- hangs on SSH ECDSA authentication

This may require a twisted conch patch

Graham Binns (gmb)
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
James (dboyzetown) wrote : Re: Launchpad Bazaar server -- hangs on SSH ECDSA authentication

This is seriously annoying. Does "bzr branch" use ssh? I'm assuming it does, and I'm also assuming it doesn't run ssh with -v. I'm trying to install a package from the AUR that uses bzr, and I've literally spent the last 4 hours trying to work around this.

Mantas Mikulėnas (grawity) wrote :

James - yes, if you have done `bzr launchpad-login`, it starts using SSH for everything.

As a workaround, you can update your ~/.ssh/config to use an RSA key:

Host bazaar.launchpad.net
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa

James (dboyzetown) wrote :

Yes, sorry, I forgot to post that I got this working. Confirmed though that that fix does indeed work. Thanks Mantas =]

Mantas Mikulėnas (grawity) wrote :

As an update (still open three years later?...), it turns out that OpenSSH "certificates" also trigger this bug:

    debug1: Offering RSA-CERT public key: /home/grawity/.ssh/id_global
    debug2: we sent a publickey packet, wait for reply
    [hangs]

Even the IdentitiesOnly option does not work here, as OpenSSH always tries <file>-cert.pub in addition to just <file> (it's documented in ssh_config with no option to disable).

Fortunately I was only testing the feature and can work around by removing ~/.ssh/*-cert.pub, but some other people wouldn't be so lucky.

Colin Watson (cjwatson)
affects: launchpad → lazr.sshserver
William Grant (wgrant)
Changed in lazr.sshserver:
assignee: nobody → William Grant (wgrant)
Mantas Mikulėnas (grawity) wrote :

The next (post-6.9) OpenSSH release will have a more reliable workaround (and at the same time, more issues):

Host bazaar.launchpad.net
        # Limit client pubkeys to RSA
        PubkeyAcceptedKeyTypes ssh-rsa
        # Re-enable weak 768-bit DH group
        KexAlgorithms diffie-hellman-group1-sha1

William Grant (wgrant)
Changed in lazr.sshserver:
assignee: William Grant (wgrant) → nobody
Colin Watson (cjwatson)
Changed in lazr.sshserver:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Colin Watson (cjwatson)
summary: - Launchpad Bazaar server -- hangs on SSH ECDSA authentication
+ Launchpad Bazaar and Git servers hang on SSH ECDSA/ED25519
+ authentication
Colin Watson (cjwatson) wrote :

Fixed in lazr.sshserver 0.1.6. I'll upgrade the other projects shortly so that we can actually deploy this.

Changed in lazr.sshserver:
status: In Progress → Fix Released
Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Changed in turnip:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
Changed in turnip:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in turnip:
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
Changed in txpkgupload:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
Changed in txpkgupload:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

This is now fixed on all of our SSH endpoints. If you have workarounds for this in ~/.ssh/config, you can remove them now.

Changed in txpkgupload:
status: Fix Committed → Fix Released
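
One way to find leftover workarounds from this thread in an ssh_config file once the fix is deployed, as an added example that is not part of the original bug report or of Launchpad's code. The names `WORKAROUNDS`, `parse_stanzas` and `find_workarounds` and the sample config are assumptions of this example; negated Host patterns and Include files are not handled, and a reported IdentityFile line may be intentional, so the output is a review list rather than a removal list.

```python
import fnmatch
import re

# Directives from the workarounds posted in this bug; None = any value counts.
WORKAROUNDS = {
    "identitiesonly": {"yes"},
    "identityfile": None,
    "pubkeyacceptedkeytypes": {"ssh-rsa"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
}

SAMPLE = """\
Host *.launchpad.net
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
    PubkeyAcceptedKeyTypes=ssh-rsa
    KexAlgorithms diffie-hellman-group1-sha1
    User example
"""  # constructed sample, not a real user's config

def parse_stanzas(text):
    """Yield (host_patterns, [(lineno, keyword, value), ...]) per block.

    Match blocks are yielded with no patterns, so they are never reported."""
    patterns, body = ["*"], []  # options before the first Host apply to all
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            yield patterns, body
            patterns, body = (value.split() if keyword == "host" else []), []
        else:
            body.append((lineno, keyword, value))
    yield patterns, body

def find_workarounds(text, host="bazaar.launchpad.net"):
    """Return workaround lines from Host blocks written for `host`."""
    hits = []
    for patterns, body in parse_stanzas(text):
        if patterns == ["*"] or not any(fnmatch.fnmatch(host, p) for p in patterns):
            continue
        for lineno, keyword, value in body:
            allowed = WORKAROUNDS.get(keyword, ())
            if allowed is None or value.lower() in allowed:
                hits.append((lineno, keyword, value))
    return hits
```

Pass the contents of ~/.ssh/config as `text`; the KexAlgorithms hit is the one that matters most, since it pins the connection to the weak key exchange long after the server stopped needing it.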