Launchpad Bazaar and Git servers hang on SSH ECDSA/ED25519 authentication

Bug #830679 reported by Mantas Mikulėnas on 2011-08-21
This bug affects 9 people
Affects            Importance   Assigned to
Launchpad itself   High         Colin Watson
lazr.sshserver     High         Colin Watson
turnip             High         Colin Watson
txpkgupload        High         Colin Watson

Bug Description

When connecting to "bazaar.launchpad.net" over SSH (for "lp:..." and "bzr+ssh://...") using OpenSSH 5.8p2 client, the connection hangs when authentication using an ECDSA key is attempted.

[2011-08-21T19:42:56Z]
$ ssh -vvv <email address hidden> bzr whatever
OpenSSH_5.8p2, OpenSSL 1.0.0d 8 Feb 2011
[...]
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/grawity/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/grawity/.ssh/id_dsa
debug3: no such identity: /home/grawity/.ssh/id_dsa
debug1: Offering ECDSA public key: /home/grawity/.ssh/id_ecdsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
[hangs until killed]

This makes it impossible to checkout Launchpad projects (using "bzr co lp:....") after I have done "bzr lp-login".

description: updated
Changed in launchpad:
status: New → Incomplete
status: Incomplete → New
tags: added: codehosting-ssh ssh
Graham Binns (gmb) on 2011-08-22
Changed in launchpad:
status: New → Triaged
importance: Undecided → High

This is seriously annoying. Does "bzr branch" use ssh? I'm assuming it does, and I'm also assuming it doesn't run ssh with -v. I'm trying to install a package from the AUR that uses bzr, and I've literally spent the last 4 hours trying to work around this.

Mantas Mikulėnas (grawity) wrote :

James - yes, if you have done `bzr launchpad-login`, it starts using SSH for everything.

As a workaround, you can update your ~/.ssh/config to use an RSA key:

Host bazaar.launchpad.net
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa

James (dboyzetown) wrote :

Yes, sorry, I forgot to post that I got this working. Confirmed though that that fix does indeed work. Thanks Mantas =]

Mantas Mikulėnas (grawity) wrote :

As an update (still open three years later?...), it turns out that OpenSSH "certificates" also trigger this bug:

    debug1: Offering RSA-CERT public key: /home/grawity/.ssh/id_global
    debug2: we sent a publickey packet, wait for reply
    [hangs]

Even the IdentitiesOnly option does not work here, as OpenSSH always tries <file>-cert.pub in addition to just <file> (it's documented in ssh_config with no option to disable).

Fortunately I was only testing the feature and can work around by removing ~/.ssh/*-cert.pub, but some other people wouldn't be so lucky.

Colin Watson (cjwatson) on 2015-01-14
affects: launchpad → lazr.sshserver
William Grant (wgrant) on 2015-06-20
Changed in lazr.sshserver:
assignee: nobody → William Grant (wgrant)
Mantas Mikulėnas (grawity) wrote :

The next (post-6.9) OpenSSH release will have a more reliable workaround (and at the same time, more issues):

Host bazaar.launchpad.net
        # Limit client pubkeys to RSA
        PubkeyAcceptedKeyTypes ssh-rsa
        # Re-enable weak 768-bit DH group
        KexAlgorithms diffie-hellman-group1-sha1

William Grant (wgrant) on 2015-10-05
Changed in lazr.sshserver:
assignee: William Grant (wgrant) → nobody
Colin Watson (cjwatson) on 2018-02-25
Changed in lazr.sshserver:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Colin Watson (cjwatson) on 2018-02-25
summary: - Launchpad Bazaar server -- hangs on SSH ECDSA authentication
+ Launchpad Bazaar and Git servers hang on SSH ECDSA/ED25519
+ authentication
Colin Watson (cjwatson) wrote :

Fixed in lazr.sshserver 0.1.6. I'll upgrade the other projects shortly so that we can actually deploy this.

Changed in lazr.sshserver:
status: In Progress → Fix Released
Colin Watson (cjwatson) on 2018-02-26
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Changed in turnip:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2018-02-26
Changed in turnip:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2018-02-26
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2018-03-01
Changed in turnip:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2018-03-02
Changed in txpkgupload:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) on 2018-03-09
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2018-03-09
Changed in txpkgupload:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

This is now fixed on all of our SSH endpoints. If you have workarounds for this in ~/.ssh/config, you can remove them now.

Changed in txpkgupload:
status: Fix Committed → Fix Released
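
Added example (not part of the original bug thread and not Launchpad's code): a Python check that finds the workaround directives quoted in the comments above when they are still present in an ssh_config, so they can be removed as the final comment suggests. The function name, the constructed sample config and the `launchpad.net` suffix match are assumptions made for this illustration.

```python
import re

# Directives the thread's workarounds set, with the values that mark them.
WORKAROUNDS = {
    "identitiesonly": lambda v: v.lower() == "yes",
    "pubkeyacceptedkeytypes": lambda v: v.lower() == "ssh-rsa",
    # Later OpenSSH releases call the same option PubkeyAcceptedAlgorithms.
    "pubkeyacceptedalgorithms": lambda v: v.lower() == "ssh-rsa",
    "kexalgorithms": lambda v: "diffie-hellman-group1-sha1" in v.lower(),
}

def find_stale_workarounds(config_text, host_suffix="launchpad.net"):
    """Return (line_no, host_patterns, directive) for every workaround
    directive inside a Host block whose patterns end in host_suffix.
    'Host *' and Match blocks are deliberately not inspected."""
    findings = []
    current_hosts = []  # patterns of the Host block currently being read
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            current_hosts = value.split() if keyword == "host" else []
            continue
        applies = any(h.lower().endswith(host_suffix) for h in current_hosts)
        check = WORKAROUNDS.get(keyword)
        if applies and check and check(value):
            findings.append((line_no, tuple(current_hosts), line))
    return findings

# Constructed sample config: first block mirrors the thread's workarounds.
SAMPLE = """\
Host bazaar.launchpad.net
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa
        PubkeyAcceptedKeyTypes ssh-rsa
        KexAlgorithms diffie-hellman-group1-sha1

Host example.org
        IdentitiesOnly yes
        KexAlgorithms=curve25519-sha256
"""

if __name__ == "__main__":
    for line_no, hosts, directive in find_stale_workarounds(SAMPLE):
        print(f"line {line_no} ({' '.join(hosts)}): {directive}")
```

To check a real file, pass its contents, for example `find_stale_workarounds(open(os.path.expanduser("~/.ssh/config")).read())` after importing `os`.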