python3-paramiko can't connect to Jammy hosts, likely because of the stricter signature requirements introduced in openssh 8.8p1-1.
Reproducer:
1. Set up a passwordless keypair and add localhost to known_hosts, so that:
paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost date
2022-02-23T12:35:39 CET
2. Try the same with paramiko from python3-paramiko:
$ ipython3
In [1]: from paramiko import SSHClient
In [2]: client = SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename='/home/paride/.ssh/id_rsa_insecure')
Unknown exception: q must be exactly 160, 224, or 256 bits long
[Full Traceback Below]
3. Try with a newer paramiko:
$ python3 -m venv /tmp/newparamiko
$ source /tmp/newparamiko/bin/activate
$ pip install -q paramiko==2.9.2
$ ipython3
In [1]: from paramiko import SSHClient
In [2]: client = SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename='/home/paride/.ssh/id_rsa_insecure')
In [5]: # It works!
The Point 2. failure can be reproduced by installing older versions of paramiko via pip, so the issue is not specific to Ubuntu. Likely related upstream changes/issues:
* https://github.com/paramiko/paramiko/pull/1643
* https://github.com/paramiko/paramiko/issues/1955
--- Point 2. Traceback ---
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in sign_ssh_data
    key = dsa.DSAPrivateNumbers(
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 244, in private_key
    return backend.load_dsa_private_numbers(self)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 827, in load_dsa_private_numbers
    dsa._check_dsa_private_numbers(numbers)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 282, in _check_dsa_private_numbers
    _check_dsa_parameters(parameters)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 274, in _check_dsa_parameters
    raise ValueError("q must be exactly 160, 224, or 256 bits long")
ValueError: q must be exactly 160, 224, or 256 bits long
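
What a stricter signature requirement for RSA keys means on the wire, as an added example that is not part of the original report and is not paramiko's or OpenSSH's code: the same key yields a different SSH signature blob per algorithm name, and a server can refuse the SHA-1 `ssh-rsa` variant on policy before doing any RSA math. It assumes the requirement in question is refusal of `ssh-rsa` signatures, uses a constructed toy key, and signs bare data rather than the full SSH userauth payload; all function names are hypothetical.

```python
import hashlib, random, struct

# EMSA-PKCS1-v1_5 DigestInfo prefixes (RFC 8017 sec. 9.2) per SSH signature algorithm.
DIGEST_INFO = {
    "ssh-rsa": (hashlib.sha1, "3021300906052b0e03021a05000414"),
    "rsa-sha2-256": (hashlib.sha256, "3031300d060960864801650304020105000420"),
    "rsa-sha2-512": (hashlib.sha512, "3051300d060960864801650304020305000440"),
}
# Assumption: a server policy that no longer accepts SHA-1 "ssh-rsa" signatures.
ACCEPTED = ("rsa-sha2-512", "rsa-sha2-256")

def _prime(bits, rng):
    # Fermat test only: adequate for a throwaway demo key, nothing else.
    while True:
        p = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if p % 65537 != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p

def make_demo_key(seed=0):
    """Constructed 1024-bit toy key from a seeded, non-cryptographic RNG."""
    rng = random.Random(seed)
    p, q = _prime(512, rng), _prime(512, rng)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def _emsa(alg, data, k):
    hash_fn, prefix = DIGEST_INFO[alg]
    t = bytes.fromhex(prefix) + hash_fn(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _string(b):
    return struct.pack(">I", len(b)) + b

def sign_blob(key, alg, data):
    """Client side: SSH signature blob = string(alg name) + string(signature)."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa(alg, data, k), "big"), d, n)
    return _string(alg.encode()) + _string(sig.to_bytes(k, "big"))

def server_check(key, blob, data, accepted=ACCEPTED):
    """Server side: policy check on the algorithm name, then RSA verification."""
    n, e, _ = key
    alen = struct.unpack(">I", blob[:4])[0]
    alg, sig = blob[4:4 + alen].decode(), blob[8 + alen:]
    if alg not in accepted:
        return "rejected: algorithm " + alg
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return "accepted" if em == _emsa(alg, data, k) else "rejected: bad signature"
```

Passing `accepted=("ssh-rsa",)` to `server_check` models a server that still allows the SHA-1 variant, which is why the same key and client can work against one host and fail against another.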