Can't connect to Jammy hosts (openssh >= 8.8p1-1)

Bug #1961979 reported by Paride Legovini
Affects              Status        Importance  Assigned to  Milestone
paramiko (Ubuntu)    Fix Released  High        Unassigned
  Bionic             New           Undecided   Unassigned
  Focal              New           Undecided   Unassigned
  Impish             Won't Fix     Undecided   Unassigned
  Jammy              Fix Released  High        Unassigned

Bug Description

python3-paramiko can't connect to Jammy hosts, likely because of the stricter signature requirements introduced in openssh 8.8p1-1.

Reproducer:

1. Set up a passwordless keypair and add localhost to known_hosts:

$ sudo apt install -y openssh-server openssh-client ipython3 python3-paramiko
$ ssh-keygen -f ~/.ssh/id_rsa_insecure
$ SSH_AUTH_SOCK= ssh-copy-id -i ~/.ssh/id_rsa_insecure localhost

2. Verify setup:

paride@stramonio:~$ SSH_AUTH_SOCK= ssh -i ~/.ssh/id_rsa_insecure localhost date
2022-02-23T12:35:39 CET

3. Try the same with paramiko from python3-paramiko:

$ ipython3

In [1]: import paramiko, os
In [2]: client = paramiko.SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
Unknown exception: q must be exactly 160, 224, or 256 bits long
[Full Traceback Below]

4. Try with a newer paramiko:

$ python3 -m venv /tmp/newparamiko
$ source /tmp/newparamiko/bin/activate
$ pip install -q paramiko==2.9.2
$ ipython3

In [1]: import paramiko, os
In [2]: client = paramiko.SSHClient()
In [3]: client.load_system_host_keys()
In [4]: client.connect('localhost', key_filename=os.path.expanduser('~/.ssh/id_rsa_insecure'))
In [5]: # It works!

The failure in point 3 can be reproduced by installing older versions of paramiko via pip, so the issue is not specific to Ubuntu. Likely related upstream changes/issues:

* https://github.com/paramiko/paramiko/pull/1643
* https://github.com/paramiko/paramiko/issues/1955

--- Point 3. Traceback ---

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/usr/lib/python3/dist-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/usr/lib/python3/dist-packages/paramiko/dsskey.py", line 109, in sign_ssh_data
    key = dsa.DSAPrivateNumbers(
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 244, in private_key
    return backend.load_dsa_private_numbers(self)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 827, in load_dsa_private_numbers
    dsa._check_dsa_private_numbers(numbers)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 282, in _check_dsa_private_numbers
    _check_dsa_parameters(parameters)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/dsa.py", line 274, in _check_dsa_parameters
    raise ValueError("q must be exactly 160, 224, or 256 bits long")
ValueError: q must be exactly 160, 224, or 256 bits long
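
The failure above comes from the signature-algorithm negotiation for RSA user keys: OpenSSH 8.8 dropped the SHA-1 "ssh-rsa" signature algorithm from its defaults, and a client that cannot produce the SHA-2 variants ("rsa-sha2-256"/"rsa-sha2-512", RFC 8332) is left with nothing the server accepts. The following is an added example, not code from this bug report or from paramiko; it models that negotiation over constructed "server-sig-algs" lists so the legacy and SHA-2-capable client cases can be compared side by side.

```python
# Added example (not from the bug report or from paramiko): models the
# RFC 8332 "server-sig-algs" negotiation that decides which signature
# algorithm an SSH client uses for an RSA user key, and why a client that
# can only sign with "ssh-rsa" (SHA-1) fails against OpenSSH >= 8.8 defaults.
from typing import Iterable, List, Optional

# Client preference for RSA keys per RFC 8332: SHA-2 variants first, then the
# legacy SHA-1 "ssh-rsa" only if the server still lists it as accepted.
RSA_SHA2_ALGS = ("rsa-sha2-512", "rsa-sha2-256")
LEGACY_RSA_ALG = "ssh-rsa"

def parse_name_list(value: str) -> List[str]:
    """Split an SSH name-list (comma-separated, RFC 4251) into its entries."""
    return [name for name in value.split(",") if name]

def server_sends_ext_info(server_kex_algorithms: Iterable[str]) -> bool:
    """A server that will send SSH_MSG_EXT_INFO (carrying server-sig-algs)
    advertises the pseudo KEX algorithm 'ext-info-s' in its KEXINIT."""
    return "ext-info-s" in set(server_kex_algorithms)

def choose_rsa_sig_alg(server_sig_algs: Iterable[str],
                       client_has_sha2: bool) -> Optional[str]:
    """Pick the signature algorithm for an RSA user key, or None when the
    client cannot produce anything the server accepts (publickey auth fails)."""
    accepted = set(server_sig_algs)
    candidates = list(RSA_SHA2_ALGS) if client_has_sha2 else []
    candidates.append(LEGACY_RSA_ALG)
    for alg in candidates:
        if alg in accepted:
            return alg
    return None

# Constructed server-sig-algs values (illustrative, not copied from sshd):
# an older server that still accepts SHA-1 RSA signatures, and a server with
# OpenSSH >= 8.8 style defaults where "ssh-rsa" is no longer accepted.
OLD_SERVER_SIG_ALGS = "ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256"
NEW_SERVER_SIG_ALGS = "ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256"

def diagnose(server_sig_algs_value: str, client_has_sha2: bool) -> str:
    """One-line verdict for a client/server combination."""
    alg = choose_rsa_sig_alg(parse_name_list(server_sig_algs_value), client_has_sha2)
    if alg is None:
        return "publickey auth with an RSA key will be rejected: no common signature algorithm"
    return f"RSA key will be used with signature algorithm {alg}"

if __name__ == "__main__":
    # SHA-1-only client (the pre-2.9 paramiko case) against both servers,
    # then a SHA-2-capable client against the newer server.
    print(diagnose(OLD_SERVER_SIG_ALGS, client_has_sha2=False))
    print(diagnose(NEW_SERVER_SIG_ALGS, client_has_sha2=False))
    print(diagnose(NEW_SERVER_SIG_ALGS, client_has_sha2=True))
```

The "q must be exactly 160, 224, or 256 bits long" message in the traceback is a downstream symptom (the DSS code path is reached after the RSA attempt is rejected); the negotiation result above is the actual decision point.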

Tags: fr-2082
Paride Legovini (paride)
Changed in paramiko (Ubuntu):
importance: Undecided → High
tags: added: rls-jj-incoming
tags: added: fr-2082
Revision history for this message
Paride Legovini (paride) wrote :

I added tasks for existing stable releases. I think we need to assess how badly this is going to impact users of stable releases, and evaluate if SRUs are an option. I had a first look and I don't think this is SRU material (too many changes, not limited to src:paramiko), but let's decide deliberately.

tags: removed: rls-jj-incoming
Benjamin Drung (bdrung)
description: updated
Benjamin Drung (bdrung) wrote :

I checked the upstream changes between 2.8.1 (jammy version) and 2.9.3: https://github.com/paramiko/paramiko/compare/2.8.1...2.9.3

There are only a few commits:

* Weird typos introduced 2 years ago, bah (only change to test cases)
* Longterm TODOs (adds only comments)
* Enhance kex DEBUG logging to be more readable
* Add support for RSA SHA2 host and public keys (we want this one)
* Add agent RSA-SHA2 support, also tweak changelog w/ more tickets (we want this one too)
* Changelog format tweak (only doc update)
* Cut 2.9.0
* Changelog and test re #1955 (we want this one)
* Fix #1955 (we want this one)
* Cut 2.9.1
* Add more visible backwards compat warning re 2.9 RSA2 changes (only doc update)
* Fix up logging and exception handling re: pubkey auth and presence/lack of server-sig-algs (we want this one)
* Cut 2.9.2
* Clarify disabled algorithms keys vs pubkeys in changelog (only doc update)
* Fix publickey authentication with signed RSA key (we want this one)
* Changelog closes #1963, closes #1977 (only doc update)
* util: store thread assigned id in thread-local storage, fixes #2002 (we want this one)
* Changelog re #2002, re #2003, closes #2002 (only doc update)
* Cut 2.9.3

Result: The difference between 2.8 and 2.9 is basically the RSA2 support that we want/need. Only the commit "Enhance kex DEBUG logging to be more readable" is not needed. So I say let's update the paramiko package to 2.9.3 instead of "backporting" the change.

For the SRUs we might only backport the client side support which is a smaller patch.

Benjamin Drung (bdrung) wrote :

I filed bug #1968730 as feature freeze exception request to fix this bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package paramiko - 2.9.3-0ubuntu1

---------------
paramiko (2.9.3-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1968730).
    - Add support for SHA-2 variants of RSA key verification algorithms
      to support openssh >= 8.8p1-1 (Closes: #1007168, LP: #1961979)
  * Refresh patches.

 -- Benjamin Drung <email address hidden> Tue, 12 Apr 2022 16:26:58 +0200

Changed in paramiko (Ubuntu Jammy):
status: New → Fix Released
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in paramiko (Ubuntu Impish):
status: New → Won't Fix