Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#8279 release blocker: regression closed fixed (fixed)

Fedora 23 buildbots are failing on OpenSSH tests

Reported by: hawkowl Owned by: hawkowl
Priority: highest Milestone: Twisted 16.2
Component: conch Keywords:
Cc: z3p Branch: branches/unbork-openssh-8279-2
branch-diff, diff-cov, branch-cov, buildbot
Author: hawkowl


(Marking this as a regression because it makes a supported platform unsupported)

I believe it is because the test SSH keys are too small -- here's the test command ran with -vv:

OpenSSH_7.2p2, OpenSSL 1.0.2g-fips  1 Mar 2016
debug1: Reading configuration data /dev/null
debug2: resolving "" port 33270
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to [] port 33270.
debug1: Connection established.
debug1: identity file dsa_test type 2
debug1: key_load_public: No such file or directory
debug1: identity file dsa_test-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version Twisted
debug1: no match: Twisted
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to as \'testuser\'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos:,aes128-ctr,aes192-ctr,aes256-ctr,,,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc:,aes128-ctr,aes192-ctr,aes256-ctr,,,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,,zlib
debug2: compression stoc: none,,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-dss,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,blowfish-cbc,3des-cbc
debug2: ciphers stoc: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc,blowfish-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
ssh_dispatch_run_fatal: Connection to port 33270: DH GEX group out of range
Couldn\'t read packet: Connection reset by peer

Change History (8)

comment:1 Changed 3 years ago by DefaultCC Plugin

Cc: z3p added

comment:2 Changed 3 years ago by hawkowl

Author: hawkowl
Branch: branches/unbork-openssh-8279

(In [47191]) Branching to unbork-openssh-8279.

comment:3 Changed 3 years ago by hawkowl

Branch: branches/unbork-openssh-8279branches/unbork-openssh-8279-2

(In [47195]) Branching to unbork-openssh-8279-2.

comment:4 Changed 3 years ago by hawkowl

Keywords: review added

I figured it out, the kex was too small for OpenSSH 7.2 ( , the keys are fine (for now, anyway).

Builders spun, please review.

comment:5 Changed 3 years ago by Adi Roiban

Looks good. thanks!

Happy to see this fixed :)

I don't see any mention about the kex in the release notes. It only talk about RSA key size.

Please merge.

comment:6 Changed 3 years ago by Adi Roiban

Keywords: review removed
Owner: set to hawkowl

see previous message. sorry for the noise.


comment:7 Changed 3 years ago by hawkowl

Resolution: fixed
Status: newclosed

(In [47204]) Merge unbork-openssh-8279-2: Fix OpenSSH-using tests on Fedora 23

Author: hawkowl Reviewer: adiroiban Fixes: #8279

comment:8 Changed 3 years ago by Tristan Seligmann

For posterity's sake, I believe this is the relevant line in the release notes:

  • ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.

diffie-hellman-group1-sha1 uses a 1024 bit group, whereas diffie-hellman-group14-sha1 uses a 2048 bit group.

Note: See TracTickets for help on using tickets.