Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1775693

Summary: paramiko lacks support for rsa-sha2-256, leads to AuthenticationException
Product: [Fedora] Fedora Reporter: Christian Heimes <cheimes>
Component: python-paramikoAssignee: Othman Madjoudj <athmanem>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 34CC: agrimm, athmanem, gwync, igor.raits, ivazqueznet, orion, paul, rebus, sgallagh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Heimes 2019-11-22 15:36:02 UTC
Description of problem:
python-paramiko lacks support for SHA2 based RSA public key authentication algorithms. rsa-sha2-256 and rsa-sha2-512 are specificed in RFC 8332. The lack of SHA2 support breaks pubkey auth with systems that have FUTURE or FIPS crypto policy enabled.

Version-Release number of selected component (if applicable):
python3-paramiko-2.6.0-2.fc31

How reproducible:
always

Steps to Reproduce:
1. Enable FUTURE crypto policy on a host: update-crypto-policies --set FUTURE
2. systemctl restart sshd
3. try to connect to host with Paramiko client

Actual results:
>>> from paramiko.client import SSHClient, AutoAddPolicy
>>> client = SSHClient()
>>> client.set_missing_host_key_policy(AutoAddPolicy())
>>> client.connect(host, key_filename="/path/to/id_rsa", username="root")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/usr/lib/python3.7/site-packages/paramiko/client.py", line 764, in _auth
    raise saved_exception
  File "/usr/lib/python3.7/site-packages/paramiko/client.py", line 700, in _auth
    self._transport.auth_publickey(username, key)
  File "/usr/lib/python3.7/site-packages/paramiko/transport.py", line 1580, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/lib/python3.7/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

journald on the host contains:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]Received disconnect from IP port 56120:11: disconnected by user

Expected results:
connection works

Additional info:
There is a new PR for RSA SHA2 https://github.com/paramiko/paramiko/pull/1520 but the PR is not yet finished. I commented on the PR and pointed out some missing bits.

Comment 1 Othman Madjoudj 2019-11-23 00:34:23 UTC
I'll include the PR once upstream accept/merge it since carrying downstream patch is not very practical.

Comment 2 Ben Cotton 2020-11-03 15:52:34 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Paul Howarth 2020-11-03 17:45:57 UTC
PR still not merged upstream.

Comment 4 Ben Cotton 2021-02-09 15:13:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.