
Add support for ecdsa keys in zuul (Also update paramiko to 2.2+)
Closed, ResolvedPublic

Description

Today I found that zuul does not like the ecdsa key given from the fingerprint when sshing in. It kept asking about rsa instead of ecdsa which was offered.

A manual way to fix this was to do

ssh -o HostKeyAlgorithms=ssh-rsa -p 29418 jenkins@127.0.0.1

to add the rsa key into known_hosts.

Event Timeline

Paladox renamed this task from Add support for edcsa keys in zuul to Add support for ecdsa keys in zuul. Jul 20 2017, 1:39 PM
Paladox updated the task description.
Paladox updated the task description.
Paladox renamed this task from Add support for ecdsa keys in zuul to Add support for ecdsa keys in zuul (Also update paramiko to 2.2+). Oct 12 2017, 8:21 PM

Change 383913 had a related patch set uploaded (by Paladox; owner: Paladox):
[integration/zuul@upstream] Update paramiko to 2.2

https://gerrit.wikimedia.org/r/383913

Change 383914 had a related patch set (by Paladox) published:
[integration/zuul@debian/jessie-wikimedia] Update paramiko to 2.2

https://gerrit.wikimedia.org/r/383914

Upstream has this https://review.openstack.org/#/c/528728/ change pending.

Maybe backport it?

Change 383913 abandoned by Hashar:
Update paramiko to 2.2

Reason:
I want to use the Debian packages as much as possible. Jessie ships python-paramiko and in debian/jessie-wikimedia we use it as a dependency to the package.

Moreover, patches to Zuul code should go to the branch patch-queue/debian/jessie-wikimedia and then get exported in the debian/jessie-wikimedia branch under /debian/patches/. I am using git buildpackage for that (command: "gbp pq") https://honk.sigxcpu.org/projects/git-buildpackage/manual-html/gbp.patches.html

https://gerrit.wikimedia.org/r/383913

hashar moved this task from Untriaged to Backlog on the Continuous-Integration-Infrastructure board.
hashar moved this task from Backlog to Enhancements on the Zuul board.

@hashar couldn’t we backport the one from stretch to Jessie if it’s the newer one and works?

Change 383914 abandoned by Hashar:
Update paramiko to 2.2

Reason:
We use the Debian package for paramiko as defined in debian/control :)

https://gerrit.wikimedia.org/r/383914

hashar added a parent task: Restricted Task. Dec 10 2019, 1:33 PM
Dzahn raised the priority of this task from Low to Medium. Jul 29 2020, 4:20 PM

Raising the priority because T240266#6289890 identified it as a blocker for T240266, which we announced but then had to cancel again.

This in turn now stalls others like T257382 and T257383.

Quoting Hashar: "There is currently a 1024 RSA key, hopefully Paramiko would support a 2048 bits one."

What we want to know here is "does it support a 2048-bit RSA key", and if it does then it's not actually a blocker for T240266 even if ECDSA support is not being added.

hashar claimed this task.

Apparently Paramiko introduced ECDSA key support with 1.12.0 (see http://www.paramiko.org/changelog.html ).

The deployed Zuul has Paramiko 1.18.5 (which comes from integration/zuul/deploy). I tried to connect to bastion.wmflabs.org using it:

$ make -f makefile.deploy deploy
$ ./venv/bin/python
>>> import paramiko
>>> client = paramiko.SSHClient()
>>> client.load_system_host_keys()
>>> client.set_missing_host_key_policy(paramiko.WarningPolicy())
>>> client.connect('bastion.wmflabs.org', username='hashar')

And surely it managed to connect over ecdsa:

>>> print(client._transport.__dict__['host_key_type'])
ecdsa-sha2-nistp256

It might not support 384- and 512-bit ones though, since they got added in Paramiko 2.x.

2.0.6 has an entry:

https://github.com/paramiko/paramiko/issues/865
[Bug] #865: SSHClient now requests the type of host key it has (e.g. from known_hosts) and does not consider a different type to be a “Missing” host key. This fixes a common case where an ECDSA key is in known_hosts and the server also has an RSA host key.

But that might be unrelated. Tentatively marking this as fixed since the Paramiko version we use nowadays (1.18.5) does have support for ecdsa.
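As an added example (not code from this task, Zuul or Paramiko), here is a small pure-Python known_hosts reader that makes the mismatch from the description and the #865 changelog entry concrete: it lists which host key types are already pinned for a host (plain and OpenSSH hashed entries), reports whether the type a server offers is one of them, and derives the HostKeyAlgorithms option from the pinned types rather than hard-coding ssh-rsa. The sample file contents and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def ssh_host_label(host, port=22):
    """known_hosts spells a non-default port as [host]:port and the default port as the bare name."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_hostname(label, salt):
    """OpenSSH hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, label))."""
    mac = hmac.new(salt, label.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def pattern_matches(pattern, label):
    """Match a known_hosts host field: comma-separated plain names or a hashed entry."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(label, salt), pattern)
    return label in pattern.split(",")

def parse_known_hosts(text):
    """Yield (host_pattern, key_type, key_blob); a leading @cert-authority/@revoked marker is dropped."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]

def pinned_key_types(text, host, port=22):
    """Host key types already trusted for this host, in file order."""
    label = ssh_host_label(host, port)
    return [ktype for pat, ktype, _ in parse_known_hosts(text) if pattern_matches(pat, label)]

def key_type_is_pinned(text, host, port, offered_type):
    """False is the situation from the description: the server chose a type we have no entry for."""
    return offered_type in pinned_key_types(text, host, port)

def host_key_algorithms_option(text, host, port=22):
    """Build the ssh -o option that asks the server for the type(s) we already trust."""
    types = pinned_key_types(text, host, port)
    return f"-o HostKeyAlgorithms={','.join(types)}" if types else None

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "[127.0.0.1]:29418 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-PLACEHOLDER",
    hash_hostname("bastion.wmflabs.org", SALT) + " ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER",
    "# comment lines and entries for other hosts do not count",
])
```

For the Gerrit entry above, `host_key_algorithms_option(SAMPLE_KNOWN_HOSTS, "127.0.0.1", 29418)` yields the ecdsa-only option, which is the pinned-type request the #865 fix makes automatically.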