Add use_rsa_sha2_algorithms option for paramiko #78789

Merged
merged 8 commits into from
Sep 21, 2022

sivel (Member) commented Sep 15, 2022

SUMMARY

Add use_rsa_sha2_algorithms option, keep rsa-sha2 enabled by default

ISSUE TYPE

  • Bugfix Pull Request
  • Feature Pull Request

COMPONENT NAME

lib/ansible/plugins/connection/paramiko_ssh.py

ADDITIONAL INFORMATION

@ansibot ansibot added WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. affects_2.14 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. test This PR relates to tests. labels Sep 15, 2022
nitzmahone (Member) left a comment

This is definitely the low-friction and easy fix. If we assume we're not making significant investments in paramiko in the future, this is probably sufficient (vs more configurable explicit lists of enabled/disabled algos, or a "single algo" (per type) override that would allow us to be specific without monkeypatching). I'm +1 for this as-is, other than probably switching the default for security over convenience. 😆

@nitzmahone nitzmahone removed the needs_triage Needs a first human triage before being processed. label Sep 15, 2022
webknjaz (Member) commented

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

sivel and others added 2 commits September 20, 2022 09:49
Co-authored-by: Matt Clay <matt@mystile.com>
Co-authored-by: Matt Clay <matt@mystile.com>
@ansibot ansibot added needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. and removed needs_ci This PR requires CI testing to be performed. Please close and re-open this PR to trigger CI. labels Sep 20, 2022
@ansibot ansibot added the new_plugin This PR includes a new plugin. label Sep 20, 2022
ansibot (Contributor) commented Sep 20, 2022

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/plugins/connection/paramiko_ssh.py:0:0: option-incorrect-version-added: version_added for new option (use_rsa_sha2_algorithms) should be '2.15'. Currently StrictVersion ('2.14')

@ansibot ansibot added the ci_verified Changes made in this PR are causing tests to fail. label Sep 20, 2022
@sivel sivel marked this pull request as ready for review September 20, 2022 23:54
sivel (Member, Author) commented Sep 20, 2022

version_added test is failing, and that is expected, since we'll backport this to 2.14.

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. labels Sep 20, 2022
@ansibot ansibot removed the ci_verified Changes made in this PR are causing tests to fail. label Sep 21, 2022
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Sep 21, 2022
@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Sep 21, 2022
@sivel sivel changed the title Add use_rsa_sha2_algorithms option, disable rsa-sha2 by default Add use_rsa_sha2_algorithms option for paramiko Sep 21, 2022
@sivel sivel merged commit 76b7466 into ansible:devel Sep 21, 2022
sivel added a commit to sivel/ansible that referenced this pull request Sep 21, 2022
…ble#78789)

Fixes ansible#76737
Fixes ansible#77673

Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 76b7466)

Co-authored-by: Matt Martz <matt@sivel.net>
sivel added a commit that referenced this pull request Sep 21, 2022
…) (#78842)

Fixes #76737
Fixes #77673

Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 76b7466)

Co-authored-by: Matt Martz <matt@sivel.net>
@mattclay mattclay mentioned this pull request Sep 22, 2022
1 task
@ansible ansible locked and limited conversation to collaborators Sep 28, 2022
Labels
affects_2.14 bug This issue/PR relates to a bug. ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. new_plugin This PR includes a new plugin. support:core This issue/PR relates to code supported by the Ansible Engineering Team. test This PR relates to tests.
Projects
ansible-core 2.14
  
Awaiting triage

5 participants