x/crypto/ssh: unsupported DSA key size 2048 #40691

Open
YohanArnoux opened this issue Aug 11, 2020 · 9 comments

Comments


@YohanArnoux YohanArnoux commented Aug 11, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.8 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/yohan/.cache/go-build"
GOENV="/home/yohan/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/yohan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build019219636=/tmp/go-build -gno-record-gcc-switches"


What did you do?

I try to connect to an OpenVMS server with an ssh2 rsa key (that works when I try to connect in the terminal with ssh -i etc)

What did you expect to see?

No connection error

What did you see instead?

An error that says handshake failed: ssh: unsupported DSA key size 2048
But I'm using an ssh2-rsa key, 1024-bit

Contributor

@seankhliao seankhliao commented Aug 11, 2020

Is the server you are connecting to using the DSA key?

Note #40337 proposes removing support for DSA in ssh entirely.

Author

@YohanArnoux YohanArnoux commented Aug 11, 2020

No, I'm using an ssh2-rsa key.
I will try to remove DSA support, and if it doesn't work I will send back a message. Thank you!

Author

@YohanArnoux YohanArnoux commented Aug 11, 2020

I tried to remove the dsa file in my crypto folder and it doesn't work. I will wait for a response on note #40337, thank you!

Contributor

@rsc rsc commented Aug 11, 2020

What is the Go issue here? Is the client Go source code? Can you point us to the exact program you are running?
Assuming the OpenVMS server isn't lying, clearly something is finding a DSA key somewhere.

Author

@YohanArnoux YohanArnoux commented Aug 11, 2020

Here is the code I'm using:
```go
package main

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"

	"golang.org/x/crypto/ssh"
)

func main() {
	// Load and parse the client's private key.
	pk, err := ioutil.ReadFile(os.Getenv("HOME") + "/.ssh/id_rsa_1024_vms")
	if err != nil {
		panic(err)
	}
	signer, err := ssh.ParsePrivateKey(pk)
	if err != nil {
		panic(err)
	}

	config := &ssh.ClientConfig{
		User: "ya",
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signer),
		},
		// Accepts whatever host key the server presents, without verifying it.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}
	// Legacy algorithms, set explicitly for the OpenVMS server.
	config.Config.KeyExchanges = []string{"diffie-hellman-group1-sha1"}
	config.Config.Ciphers = []string{"aes128-cbc"}

	client, err := ssh.Dial("tcp", "sg1.sysgroup.fr:1022", config)
	if err != nil {
		panic("Failed to dial: " + err.Error())
	}

	// Each ClientConn can support multiple interactive sessions,
	// represented by a Session.
	session, err := client.NewSession()
	if err != nil {
		panic("Failed to create session: " + err.Error())
	}
	defer session.Close()

	// Once a Session is created, you can execute a single command on
	// the remote side using the Run method.
	var b bytes.Buffer
	session.Stdout = &b

	if err := session.Run("ls"); err != nil {
		panic("Failed to run: " + err.Error())
	}
	fmt.Println(b.String())
}
```

Author

@YohanArnoux YohanArnoux commented Aug 11, 2020

The code stops at the "fail to dial" error with the famous unsupported key size.

Contributor

@seankhliao seankhliao commented Aug 11, 2020

As I mentioned before, the server you are connecting to is (only) offering a DSA key:

```
ssh -T -oKexAlgorithms=diffie-hellman-group1-sha1 -p 1022 sg1.sysgroup.fr
Unable to negotiate with 109.3.221.206 port 1022: no matching host key type found. Their offer: ssh-dss
```

Author

@YohanArnoux YohanArnoux commented Aug 11, 2020

I don't understand something: if the server is only offering a DSA key, why can I connect to it with an ssh2 rsa key when I do ssh -i and not with Go?

@andybons andybons added this to the Unplanned milestone Aug 11, 2020
@andybons andybons changed the title unsupported DSA key size 2048 x/crypto/ssh: unsupported DSA key size 2048 Aug 11, 2020
Contributor

@seankhliao seankhliao commented Aug 12, 2020

ssh public key auth needs 2 keys, 1 from the server, 1 from the client. Key types don't have to match, but the ssh client/daemon needs to be able to understand/use the keys of both itself and the other party.
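
The two-key point above, as an added example that is not part of the thread and not code from x/crypto/ssh: a standard-library Go program that decodes SSH public key blobs (RFC 4253) and reports their type and size, so the size in the error can be traced to the server's ssh-dss host key rather than the client's RSA key. `KeyInfo`, `Usable` and `Blob` are hypothetical names, the sample blobs are constructed, and the rule that ssh-dss is accepted only at 1024 bits is an assumption taken from the error message in this issue.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

// next pops one RFC 4251 string (uint32 length, then bytes) from blob.
func next(blob []byte) (f, rest []byte, err error) {
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
		return nil, nil, fmt.Errorf("truncated key blob")
	}
	n := binary.BigEndian.Uint32(blob)
	return blob[4 : 4+n], blob[4+n:], nil
}

// KeyInfo reads a public key blob (RFC 4253 section 6.6). ssh-dss is sized by
// p, its 1st integer; ssh-rsa by n, its 2nd. Other types report 0 bits.
func KeyInfo(blob []byte) (algo string, bits int, err error) {
	f, rest, err := next(blob)
	algo = string(f)
	want := map[string]int{"ssh-dss": 1, "ssh-rsa": 2}[algo]
	for i := 1; err == nil && i <= want; i++ {
		if f, rest, err = next(rest); err == nil && i == want {
			bits = new(big.Int).SetBytes(f).BitLen()
		}
	}
	return algo, bits, err
}

// Usable assumes a client that takes ssh-dss only at 1024 bits, as the quoted error implies.
func Usable(algo string, bits int) bool { return algo != "ssh-dss" || bits == 1024 }

// Blob builds a constructed (not real) key blob; bitLens must be multiples of 8.
func Blob(algo string, bitLens ...int) []byte {
	out := append([]byte{0, 0, 0, byte(len(algo))}, algo...)
	for _, n := range bitLens {
		out = append(out, 0, 0, byte((n/8+1)>>8), byte(n/8+1), 0, 0x80) // length, sign guard, top bit
		out = append(out, make([]byte, n/8-1)...)
	}
	return out
}

func main() {
	for _, k := range [][]byte{Blob("ssh-dss", 2048, 160, 8, 8), Blob("ssh-rsa", 24, 1024)} {
		algo, bits, _ := KeyInfo(k)
		fmt.Println(algo, bits, "usable:", Usable(algo, bits))
	}
}
```

The first blob stands in for the host key the server offers and the second for the client key loaded from `id_rsa_1024_vms`; only the first fails the size rule.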
