implement curve25519-sha256@libssh.org #214

Closed
mfazekas opened this Issue Jan 7, 2015 · 33 comments

Collaborator

mfazekas commented Jan 7, 2015

see #211

@mfazekas mfazekas added this to the 2.10 milestone Jan 7, 2015

@mfazekas mfazekas self-assigned this Jan 7, 2015


Seegras commented Jan 15, 2015

That is not the only algorithm missing (but the only relevant kex that is missing. The others use NIST curves, which you should avoid anyway).

MACs:
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
Basically, you can ignore every MAC with md5 and sha1

Ciphers:
chacha20-poly1305@openssh.com


odigity commented Jan 16, 2015

+1

Just ran into this today, and took me a long time to figure out what the problem was, because I could ssh to user@host, but not cap to it... (was using ed25519 keys, had to replace them with rsa to work)


ghost commented Jan 16, 2015

+1


Collaborator

mfazekas commented Jan 16, 2015

@odigity ed25519 for private key, right? What was the error? 2.9.2 should give meaningful errors about this. And yes, there is a lot of stuff to implement, PRs welcome.


odigity commented Jan 16, 2015

Contents of config/deploy/development.rb:

server 'web1.porcclub.dev', roles: ['web'], ssh_options: {
  auth_methods:  ['publickey'],
  forward_agent: true,
  keys:          [ENV['HOME'] + '/.ssh/porcclub_deploy_rsa'],
#  keys:          [ENV['HOME'] + '/.ssh/porcclub_deploy_ed25519'],
  user:          'portal'
}

With RSA key:

vagrant@web1:~/portal$ cap development check_ssh_forwarding
DEBUG [3f665050] Running /usr/bin/env whoami on web1.porcclub.dev
DEBUG [3f665050] Command: /usr/bin/env whoami
DEBUG [3f665050] Finished in 0.087 seconds with exit status 0 (successful).
DEBUG [3f665050]    portal
DEBUG [3f665050] Finished in 0.087 seconds with exit status 0 (successful).

Comment out RSA key, uncomment ed25519 key:

vagrant@web1:~/portal$ cap development check_ssh_forwarding
DEBUG [834e3868] Running /usr/bin/env whoami on web1.porcclub.dev
DEBUG [834e3868] Command: /usr/bin/env whoami
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing on host web1.porcclub.dev: Authentication failed for user portal@web1.porcclub.dev
/home/vagrant/portal/lib/capistrano/tasks/misc.rake:6:in `block (2 levels) in <top (required)>'
Net::SSH::AuthenticationFailed: Authentication failed for user portal@web1.porcclub.dev
/home/vagrant/portal/lib/capistrano/tasks/misc.rake:6:in `block (2 levels) in <top (required)>'
Tasks: TOP => check_ssh_forwarding
(See full trace by running task with --trace)

Confirmed that both public keys are in portal user's authorized_keys file, and am able to SSH on the command line using either key.


odigity commented Jan 16, 2015

The good news is I managed to find a way around this problem.

Turns out if you're using SSH agent forwarding, rather than having net-ssh source the key directly, then ed25519 keys work fine under Capistrano.

I did the following, starting on my Ubuntu 14.04.1 desktop:

  1. I killed gnome-keyring, which comes on by default in Ubuntu and ALSO doesn't support ed25519.
  2. Started up ssh-agent instead.
  3. Added my ed25519 key to it via ssh-add.
  4. Enabled forwarding in my Vagrantfile via config.ssh_forward_agent = true and reloaded the VM.
  5. vagrant ssh
  6. cap development check_ssh_forwarding

And it worked. The auth chain extended into the next hop (portal@web.porcclub.dev), and from there to my GitLab server (both places had the ed25519 pub key already configured, obviously).


odigity commented Jan 16, 2015

Update: All of a sudden it's no longer working, but RSA still is. Not sure if I made a mistake earlier, or if I screwed something up after.

Guess I have to fall back to RSA keys for now after all...


Collaborator

mfazekas commented Feb 15, 2015

ed25519 is coming thanks to https://github.com/cryptosphere/rbnacl see #228
Password-protected keys are only supported when already loaded into the agent.


odigity commented Feb 15, 2015

Woo hoo!


centromere commented Feb 15, 2015

+1


yolk commented Jun 5, 2015

Any news on this?


doits commented Jun 15, 2015

+1, stumbled at this right now, capistrano (using this library) was always asking for ssh password and I had to debug this for > 20 min to find out it was because of me using an ed25519 key ...


indiv0 commented Jul 19, 2015

+1, the vagrant-libvirt plugin uses this library and because of this issue it ends up asking for an SSH password if an ed25519 key is used.


JamesHarrison commented Jul 31, 2015

+1 here - if it's not going to be fixed, can I suggest that the unimplemented key error be surfaced so that this isn't utterly opaque without the ssh_options verbose flag set to debug?


Collaborator

mfazekas commented Jul 31, 2015

@JamesHarrison can you please clarify the use case?
You have an ed25519 key set up and net-ssh falls back to plain password auth, and you want some warning explaining that the ed25519 key was ignored as it's not supported?


JamesHarrison commented Jul 31, 2015

@mfazekas Apologies, failed to spot this wasn't the Capistrano git, my mistake! In Capistrano, if a server is configured not to permit password authentication then you simply get an authentication failed message with no explanation as to what happened or why your authentication failed. Capistrano doesn't display net-ssh messages by default, even if they're errors.


qzio commented Jan 19, 2016

👍
I was struck by this using chef's knife ssh.

Would be really nice to at least get an error.


ernetas commented Feb 18, 2016

👍 Really missing this.

P. S. @qzio not sure about Chef, but e.g., in Capistrano you can increase verbosity of SSH and that shows a normal error.


Collaborator

mfazekas commented Mar 19, 2016

FYI: just released net-ssh 4.0.0.alpha1 with support for ed25519

@mfazekas mfazekas modified the milestones: 2.10, 4.0 Mar 19, 2016


jkraemer commented Aug 7, 2016

this works great for me with alpha1 and alpha3 but appears to be broken again in alpha4 and beta1.

alpha4 yields NameError: uninitialized constant Net::SSH::Buffer::ED25519, beta1 yields uninitialized constant Net::SSH::Authentication::ED25519Loader::ED25519_LOAD_ERROR when trying to connect using an ed25519 key. Ruby 2.3.0.

Edit: here's the stack traces:

alpha4:

NameError: uninitialized constant Net::SSH::Buffer::ED25519
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/buffer.rb:259:in `read_keyblob'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/buffer.rb:239:in `read_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/key_factory.rb:106:in `load_data_public_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/key_factory.rb:87:in `load_public_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/key_manager.rb:221:in `block in load_identities'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/key_manager.rb:217:in `map'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/key_manager.rb:217:in `load_identities'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/key_manager.rb:101:in `each_identity'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/session.rb:80:in `block in authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/session.rb:66:in `each'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh/authentication/session.rb:66:in `authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.alpha4/lib/net/ssh.rb:245:in `start'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/connection_pool.rb:59:in `call'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/connection_pool.rb:59:in `with'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/netssh.rb:143:in `with_ssh'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/netssh.rb:96:in `execute_command'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `block in create_command_and_execute'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `tap'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `create_command_and_execute'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:69:in `execute'
/home/jk/.gem/ruby/2.3.0/gems/capistrano-3.4.1/lib/capistrano/tasks/git.rake:17:in `block (3 levels) in <top (required)>'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:29:in `instance_exec'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:29:in `run'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'

beta1:

NameError: uninitialized constant Net::SSH::Authentication::ED25519Loader::ED25519_LOAD_ERROR
Did you mean?  Net::SSH::Authentication::ED25519Loader
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/ed25519_loader.rb:17:in `raiseUnlessLoaded'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/buffer.rb:262:in `read_keyblob'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/buffer.rb:242:in `read_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/key_factory.rb:103:in `load_data_public_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/key_factory.rb:84:in `load_public_key'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/key_manager.rb:221:in `block in load_identities'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/key_manager.rb:217:in `map'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/key_manager.rb:217:in `load_identities'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/key_manager.rb:101:in `each_identity'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/methods/publickey.rb:19:in `authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/session.rb:80:in `block in authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/session.rb:66:in `each'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh/authentication/session.rb:66:in `authenticate'
/home/jk/.gem/ruby/2.3.0/gems/net-ssh-4.0.0.beta1/lib/net/ssh.rb:241:in `start'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/connection_pool.rb:59:in `call'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/connection_pool.rb:59:in `with'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/netssh.rb:143:in `with_ssh'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/netssh.rb:96:in `execute_command'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `block in create_command_and_execute'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `tap'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:137:in `create_command_and_execute'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:69:in `execute'
/home/jk/.gem/ruby/2.3.0/gems/capistrano-3.4.1/lib/capistrano/tasks/git.rake:17:in `block (3 levels) in <top (required)>'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:29:in `instance_exec'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/backends/abstract.rb:29:in `run'
/home/jk/.gem/ruby/2.3.0/gems/sshkit-1.10.0/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'

Collaborator

mfazekas commented Aug 7, 2016

Can you execute this to debug the problem?

bundle exec irb
require 'net/ssh'
require 'net/ssh/authentication/ed25519_loader'
puts Net::SSH::Authentication::ED25519Loader::ERROR

jkraemer commented Aug 8, 2016

Sure. Here's the result with beta1:

irb(main):001:0> require 'net/ssh'
=> true
irb(main):002:0> require 'net/ssh/authentication/ed25519_loader'
=> false
irb(main):003:0> puts Net::SSH::Authentication::ED25519Loader::ERROR
rbnacl-libsodium is not part of the bundle. Add it to Gemfile.
=> nil

Collaborator

mfazekas commented Aug 8, 2016

@jkraemer I've just updated 4.0.0-beta2, which should raise the correct error. As the error stated, you need to add rbnacl-libsodium and rbnacl to your Gemfile in order for ed25519 support to work.


jkraemer commented Aug 9, 2016

thanks, this works!

On 08/08, Miklós Fazekas wrote:

@jkraemer I've just updated 4.0.0-beta2, which should raise the correct error. As the error stated, you need to add rbnacl-libsodium and rbnacl to your Gemfile in order for ed25519 support to work.



Jens Krämer
https://jkraemer.net/


epinault commented Oct 12, 2016

Any idea when this will be released in non beta?


Collaborator

mfazekas commented Oct 13, 2016

@epinault have you tried the beta? Did it work for you? I'll try to do an rc release this week.


epinault commented Oct 13, 2016

I did install the beta and it worked. I was just having trouble picking it up with Bundler.


Collaborator

mfazekas commented Oct 15, 2016

@epinault what's the issue with bundler? You should be able to do

gem 'net-ssh', '= 4.0.0.beta2'

or even

gem 'net-ssh', github: 'net-ssh/net-ssh'

epinault commented Oct 17, 2016

I was trying >= 4.0 and it would not work because it is in beta. But I found that you have to be specific with the beta version. Anyway, not a big issue. Can't wait for the final release of this version of the gem :)


Collaborator

mfazekas commented Nov 29, 2016

https://rubygems.org/gems/net-ssh/versions/4.0.0.rc1 is now released. For now rbnacl-libsodium, rbnacl, bcrypt_pbkdf have to be added to Gemfile for ed25519 to work.
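
Added example, not part of the thread and not net-ssh code: a preflight check that reports, before any connection is attempted, which configured keys are ed25519 while the gems named in the comment above are absent, so the failure is not a bare "Authentication failed". The helper names (`public_key_type`, `ed25519_preflight`, `installed_gems`) and the sample keys are hypothetical and constructed; only the gem list comes from the thread.

```ruby
# Gems the thread lists as required in the Gemfile for ed25519 (net-ssh 4.0.0.rc1).
ED25519_GEMS = %w[rbnacl-libsodium rbnacl bcrypt_pbkdf].freeze

# Algorithm name read from the key blob itself (SSH wire format: uint32
# length, then the name); nil if the line is malformed or mislabelled.
def public_key_type(line)
  label, b64 = line.strip.split(/\s+/, 3)
  return nil if label.nil? || b64.nil?
  blob = b64.unpack1('m0') # strict base64, raises ArgumentError if invalid
  return nil if blob.bytesize < 4
  len = blob.unpack1('N')
  return nil if len > blob.bytesize - 4
  name = blob.byteslice(4, len)
  name == label ? name : nil
rescue ArgumentError
  nil
end

def installed_gems(names)
  names.select { |n| Gem::Specification.find_all_by_name(n).any? }
end

# Hypothetical helper: one warning per key that cannot be used as-is.
# keys maps a path to the contents of its .pub file.
def ed25519_preflight(keys, available: installed_gems(ED25519_GEMS))
  missing = ED25519_GEMS - available
  keys.each_with_object([]) do |(path, line), warnings|
    case public_key_type(line)
    when nil
      warnings << "#{path}: unreadable or mislabelled public key"
    when 'ssh-ed25519'
      next if missing.empty?
      warnings << "#{path}: ed25519 key needs gems: #{missing.join(', ')}"
    end
  end
end

# Constructed sample keys (32 zero bytes of key material, not real keys).
def sample_blob(type)
  [[type.bytesize].pack('N') + type + [32].pack('N') + ("\0" * 32)].pack('m0')
end

SAMPLE_KEYS = {
  'deploy_ed25519.pub' => "ssh-ed25519 #{sample_blob('ssh-ed25519')} deploy@example",
  'deploy_rsa.pub'     => "ssh-rsa #{sample_blob('ssh-rsa')} deploy@example"
}.freeze

puts ed25519_preflight(SAMPLE_KEYS, available: ['rbnacl'])
```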


leehambley commented Dec 29, 2016

With net-ssh 4.0 out (congratulations on a solid release 🍾 !) Capistrano (and SSHKit) have been weighing what to do about the new important dependencies over at capistrano/capistrano#1825

We think it'd be logical to have net-ssh require these new gems directly as ed25519 keys are rapidly becoming the default.

What do you think? (Sorry if I'm hijacking this issue), I'm picking up mostly on the line

For now rbnacl-libsodium, rbnacl, bcrypt_pbkdf have to be added to Gemfile for ed25519 to work.

And wondering what the grounds for the "for now" part are!


Collaborator

mfazekas commented Dec 29, 2016
