net-ssh fails under version 3.0.0 of the library when trying to connect to a server using an rsa host key

[skaes]

If I understand it correctly, version 3.0.0, when compiled against an openssl 1.1 library is supposed to work as before,

Unfortunately it can not connect to host that use an RSA host key:

. /net-ssh-test some-host-using-an-rsa-host-key
D, [2022-01-04T10:39:43.730661 #62362] DEBUG -- net.ssh.transport.session[53c]: establishing connection to some-host-using-an-rsa-host-key
D, [2022-01-04T10:39:43.784954 #62362] DEBUG -- net.ssh.transport.session[53c]: connection established
I, [2022-01-04T10:39:43.785162 #62362]  INFO -- net.ssh.transport.server_version[550]: negotiating protocol version
D, [2022-01-04T10:39:43.785239 #62362] DEBUG -- net.ssh.transport.server_version[550]: local is `SSH-2.0-Ruby/Net::SSH_6.1.0 x86_64-darwin21'
D, [2022-01-04T10:39:43.816831 #62362] DEBUG -- net.ssh.transport.server_version[550]: remote is `SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3'
I, [2022-01-04T10:39:43.832333 #62362]  INFO -- net.ssh.transport.algorithms[564]: sending KEXINIT
D, [2022-01-04T10:39:43.832609 #62362] DEBUG -- socket[578]: queueing packet nr 0 type 20 len 748
D, [2022-01-04T10:39:43.832688 #62362] DEBUG -- socket[578]: sent 752 bytes
D, [2022-01-04T10:39:43.837431 #62362] DEBUG -- socket[578]: read 400 bytes
D, [2022-01-04T10:39:43.837495 #62362] DEBUG -- socket[578]: received packet nr 0 type 20 len 396
I, [2022-01-04T10:39:43.837541 #62362]  INFO -- net.ssh.transport.algorithms[564]: got KEXINIT from server
I, [2022-01-04T10:39:43.837599 #62362]  INFO -- net.ssh.transport.algorithms[564]: negotiating algorithms
D, [2022-01-04T10:39:43.837673 #62362] DEBUG -- net.ssh.transport.algorithms[564]: negotiated:
* kex: diffie-hellman-group-exchange-sha256
* host_key: ssh-rsa
* encryption_server: aes256-ctr
* encryption_client: aes256-ctr
* hmac_client: hmac-sha2-512
* hmac_server: hmac-sha2-512
* compression_client: none
* compression_server: none
* language_client: 
* language_server: 
D, [2022-01-04T10:39:43.837700 #62362] DEBUG -- net.ssh.transport.algorithms[564]: exchanging keys
D, [2022-01-04T10:39:43.837792 #62362] DEBUG -- socket[578]: queueing packet nr 1 type 34 len 20
D, [2022-01-04T10:39:43.837829 #62362] DEBUG -- socket[578]: sent 24 bytes
D, [2022-01-04T10:39:43.885406 #62362] DEBUG -- socket[578]: read 280 bytes
D, [2022-01-04T10:39:43.885566 #62362] DEBUG -- socket[578]: received packet nr 1 type 31 len 276
D, [2022-01-04T10:39:43.892059 #62362] DEBUG -- socket[578]: queueing packet nr 2 type 32 len 268
D, [2022-01-04T10:39:43.892124 #62362] DEBUG -- socket[578]: sent 272 bytes
D, [2022-01-04T10:39:43.921702 #62362] DEBUG -- socket[578]: read 1104 bytes
D, [2022-01-04T10:39:43.921972 #62362] DEBUG -- socket[578]: received packet nr 2 type 33 len 1084
/Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:101:in `verify_signature': could not verify server signature (Net::SSH::Exception)
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:50:in `exchange_keys'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/algorithms.rb:445:in `exchange_keys'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/algorithms.rb:245:in `proceed!'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/algorithms.rb:184:in `accept_kexinit'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:210:in `block in poll_message'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:190:in `loop'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:190:in `poll_message'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:225:in `block in wait'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:223:in `loop'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:223:in `wait'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/session.rb:90:in `initialize'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh.rb:251:in `new'
        from /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh.rb:251:in `start'
        from ./net-ssh-test:10:in `<main>'
from ./net-ssh-test:10:in `<main>'

Here's the test script:

Net::SSH.start(ARGV[0], nil, :verbose => :debug) do |ssh|
  puts ssh.exec!("pwd")
end

Running the same command using version 2.2.1 of the gem works fine.

[tycooon]

Have the same problem but with Ed25519 key: Ed25519::VerifyError: signature verification failed!. Using openssl 2.2.1 fixes the issue as well.

[zedalaye]

You just have to add the gem x25519 to your Gemfile as explained here : https://github.com/net-ssh/net-ssh#key-exchange

[skaes]

Probably no longer an issue, but I can't easily verify it.

[thomas-merz]

Hi @skaes , I think it's still an issue with net-ssh (7.3.0) and openssl (3.3.0, 3.2.1, 3.2.0, default: 3.1.0)

Net::SSH::HostKeyMismatch (fingerprint SHA256:… does not match for "…,…")

[rhenium]

1. /Users/stefan.kaes/.rvm/gems/ruby-3.1.0/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:101:in `verify_signature': could not verify server signature (Net::SSH::Exception)

2. Ed25519::VerifyError: signature verification failed!

3. Net::SSH::HostKeyMismatch (fingerprint SHA256:… does not match for "…,…")

None of them are raised by ruby/openssl (and all look separate issues to me). I'd suggest asking at the net-ssh upstream https://github.com/net-ssh/net-ssh instead.

I think it might be useful to include the OpenSSL library version that you're using, too. You can find it in the OpenSSL::OPENSSL_LIBRARY_VERSION constant.