From: Antônio Theóphilo
Subject: Re: [Fab-user] reject_unknown_hosts option
Date: Fri, 21 Oct 2011 15:40:57 -0200
Thank you, Jeff.

We've configured the logs as you suggested and discovered some issues regarding OpenBSD 4.9 that may be worth sharing with others ("crazy" guys who like to suffer :) who plan to use OpenBSD with Fabric:

Since August 2010 (http://api.libssh.org/rfc/PROTOCOL) OpenSSH has supported Elliptic Curve Cryptography, and it seems that, when OpenBSD 4.9 machines are involved (our case) in the SSH public-key negotiation, this is the preferred option instead of the traditional ssh-rsa. This crashes Paramiko, probably because it doesn't support this kind of cryptography yet. Manually overwriting the public key in the known_hosts file, replacing the elliptic curve key with the RSA one, seems to work.

For those interested, below are our test fabfile, our known_hosts file and the Fabric/Paramiko output in the success and failure cases.

Regards,
Antonio

<fabfile.py>

from fabric.api import task, run, env
import logging
import paramiko

# Send Paramiko's DEBUG log to stderr so the key exchange and the
# host key decision show up in the fab output.
logger = paramiko.util.get_logger('paramiko')
logger.setLevel(logging.DEBUG)
logger.addHandler(logging.StreamHandler())

# On OpenBSD bash comes from packages and lives in /usr/local/bin.
env.shell = '/usr/local/bin/bash -l -c'
# Abort instead of silently accepting a host key missing from known_hosts.
env.reject_unknown_hosts = True


@task(default=True)
def test():
    run('hostname')

<~/.ssh/known_hosts>

#10.0.1.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL7VyT5ufRzymozhp1mynf4+dDksru3BkQMd9dWbEOj+NL0aEKF5NXqoVKxVFwrwucdoErsEwv4NRxaWxJiVG4E=
10.0.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDblWteZNvVHs7yMLWhqL6rRKcTCE2i8utafN/F3W+cL4jDy7Ca5L1e/4vxBNRWqYvRZKLazDYeP8dxGbFoGwfjpa70Kgzmwd20RDsTeiuqHACuWWQQ/p/ben+0eOkrPExSJ2cPD8HtjPnRMw14i3X4EH9vya54UL0t+k9jMzvBOfm+hoeMv4yPUwkcUGG0J/CAnotE66mqd8jpZj9AYTJEP50H5Fj6CKwFuMOz9CIie2j9vavwnJubZ/rqjlSKrov9cIE6X3mhk14U+CY0DSqP9f0oWkmLQv6RmHETaAnVzTZyHVefkkHdocfVOAbuB/3EFlpPsmn0yxfTM4K7+/W/

<failure output with ecdsa-sha2-nistp256 key>

address@hidden:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x84c856acL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96
[10.0.1.2] Login password:
starting thread (client mode): 0x84c85e0cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Rejecting ssh-rsa host key for 10.0.1.2: 247ad0cd4e224fba259d694dba534c96

Fatal error: Unknown server 10.0.1.2

Aborting.
EOF in transport thread
EOF in transport thread

<success output with RSA key>

address@hidden:~/fabric]# fab -H 10.0.1.2
[10.0.1.2] Executing task 'test'
[10.0.1.2] run: hostname
starting thread (client mode): 0x8205c72cL
Connected (version 2.0, client OpenSSH_5.8)
kex algos:['ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256'] client encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] server encrypt:['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'address@hidden'] client mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'address@hidden', 'hmac-ripemd160', 'address@hidden', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'address@hidden'] server compress:['none', 'address@hidden'] client lang:[''] server lang:[''] kex follows?False
Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
Switch to new keys ...
Trying SSH agent key 95bba2ccd9d2a304520c9e89a7c61d1b
userauth is OK
Authentication (publickey) successful!
[chan 1] Max packet in: 34816 bytes
[chan 1] Max packet out: 32768 bytes
Secsh channel 1 opened.
[chan 1] Sesch channel 1 request ok
[chan 1] Sesch channel 1 request ok
[chan 1] EOF received (1)
[chan 1] EOF sent (1)
[10.0.1.2] out: fabric02
[10.0.1.2] out:

Done.
EOF in transport thread
Disconnecting from 10.0.1.2... done.
address@hidden:~/fabric]#

On 21/10/2011, at 02:25, Jeff Forcier wrote:
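An added example, not code from the post, from Fabric or from Paramiko, that isolates the failure mode described above: to a client that cannot parse a given key type, a known_hosts file whose only entry for a host is of that type is the same as no entry at all, so with reject_unknown_hosts set the connection must abort even though the server presented a perfectly good RSA key. The script parses known_hosts lines in pure Python (no paramiko needed), decodes the RFC 4253 wire format of the two key blobs posted in the thread, checks that the embedded type matches the label on the line, reports key size plus MD5 (the form Paramiko's debug log printed) and SHA256 fingerprints, and then evaluates the lookup for 10.0.1.2 once as a legacy client and once as a client that knows ECDSA. Two things are assumptions rather than facts from the page: the set of key types the 2011 client accepted stands in for Paramiko's behaviour and is not taken from its source, and the "before" file (ECDSA entry only) is reconstructed from Antônio's description of what he replaced.

```python
import base64
import hashlib
import struct

# Constructed known_hosts contents. The two key blobs are the ones posted in the
# thread for 10.0.1.2. BEFORE models the file as it was when Fabric aborted with
# "Unknown server" (only the ECDSA entry); AFTER is the file as posted, with the
# ECDSA line commented out and the RSA key active.
ECDSA_LINE = "10.0.1.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL7VyT5ufRzymozhp1mynf4+dDksru3BkQMd9dWbEOj+NL0aEKF5NXqoVKxVFwrwucdoErsEwv4NRxaWxJiVG4E="
RSA_LINE = "10.0.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDblWteZNvVHs7yMLWhqL6rRKcTCE2i8utafN/F3W+cL4jDy7Ca5L1e/4vxBNRWqYvRZKLazDYeP8dxGbFoGwfjpa70Kgzmwd20RDsTeiuqHACuWWQQ/p/ben+0eOkrPExSJ2cPD8HtjPnRMw14i3X4EH9vya54UL0t+k9jMzvBOfm+hoeMv4yPUwkcUGG0J/CAnotE66mqd8jpZj9AYTJEP50H5Fj6CKwFuMOz9CIie2j9vavwnJubZ/rqjlSKrov9cIE6X3mhk14U+CY0DSqP9f0oWkmLQv6RmHETaAnVzTZyHVefkkHdocfVOAbuB/3EFlpPsmn0yxfTM4K7+/W/"
KNOWN_HOSTS_BEFORE = ECDSA_LINE + "\n"
KNOWN_HOSTS_AFTER = "#" + ECDSA_LINE + "\n" + RSA_LINE + "\n"

# Assumption, not a quote of Paramiko's source: the 2011-era client in the
# thread recognises only these two host key types.
LEGACY_CLIENT_TYPES = frozenset({"ssh-rsa", "ssh-dss"})
MODERN_CLIENT_TYPES = LEGACY_CLIENT_TYPES | {
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"}

EC_CURVES = {32: b"nistp256", 48: b"nistp384", 66: b"nistp521"}  # coordinate bytes -> curve


def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:end], end


def describe_key(blob):
    """Return (embedded key type, key size in bits) for a decoded public key blob."""
    ktype_b, off = read_string(blob, 0)
    ktype = ktype_b.decode("ascii")
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)      # public exponent (mpint)
        n, off = read_string(blob, off)       # modulus (mpint, may carry a leading 0x00)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)   # e.g. b"nistp256"
        point, off = read_string(blob, off)   # uncompressed point: 0x04 || X || Y
        expected = EC_CURVES.get((len(point) - 1) // 2)
        if point[:1] != b"\x04" or expected is None or curve != expected:
            raise ValueError("malformed or unknown EC point")
        bits = int(curve[5:].decode("ascii"))
    else:
        bits = None                           # other types are passed through unsized
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, bits


def fingerprints(blob):
    """MD5 hex (what Paramiko's debug log printed) and OpenSSH-style SHA256."""
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha256


def parse_known_hosts(text):
    """Parse the active entries; reject a blob whose embedded type contradicts its label."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # a commented-out key is never consulted
        fields = line.split()
        if fields[0].startswith("@"):         # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError("line %d: malformed known_hosts entry" % lineno)
        hosts, declared, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64, validate=True)
        embedded, bits = describe_key(blob)
        if embedded != declared:
            raise ValueError("line %d: labelled %s but blob is %s" % (lineno, declared, embedded))
        entries.append({"line": lineno, "hosts": hosts.split(","), "type": declared,
                        "bits": bits, "blob": blob})
    return entries


def check_host(entries, host, client_types):
    """Decide as a reject_unknown_hosts client would: (accepted, usable entries or reason)."""
    # Plain hostname match only; |1| hashed and wildcard patterns are out of scope here.
    matches = [e for e in entries if host in e["hosts"]]
    usable = [e for e in matches if e["type"] in client_types]
    if usable:
        return True, usable
    if matches:
        kinds = ", ".join(sorted(e["type"] for e in matches))
        return False, "known_hosts has only %s for %s, which this client cannot use" % (kinds, host)
    return False, "no known_hosts entry for %s" % host


if __name__ == "__main__":
    for label, text in (("before", KNOWN_HOSTS_BEFORE), ("after", KNOWN_HOSTS_AFTER)):
        entries = parse_known_hosts(text)
        for e in entries:
            md5, sha = fingerprints(e["blob"])
            print("%s: line %d %s %s bits md5=%s %s" % (label, e["line"], e["type"], e["bits"], md5, sha))
        ok, detail = check_host(entries, "10.0.1.2", LEGACY_CLIENT_TYPES)
        print("%s: legacy client -> %s" % (label, "connect" if ok else "abort: " + detail))
```

The type check in parse_known_hosts is the part worth keeping around: a line labelled ssh-rsa whose blob actually carries another key type is either a corrupted file or someone tampering with it, and neither should be trusted silently. Run it against a real ~/.ssh/known_hosts by reading the file into parse_known_hosts; hashed (|1|...) hostnames parse fine but will not match a plain lookup in check_host.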