[bug] SSH Connection: Pubkey auth attempt with unknown algo #643
Comments
nemesifier
added this to Backlog
in OpenWISP Priorities for next releases
via automation
|
I found out the reason, it's explained here: paramiko/paramiko#1961. |
nemesifier
added a commit
that referenced
this issue
May 4, 2022
Paramiko versions > 2.8 try to use sha2 as a default pub key algorithm if the target SSH server doesn't advertise the preferred pub key algorithm used, which is the case for OpenWrt <= 19. This causes SSH connections to fail with: "Pubkey auth attempt with unknown algo". The fix suggested by Paramiko is to disable sha2 algorithms, which is not great for systems where newer versions of OpenWrt and dropbear are in use, for this reason, this patch disables the sha2 algorithms only if a first SSH connection attempt fails by raising the exception paramiko.ssh_exception.AuthenticationException, initialized with the string 'Authentication failed.'. Closes #643
nemesifier
added a commit
that referenced
this issue
May 4, 2022
Paramiko versions > 2.8 try to use sha2 as a default HostKeyAlgorithms if the target SSH server doesn't advertise the preferred HostKeyAlgorithms, which is the case for OpenWrt <= 19. This causes SSH connections to fail with: "Pubkey auth attempt with unknown algo", because dropbear on OpenWrt <= 19 doesn't support sha2. The fix suggested by Paramiko is to disable the sha2 HostKeyAlgorithms, which is not great for systems where newer versions of OpenWrt and dropbear are in use, for this reason, this patch disables the sha2 HostKeyAlgorithms only if a first SSH connection attempt fails by raising the exception paramiko.ssh_exception.AuthenticationException. As a bonus fix, I found out that it's better to explicitly close the SSH connection when the authentication fails, otherwise a lingering SSH connection can stay open for a while. Closes #643
nemesifier
added a commit
that referenced
this issue
May 4, 2022
Paramiko versions > 2.8 try to use sha2 as a default HostKeyAlgorithms if the target SSH server doesn't advertise the preferred HostKeyAlgorithms, which is the case for OpenWrt <= 19. This causes SSH connections to fail with: "Pubkey auth attempt with unknown algo", because dropbear on OpenWrt <= 19 doesn't support sha2. The fix suggested by Paramiko is to disable the sha2 HostKeyAlgorithms, which is not great for systems where newer versions of OpenWrt and dropbear are in use, for this reason, this patch disables the sha2 HostKeyAlgorithms only if a first SSH connection attempt fails by raising the exception paramiko.ssh_exception.AuthenticationException. As a bonus fix, I found out that it's better to explicitly close the SSH connection when the authentication fails, otherwise a lingering SSH connection can stay open for a while. Closes #643
nemesifier
added a commit
that referenced
this issue
May 4, 2022
Paramiko versions > 2.8 try to use sha2 as a default HostKeyAlgorithms if the target SSH server doesn't advertise the preferred HostKeyAlgorithms, which is the case for OpenWrt <= 19. This causes SSH connections to fail with: "Pubkey auth attempt with unknown algo", because dropbear on OpenWrt <= 19 doesn't support sha2. The fix suggested by Paramiko is to disable the sha2 HostKeyAlgorithms, which is not great for systems where newer versions of OpenWrt and dropbear are in use, for this reason, this patch disables the sha2 HostKeyAlgorithms only if a first SSH connection attempt fails by raising the exception paramiko.ssh_exception.AuthenticationException. As a bonus fix, I found out that it's better to explicitly close the SSH connection when the authentication fails, otherwise a lingering SSH connection can stay open for a while. Closes #643
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
On some systems the SSH connection to OpenWrt fails with the following error message on the OpenWrt side:
It happens on OpenWrt 19 with RSA keys.
On the server side the error message is either "Authentication failed" or "Timed out".
The text was updated successfully, but these errors were encountered: