
Can't connect to legacy host using ssh-rsa/ssh-dss hostkey algorithm #15181

dberardo-com opened this issue May 13, 2024 · 5 comments

@dberardo-com

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to security@ansible.com instead.)

Bug Summary

Adding -oHostKeyAlgorithms=ssh-rsa to ansible_ssh_common_args results in this error:

ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: error in libcrypto
kex: host key algorithm: (no match)

AWX version

24.3.1

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

Add the run var ansible_ssh_common_args with -oHostKeyAlgorithms=ssh-rsa.

Expected results

Smooth connection.

Actual results

It does not get a key match.

Additional information

No response

@TheRealHaoLiu
Member

Does this work with any of our previous awx-ee images? Can you help pinpoint when this stopped working.

@dberardo-com
Author

dberardo-com commented May 16, 2024

I didn't play around with the versions, but I am sure it works with an older one. Check this out: https://www.reddit.com/r/ansible/comments/1443kd8/comment/l3vkq11/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Technical-Tax1578 (Reddit, 3d ago):
Seems an openssl issue, perhaps too high of a version. Try to use another execution environment; 21.11.0 worked for me. Perhaps you can try higher ones and let me know which is the last one to work. https://quay.io/repository/ansible/awx-ee?tab=tags&tag=latest

@chinochao

chinochao commented Jun 4, 2024

@TheRealHaoLiu @dberardo-com I found this same issue with older keys. We had the following in our inventory and it was still failing to connect:

  ansible_ssh_common_args: '-o PubkeyAcceptedKeyTypes=+ssh-dss'

After further investigation, this was caused by the crypto policies in the EE image. This used to work with older AWX versions that ran on CentOS 7 and 8, but it turns out the EE images are using CentOS Stream 9, which has SHA1 disabled. I added this to our custom EE images to run update-crypto-policies and it fixed the issue.

  append_final:
    - COPY --from=quay.io/ansible/receptor:devel /usr/bin/receptor /usr/bin/receptor
    - RUN mkdir -p /var/run/receptor
    - RUN update-crypto-policies --set DEFAULT:SHA1
    - RUN git lfs install --system

For more details refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#proc_re-enabling-sha-1_using-the-system-wide-cryptographic-policies

This error indicates the issue is with the crypto policies, specifically the "error in libcrypto":

  sign_and_send_pubkey: signing failed for DSA "pem.key": error in libcrypto

I created this PR: ansible/awx-ee#248

@dberardo-com
Author

Great catch!

Is this setting any sort of defaults? update-crypto-policies --set DEFAULT:SHA1

Is it possible to avoid setting SHA1 as the default? Or no need to bother?

@chinochao

chinochao commented Jun 5, 2024

@dberardo-com DEFAULT is the default setting. DEFAULT:SHA1 is just appending SHA1 to the default. No need to worry. The Red Hat docs recommend it; there is another setting called LEGACY which will also enable SHA1, but that is the one not recommended by Red Hat.

This is how it looks:

[root@a2a14a2e54a5 runner]# update-crypto-policies --show
DEFAULT
[root@a2a14a2e54a5 runner]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@a2a14a2e54a5 runner]# update-crypto-policies --show
DEFAULT:SHA1
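The two findings above (the client-side HostKeyAlgorithms/PubkeyAcceptedKeyTypes options in ansible_ssh_common_args, and the crypto policy baked into the EE image) combined into a build-time check, as an added example that is not part of this issue or of awx-ee: it reads the append_final steps and the inventory variable and reports which SHA-1-dependent algorithms the image's effective policy will still block, and whether the build reached for LEGACY instead of DEFAULT:SHA1. The SHA1_DEPENDENT set, the sample inputs and the assumption that the base image starts on DEFAULT are mine.

```python
import re

# Constructed sample: the append_final steps posted in this thread, plus the
# inventory options that were being tried on the AWX side.
EE_APPEND_FINAL = [
    "COPY --from=quay.io/ansible/receptor:devel /usr/bin/receptor /usr/bin/receptor",
    "RUN mkdir -p /var/run/receptor",
    "RUN update-crypto-policies --set DEFAULT:SHA1",
    "RUN git lfs install --system",
]
SSH_COMMON_ARGS = "-oHostKeyAlgorithms=ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-dss"

# Assumption: these SSH algorithm names need SHA-1 signatures, so the RHEL 9 /
# CentOS Stream 9 DEFAULT policy blocks them (the thread's DSA "error in
# libcrypto" is the symptom for ssh-dss).
SHA1_DEPENDENT = {"ssh-rsa", "ssh-dss"}

SET_RE = re.compile(r"update-crypto-policies\s+--set\s+(\S+)")
OPT_RE = re.compile(
    r"-o\s*(HostKeyAlgorithms|PubkeyAcceptedKeyTypes|PubkeyAcceptedAlgorithms)=(\S+)")


def effective_policy(append_final, base="DEFAULT"):
    """Last --set in the build steps wins; no --set means the base image policy."""
    policy = base
    for step in append_final:
        m = SET_RE.search(step)
        if m:
            policy = m.group(1)
    return policy


def sha1_enabled(policy):
    """DEFAULT:SHA1 re-enables only SHA-1 signatures; LEGACY enables far more."""
    parts = policy.upper().split(":")
    return parts[0] == "LEGACY" or "SHA1" in parts[1:]


def requested_algorithms(ssh_common_args):
    """Algorithm names named in -o options, with +/-/^ list modifiers stripped."""
    algs = set()
    for _opt, value in OPT_RE.findall(ssh_common_args):
        algs.update(name.lstrip("+-^") for name in value.split(","))
    return algs


def diagnose(append_final, ssh_common_args):
    policy = effective_policy(append_final)
    wanted = requested_algorithms(ssh_common_args) & SHA1_DEPENDENT
    blocked = set() if sha1_enabled(policy) else wanted
    return {"policy": policy, "legacy": policy.upper().startswith("LEGACY"),
            "blocked": sorted(blocked)}
```

A non-empty "blocked" list means the ssh options alone cannot make the connection work; a true "legacy" flag means the image is broader than the DEFAULT:SHA1 subpolicy the fix needs.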
