asuswrt cannot connect over ssh

[glentakahashi]

Home Assistant release with the issue:
0.86.0b3

Last working Home Assistant release (if known):
0.85.1

Operating environment (Hass.io/Docker/Windows/etc.):
Docker raspberrypi3-homeassistant

Component/platform:
https://www.home-assistant.io/components/asuswrt/

Description of problem:
the asuswrt component can no longer connect over ssh, instead throwing an error about X25519 not being supported on this version of openssl. This applies to both password and key authentication.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

asuswrt:
  host: 192.168.1.1
  protocol: ssh
  username: user
  ssh_key: asuswrt.key

Traceback (if applicable):

2019-01-23 16:07:24 ERROR (MainThread) [homeassistant.setup] Error during setup of component asuswrt
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/setup.py", line 145, in _async_setup_component
    hass, processed_config)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/asuswrt.py", line 61, in async_setup
    await api.connection.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 66, in async_connect
    self._client = await asyncssh.connect(self._host, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/misc.py", line 182, in __await__
    return (yield from self._coro)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5454, in connect
    conn, _ = yield from create_connection(None, host, port, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5110, in create_connection
    yield from auth_waiter
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 627, in data_received
    while self._inpbuf and self._recv_handler():
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 847, in _recv_packet
    processed = handler.process_packet(pkttype, seq, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/packet.py", line 215, in process_packet
    self._packet_handlers[pkttype](self, pkttype, pktid, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 1414, in _process_kexinit
    self._kex = get_kex(self, kex_alg)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex.py", line 122, in get_kex
    return handler(alg, conn, hash_alg, *args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex_ecdh.py", line 47, in __init__
    self._priv = ecdh_class(*args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/crypto/curve25519.py", line 31, in __init__
    self._priv_key = x25519.X25519PrivateKey.generate()
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: X25519 is not supported by this version of OpenSSL.

Additional information:

[jabesq]

Same issue with Hass.io raspberrypi3 Operating environment

[kennedyshead]

OpenSSL is not a part of HASS, however what is the output of openssl version -a

[ltjessem]

I'm getting the same error after upgrading from 0.85.1 to 0.86.0, downgrading back to 0.85.1 works right away.

[cgarwood]

Not sure if related, but do any of you also use HomeKit? There was a homekit component update that upgraded a cryptography package: #20325

[armata007]

I have the same error but do not use homekit. Downgrading helped

[jabesq]

Issue still present with 0.86.1

[mmatesic01]

I confirm that on 0.86.1 the issue exists. It didn't on 0.85.1.

[vinmar1]

Running Hassio on RPi3B+ Same issue, asuswrt died going from 0.85.1 to 0.86.0 says invalid configuration. I never got telnet to work but ssh has be pretty solid and going back to 0.85.1 fixes it immediately. I tried telnet again before falling back and it's still broken as well. I have ssh access only available by LAN in my router config to eliminate outside access so I'm not using a key.

In my configuration.yaml

asuswrt:
host: 192.168.1.1
username: my-login-id
password: my-password
protocol: ssh
port: 22

[adas4190]

Same here. It is annoying that it it broken again.

[pszewello]

Same here :)

[somar05]

Same. Downgrade and working again.

[adas4190]

I belive it is very popular component and device tracking system and I don't understand why it is getting broken almost every time there is update. I love HA regardles but it make life hard sometimes especially when there is a lot of automation based on device tracking.

Is there any workaround?? (apart of downgrading - I like lovelace :))

[vinmar1]

I belive it is very popular component and device tracking system and I don't understand why it is getting broken almost every time there is update. I love HA regardles but it make life hard sometimes especially when there is a lot of automation based on device tracking.

Is there any workaround?? (apart of downgrading - I like lovelace :))

You could temporarily use bluetooth as a tracker if you have it available but for me it just doesn't have the range, I have a big house so WiFi made more sense.

[adas4190]

Same here 😁

[mikenabhan]

I am having the same issue.

[adas4190]

Unfortunetely I cannot find better presence tracker than asuswrt - when it is working 😉

[MajorGlory78]

Same issue here. Using SSH, not using a key. Just user/pass as it is all only accesible from LAN.

[Junho83]

same problem.

[Jefe2]

Same here. AsusWRT worked on 0.85.1, quit working upon upgrading to 0.86.1
RPi3B+, HassOS, SSH key.

[bereska]

same here, ok on 0.85.1, stopped working on 0.86.1, rpi3b+, docker, ssh

[nphil]

same issue here, using ssh key to log in

[adas4190]

Telnet is broken aswell... at least for me

[kennedyshead]

For telnet I'd have to see your logs, please open an issue here: github.com/kennedyshead/aioasuswrt/issues/

For the ssh issue I'm 90% sure it have to do wit ssh-key and running in docker. A temporary solution would be to login without key for now and re-enable it when the problem in Hassio is solved.

[ltjessem]

Several people in this thread, including me, are not using ssh_key.

[ltjessem]

I just tried switching to telnet to eliminate OpenSSL from the picture and got the following:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/__init__.py", line 173, in async_setup_platform
    hass, {DOMAIN: p_config})
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/asuswrt.py", line 20, in async_get_scanner
    await scanner.async_connect()
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/asuswrt.py", line 37, in async_connect
    data = await self.connection.async_get_connected_devices()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/asuswrt.py", line 171, in async_get_connected_devices
    dev = await self.async_get_wl()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/asuswrt.py", line 107, in async_get_wl
    lines = await self.connection.async_run_command(_WL_CMD)
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 91, in async_run_command
    await self.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 113, in async_connect
    await self._reader.readuntil(b'login: ')
  File "/usr/local/lib/python3.6/asyncio/streams.py", line 578, in readuntil
    raise IncompleteReadError(chunk, None)
asyncio.streams.IncompleteReadError: 0 bytes read on a total of None expected bytes

[kennedyshead]

I just tried switching to telnet to eliminate OpenSSL from the picture and got the following:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/__init__.py", line 173, in async_setup_platform
    hass, {DOMAIN: p_config})
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/asuswrt.py", line 20, in async_get_scanner
    await scanner.async_connect()
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/device_tracker/asuswrt.py", line 37, in async_connect
    data = await self.connection.async_get_connected_devices()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/asuswrt.py", line 171, in async_get_connected_devices
    dev = await self.async_get_wl()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/asuswrt.py", line 107, in async_get_wl
    lines = await self.connection.async_run_command(_WL_CMD)
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 91, in async_run_command
    await self.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 113, in async_connect
    await self._reader.readuntil(b'login: ')
  File "/usr/local/lib/python3.6/asyncio/streams.py", line 578, in readuntil
    raise IncompleteReadError(chunk, None)
asyncio.streams.IncompleteReadError: 0 bytes read on a total of None expected bytes

Have you set port 23?

[ltjessem]

Yes I am, here's the relevant config, sorry I forgot to include that:

asuswrt:
  host: 192.168.1.1
  protocol: telnet
  username: admin
  password: ***
  port: 23

device_tracker:
  - platform: asuswrt
    interval_seconds: 60
    consider_home: 600
    new_device_defaults:
      track_new_devices: false

[olskar]

@glentakahashi Oh i see :)

[pixeldublu]

+1

[jokerigno]

Same error on 0.86.2

[kennedyshead]

Could someone please test pip install https://github.com/kennedyshead/aioasuswrt/archive/master.zip and check if that version works in your installation. (for SSH bug)

[gabe565]

Could someone please test pip install https://github.com/kennedyshead/aioasuswrt/archive/master.zip and check if that version works in your installation. (for SSH bug)

That seems to have fixed the cryptography.exceptions.UnsupportedAlgorithm error for me. The 1.1.18 release looks like it will fix.

Edit: Did this fix for anybody else? I had duplicated the asuswry.py component and had it as a custom component called asuswrt2.py and it had seemed to be working, but now I am not sure it's fixed. If I name it to asuswrt.py as a custom component to override the original, I start getting errors again.

[Junho83]

Is this problem solved?

[adas4190]

How can I try that fix on hassos? Sorry but I don't know how to use it.
It doesn't work on hassos terminal

[olskar]

It should be fixed, it is merged so hopefully we can get a 0.86.3 release soon with this included.

[Jc2k]

Note that the underlying root cause of this is that HASS.io uses alpine:3.8 which is based on musl libc and not glibc. This means manylinux1 wheels do not work. So while cryptography==2.3.1 is installed and does actually support X25519, the way HASS.io builds it (against an old alpine version of openssl) means some features get turned off. On Debian and Ubuntu the manylinux1 wheel is used, so all the features of cryptography==2.3.1 are present and accounted for.

[ZetaPhoenix]

Seeing this in 0.86.2 still.

[wzaatar]

+1, alas. Not using key, plain SSH username/password.

File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: X25519 is not supported by this version of OpenSSL.

[inverse]

@olskar did this make it into the .3 release? The release notes state otherwise.

[olskar]

@inverse does not seen to be in .3 no. Not sure how fixes qualify into hotfix releases. @balloob probably knows :)

[wzaatar]

I confirm that the issue is still present in .3. Just updated and rebooted.

[bereska]

not in .3, frustrating this major bug is being ignored

[kennedyshead]

Put https://github.com/kennedyshead/home-assistant/blob/20d929b3883c4ce374dfa6dd93caebede5792bd4/homeassistant/components/asuswrt.py in custom_components reboot and try again

[wzaatar]

Put https://github.com/kennedyshead/home-assistant/blob/20d929b3883c4ce374dfa6dd93caebede5792bd4/homeassistant/components/asuswrt.py in custom_components reboot and try again

Hi @kennedyshead. I tried as per your advice and rebooted, but the error is still there.

[kennedyshead]

Ok, then we need to wait for the hassio fix of openssl. Not sure why libnacl dont work.

Edit: now I get it, there has been a change i asyncssh to use pyCA instead of libnacl. You could use an earlier version of asyncssh if you know howto.

[wzaatar]

Thanks, @kennedyshead. I'd rather not "cook" too much my prod Hassio installation. Will wait for the official fix.

[Schocker360]

Is it possible this didn't make it into the build because the status of this issue is set to "Closed"?

[craigcarps]

Both SSH and Telnet not working with 86.3, hopefully 86.4 comes out with a fix for ASUSWRT. Until then I'll manually have to do what my presence detection automation was setup to do.

Hopefully it gets resolved quickly

[yuqiuyi99]

me too，not work in 0.86.3

[kennedyshead]

Please lock this issue, it is taken cared of in hassio!

Note that the underlying root cause of this is that HASS.io uses alpine:3.8 which is based on musl libc and not glibc. This means manylinux1 wheels do not work. So while cryptography==2.3.1 is installed and does actually support X25519, the way HASS.io builds it (against an old alpine version of openssl) means some features get turned off. On Debian and Ubuntu the manylinux1 wheel is used, so all the features of cryptography==2.3.1 are present and accounted for.

[Schocker360]

Please lock this issue, it is taken cared of in hassio!

Note that the underlying root cause of this is that HASS.io uses alpine:3.8 which is based on musl libc and not glibc. This means manylinux1 wheels do not work. So while cryptography==2.3.1 is installed and does actually support X25519, the way HASS.io builds it (against an old alpine version of openssl) means some features get turned off. On Debian and Ubuntu the manylinux1 wheel is used, so all the features of cryptography==2.3.1 are present and accounted for.

@kennedyshead When you say it is taken care of in Hassio are you saying they updated to use glibc and in the next release it should be fixed? I'm just not quite sure if you are saying 1. It's not a bug 2. It is a bug and there is a work around out there or 3. It's fixed in the next (or a future release).