fix: accept RSA SHA1 signatures in the ssh client for CI

OpenSSH has deprecated SHA1, and in 8.8 it was removed from the default accepted signature algorithm list. OpenSSH server implements signature algorithm negotiation. Go's SSH server implementation does not. Since we use RSA keys in CI, the ssh client uses those keys and because it can't negotiate an alternative falls back to the default disallowed SHA1 algorithm, which causes the connection to fail. So for now to work around this problem we explicitly allow SHA1 in the client. Once signature negotiation is implemented in Go we can drop this patch. See golang/crypto#197.
uselagoon · Feb 25, 2022 · 4996493 · 4996493
1 parent 7d96a86
commit 4996493
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tests/tasks/ssh/ssh-portal-command.yaml b/tests/tasks/ssh/ssh-portal-command.yaml
@@ -1,5 +1,5 @@
 - name: "{{ testname }} - running {{ command }} on {{ username }}@{{ ssh_portal_host }} on port {{ ssh_portal_port }}, searching for '{{ expected_content }}'"
-  shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} {{ command }}
+  shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} -o 'PubkeyAcceptedKeyTypes +ssh-rsa' {{ command }}
   register: result
   until: result.stdout is search(expected_content)
   retries: 30