fix: accept RSA SHA1 signatures in the ssh client for CI
OpenSSH has deprecated SHA1, and in 8.8 it was removed from the default
accepted signature algorithm list.

OpenSSH server implements signature algorithm negotiation. Go's SSH
server implementation does not. Since we use RSA keys in CI, the ssh
client uses those keys and because it can't negotiate an alternative
falls back to the default disallowed SHA1 algorithm, which causes the
connection to fail.

So for now to work around this problem we explicitly allow SHA1 in the
client.

Once signature negotiation is implemented in Go we can drop this patch.
See golang/crypto#197.
smlx committed Feb 25, 2022
1 parent be338d2 commit c3ae845
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tests/tasks/ssh/ssh-portal-command.yaml
@@ -1,5 +1,5 @@
- name: "{{ testname }} - running {{ command }} on {{ username }}@{{ ssh_portal_host }} on port {{ ssh_portal_port }}, searching for '{{ expected_content }}'"
shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} {{ command }}
shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} -o 'PubkeyAcceptedKeyTypes +ssh-rsa' {{ command }}
register: result
until: result.stdout is search(expected_content)
retries: 30
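Review bot: The `-o 'PubkeyAcceptedKeyTypes +ssh-rsa'` option on the changed `shell:` line has no comment in the YAML marking it as a temporary workaround, so the reason for re-enabling SHA1 RSA signatures lives only in the commit message. Add a YAML comment above the task that references golang/crypto#197 and says the option can be dropped once signature negotiation lands, so the exception does not outlive its need or get copied into non-test configuration. Passing it per invocation with `-o` and the `+` prefix is the right scope, since it extends the default list only for this test command. Since the message targets OpenSSH 8.8, also consider the keyword `PubkeyAcceptedAlgorithms`, the name in use since OpenSSH 8.5, with `PubkeyAcceptedKeyTypes` kept as an alias.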