Red Hat Fuse issue ENTESB-15771

Fuse 7 (on Karaf): camel-ssh does not support EdDSA digital signing


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • fuse-7.9-GA, fuse-7.8-GA
    • Components: Camel, Karaf

      Create a trivial Camel route like this:

      <route>
        <from uri="timer://foo?period=5000&amp;fixedRate=true"/>
        <setBody><constant>ls</constant></setBody>
        <to uri="ssh:paddington?certResource=file:///home/kevin/.ssh/id_rsa&amp;knownHostsResource=file:///home/kevin/.ssh/known_hosts&amp;username=kevin"/>
        <to uri="log://foo1?showHeaders=true"/>
      </route>

      where the hostname references an SSH server that only supports EdDSA signing. This is easy to configure on the standard Linux `sshd` – just comment out all `HostKey` lines in `/etc/ssh/sshd_config` except

      HostKey /etc/ssh/ssh_host_ed25519_key


      When using `camel-ssh` with an SSH provider that supports only EdDSA certificate signing, Camel cannot verify the server's key. Depending on how the route is configured, this may be a fatal exception, or the route may continue with warnings, like this:

      2021-02-11 16:07:10,380 | WARN  | dec6]-nio2-thread-31 | .c.s.ResourceBasedSSHKeyVerifier | 1103 - org.apache.camel.camel-ssh - 2.21.0.fuse-770013-redhat-00001 | Could not find matching key for client session, connection will continue anyway due to configuration
      2021-02-11 16:07:10,478 | WARN  | edec6]-nio2-thread-4 | .a.s.c.s.ClientConnectionService | 185 - org.apache.sshd.core - 1.7.0 | globalRequest(ClientConnectionService[ClientSessionImpl[iesb1006@esb-int1.hrs.siemens.com/139.25.75.109:22]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported

      In either case, the server's key is unverified.

      It seems that the `sshd-core` SSH client implementation is hardcoded to load the class `net.i2p.crypto.eddsa`, which is available in a JAR at `mvn:net.i2p.crypto/eddsa`. However, dependency conflicts are preventing this JAR from being installed on Karaf and, even if that weren't the case, I'm not sure that the classloader architecture would allow the class to be loaded.
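      The security-relevant consequence of the two outcomes above (fatal exception, or "connection will continue anyway due to configuration") is that in the second case the route talks to a host whose key was never checked against `known_hosts`. The following is an added pre-flight check, not code from the Fuse issue or from camel-ssh or Apache MINA SSHD: it models what host-key verification will do for a given server, given the host-key algorithms the client can actually process, and separates the "client cannot process this key type at all" case from a genuine key mismatch. The algorithm sets, host names (`paddington`, `bear`, `marmalade`) and the key blobs are constructed test data and assumptions for this example, not values taken from the page.

```python
"""Pre-flight check: can this SSH client verify a server's host key from known_hosts?

Added example, not part of the Red Hat Fuse issue or the camel-ssh code base.
It models the failure in ENTESB-15771: a client with no EdDSA provider cannot
verify a server that offers only an ssh-ed25519 host key, so the connection is
either refused or (with "continue anyway" configuration) left unverified.
All key blobs and host names below are constructed test data.
"""
import base64
import hashlib
import struct

# Host-key algorithms assumed verifiable by camel-ssh on Karaf without the
# net.i2p.crypto/eddsa provider (assumption for this example).
CLIENT_WITHOUT_EDDSA = frozenset({
    "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})
# The same client once an EdDSA provider is available.
CLIENT_WITH_EDDSA = CLIENT_WITHOUT_EDDSA | {"ssh-ed25519"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (RFC 4251, section 5): uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pubkey32: bytes) -> str:
    """Base64 host-key blob as written in known_hosts (RFC 8709 layout)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the format printed by 'ssh-keygen -l' (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hosts, keytype, key_b64) per key line; comments and blanks are skipped.

    Hashed hostnames (lines starting with '|1|') are not expanded here.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):  # '@cert-authority' / '@revoked' markers
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield set(parts[0].split(",")), parts[1], parts[2]


def check_host(known_hosts: str, host: str, offered_type: str,
               offered_key: str, supported) -> str:
    """Classify what host-key verification will do for one server.

    'unsupported-key-type' - client cannot process the offered key at all
                             (the issue's case: only ssh-ed25519 offered, no EdDSA provider)
    'unknown-host'         - no known_hosts entry of that type for the host
    'verified'             - a known_hosts entry matches the offered key
    'mismatch'             - an entry exists but the key differs (possible MITM or rekey)
    """
    if offered_type not in supported:
        return "unsupported-key-type"
    entries = [k for hosts, t, k in parse_known_hosts(known_hosts)
               if host in hosts and t == offered_type]
    if not entries:
        return "unknown-host"
    return "verified" if offered_key in entries else "mismatch"


# Constructed sample data: 'paddington' stands in for the test sshd from the issue,
# configured with only an ed25519 host key; 'bear' is a host that still offers RSA.
PADDINGTON_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(1, 33)))
BEAR_RSA_KEY = base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 256)
).decode("ascii")  # dummy exponent/modulus, not a real RSA key
KNOWN_HOSTS = f"""# constructed ~/.ssh/known_hosts
paddington,10.0.0.5 ssh-ed25519 {PADDINGTON_KEY}
bear ssh-rsa {BEAR_RSA_KEY}
"""


def main():
    for name, supported in (("client without EdDSA", CLIENT_WITHOUT_EDDSA),
                            ("client with EdDSA", CLIENT_WITH_EDDSA)):
        result = check_host(KNOWN_HOSTS, "paddington", "ssh-ed25519", PADDINGTON_KEY, supported)
        print(f"{name}: paddington -> {result}")
    print("paddington host key:", fingerprint(PADDINGTON_KEY))


if __name__ == "__main__":
    main()
```

      The point of the distinction is operational: a `mismatch` is a reason to stop and investigate, while `unsupported-key-type` means the client can never reach a verified state against that server, so "continue anyway" settings leave every connection to it unauthenticated until either the server offers a key type the client can process or the client gains an EdDSA provider.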

              Grzegorz Grzybek (ggrzybek)
              Kevin Boone (rhn-support-kboone)
              Federico Mariani