Red Hat Fuse / ENTESB-15771

Fuse 7 (on Karaf): camel-ssh does not support EdDSA digital signing

Details

    • Bug
    • Status: Done
    • Critical
    • Resolution: Done
    • fuse-7.8-GA
    • fuse-7.9-GA
    • Camel, Karaf
    • None

      Create a trivial Camel route like this:

      <route>
        <from uri="timer://foo?period=5000&amp;fixedRate=true"/>
        <setBody><constant>ls</constant></setBody>
        <to uri="ssh:paddington?certResource=file:///home/kevin/.ssh/id_rsa&amp;knownHostsResource=file:///home/kevin/.ssh/known_hosts&amp;username=kevin"/>
        <to uri="log://foo1?showHeaders=true"/>
      </route>

      where the hostname references an SSH server that only supports EdDSA signing. This is easy to configure on the standard Linux `sshd` – just comment out all `HostKey` lines in `/etc/ssh/sshd_config` except

      HostKey /etc/ssh/ssh_host/ed25519_key


    Description

      When using `camel-ssh` with an SSH provider that supports only EdDSA certificate signing, Camel cannot verify the server's key. Depending on how the route is configured, this may be a fatal exception, or the route may continue with warnings, like this:

      2021-02-11 16:07:10,380 | WARN  | dec6]-nio2-thread-31 | .c.s.ResourceBasedSSHKeyVerifier | 1103 - org.apache.camel.camel-ssh - 2.21.0.fuse-770013-redhat-00001 | Could not find matching key for client session, connection will continue anyway due to configuration
      2021-02-11 16:07:10,478 | WARN  | edec6]-nio2-thread-4 | .a.s.c.s.ClientConnectionService | 185 - org.apache.sshd.core - 1.7.0 | globalRequest(ClientConnectionService[ClientSessionImpl[iesb1006@esb-int1.hrs.siemens.com/139.25.75.109:22]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported

      In either case, the server's key is unverified.

      It seems that the `ssh-core` SSH client implementation is hardcoded to load the class `net.i2p.crypto.eddsa`, which is available in a JAR at `mvn:net.i2p.crypto/eddsa`. However, dependency conflicts are preventing this JAR being installed on Karaf and, even if that weren't the case, I'm not sure that the classloader architecture would allow the class to be loaded.
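      As an added example (not part of this issue or of the Camel, Fuse or Apache SSHD code): a small Python detector that parses Karaf-style log lines of the layout quoted above and flags exchanges whose SSH host key was never verified, so a route left running in the "continue anyway" state can be found in the logs. The embedded log lines are constructed from the excerpt; the remote host in the sshd-core line is a placeholder, and the indicator strings are taken from the warnings above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the Karaf/Pax Logging layout quoted in the issue:
# timestamp | level | thread | logger | bundle-id - bundle-name - version | message
# The remote host in the sshd-core line is a placeholder, not the one from the report.
SAMPLE_LOG = """\
2021-02-11 16:07:10,380 | WARN  | dec6]-nio2-thread-31 | .c.s.ResourceBasedSSHKeyVerifier | 1103 - org.apache.camel.camel-ssh - 2.21.0.fuse-770013-redhat-00001 | Could not find matching key for client session, connection will continue anyway due to configuration
2021-02-11 16:07:10,478 | WARN  | edec6]-nio2-thread-4 | .a.s.c.s.ClientConnectionService | 185 - org.apache.sshd.core - 1.7.0 | globalRequest(ClientConnectionService[ClientSessionImpl[user@ssh.example/192.0.2.10:22]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported
2021-02-11 16:07:11,002 | INFO  | dec6]-nio2-thread-31 | foo1 | 1103 - org.apache.camel.camel-ssh - 2.21.0.fuse-770013-redhat-00001 | Exchange[ExchangePattern: InOnly, BodyType: String, Body: ls]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<level>\w+)\s* \| (?P<thread>[^|]*?) \| (?P<logger>[^|]*?) \| "
    r"(?P<bundle_id>\d+) - (?P<bundle>\S+) - (?P<version>\S+) \| (?P<msg>.*)$"
)

# Warning texts from the issue that mean the route went on without a verified host key.
INDICATORS = {
    "connection will continue anyway due to configuration":
        "host key not in knownHostsResource, but verifier configured to continue",
    "EdDSA provider not supported":
        "server offered an EdDSA (ed25519) host key the client cannot check",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Karaf log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def find_unverified_hostkeys(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per WARN line carrying an indicator, with the bundle that emitted it."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "WARN":
            continue
        for needle, reason in INDICATORS.items():
            if needle in rec["msg"]:
                findings.append({"time": rec["ts"], "bundle": rec["bundle"],
                                 "version": rec["version"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unverified_hostkeys(SAMPLE_LOG):
        print(f"{f['time']}  {f['bundle']} {f['version']}: {f['reason']}")
```

      Pointing the detector at a real `fuse.log` (one line per record) also records which `camel-ssh` and `sshd-core` bundle versions produced the warnings, which is what you need when checking whether the fix version has actually been rolled out.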

          People

            ggrzybek Grzegorz Grzybek
            rhn-support-kboone Kevin Boone
            Federico Mariani Federico Mariani