
review.rdoproject.org now uses ECDSA key fingerprint

    • Type: Bug
    • Resolution: Done
    • RDO Caracal

      During the last DLRN Trunk bootstrap (i.e. centos9-antelope), we hit an issue where the worker was not able to submit FTBFS patches to the RDO Gerrit instance.
      The reason is that the SSH client (i.e. openssh-clients) provided in COS sources the crypto policies from "/etc/crypto-policies/back-ends/opensshserver.config", provided by the crypto-policies-20221215 RPM from [1].
      Below is the policy:

      $ less /etc/crypto-policies/back-ends/opensshserver.config
      CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
      

      It's using ecdsa-sha2-nistp256 as the first preferred SSH key exchange algorithm (i.e. -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[...]).

      That's why, when we run the command below from a COS system:

      # ssh -t -p 29418 review.rdoproject.org
      The authenticity of host '[review.rdoproject.org]:29418 ([38.102.83.25]:29418)' can't be established.
      ECDSA key fingerprint is SHA256:lNxdGov9Kol+apgEFQlFvr8uIYKyvG7rK/k/zvEwTlM.
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added '[review.rdoproject.org]:29418,[38.102.83.25]:29418' (ECDSA) to the list of known hosts.
      

      we got the ECDSA key fingerprint:

      # less ~/.ssh/known_hosts
      [review.rdoproject.org]:29418,[38.102.83.25]:29418 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLOLaO81l9MzOYM85DVm7RzDQp3GIPuf86F4gUbOQUYR8/1fGjZ6+5wrz3ZqIwxe4X5D43ZwRZD/DNFmvQPtYLg=
      

      So, we need to edit this line in ansible-role-dlrn [2] with the ECDSA key fingerprint in order to be able to send Gerrit patches without being asked to accept it the first time.

      [1] https://gitlab.com/redhat/centos-stream/rpms/crypto-policies
      [2] https://github.com/rdo-infra/ansible-role-dlrn/blob/19207bb188da9f7a97728fd524487b89e9f2ab95/tasks/worker.yml#L457

            Reporter: Joel Capitao (jcapitao1@redhat.com)
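The failure mode in this ticket is general: when a crypto-policy pins HostKeyAlgorithms, the client sends that list in the order the policy gives, the server answers with the first key type in that order it holds, and the connection only proceeds unprompted if known_hosts already pins a key of that same type. The script below is an added example written for this page, not code from ansible-role-dlrn, DLRN or crypto-policies. It reads the HostKeyAlgorithms order out of a CRYPTO_POLICY string (the value is copied from the opensshserver.config quoted above; the other -o options are left out), models the server-side choice, looks up the pinned key for the host in a known_hosts text, and computes the OpenSSH SHA256 fingerprint from the base64 key blob. The ECDSA known_hosts line is the one recorded in the ticket; the RSA entry, the set of key types the server holds, and the IP-less "before" known_hosts are constructed for the demonstration and are not real data. It also assumes that an explicit HostKeyAlgorithms setting (which is what -oHostKeyAlgorithms is) disables the OpenSSH client's usual habit of moving already-known key types to the front of its proposal, which is why a pinned RSA key does not avoid the prompt here.

```python
"""Will a pinned known_hosts entry satisfy the host-key algorithm a
crypto-policy-constrained OpenSSH client negotiates?  Added example for
RDO-119; not project code.  Constructed inputs are marked as such."""
import base64
import hashlib
import re
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
HOSTSPEC = "[review.rdoproject.org]:29418"

# HostKeyAlgorithms copied from the ticket's opensshserver.config; the other
# -o options of CRYPTO_POLICY are omitted from this excerpt.
POLICY_EXCERPT = (
    "-oHostKeyAlgorithms="
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,"
    "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,"
    "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,"
    "ssh-rsa,ssh-rsa-cert-v01@openssh.com"
)

# known_hosts line exactly as recorded in the ticket after accepting the prompt.
KNOWN_HOSTS_ECDSA = (
    "[review.rdoproject.org]:29418,[38.102.83.25]:29418 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLOLaO81l9MzOYM85DVm7Rz"
    "DQp3GIPuf86F4gUbOQUYR8/1fGjZ6+5wrz3ZqIwxe4X5D43ZwRZD/DNFmvQPtYLg=\n"
)


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# CONSTRUCTED: a syntactically valid but fake ssh-rsa blob (e=65537, junk n),
# standing in for a previously pinned RSA host key.  Not a real key.
FAKE_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x2a" * 64)
KNOWN_HOSTS_RSA_ONLY = f"{HOSTSPEC} ssh-rsa {base64.b64encode(FAKE_RSA_BLOB).decode()}\n"


def parse_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its RFC 4251 strings, checking lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[i:i + n])
        i += n
    return out


def parse_hostkey_algs(crypto_policy: str) -> list:
    m = re.search(r"-oHostKeyAlgorithms=([^\s']+)", crypto_policy)
    if not m:
        raise ValueError("no HostKeyAlgorithms in policy")
    return m.group(1).split(",")


def keytype_for_alg(alg: str) -> str:
    """Signature algorithm -> key type as stored in known_hosts.
    rsa-sha2-256, rsa-sha2-512 and ssh-rsa all use an 'ssh-rsa' key."""
    base = alg[:-len(CERT_SUFFIX)] if alg.endswith(CERT_SUFFIX) else alg
    return "ssh-rsa" if base.startswith("rsa-sha2-") else base


def negotiate_hostkey_alg(client_algs, server_keytypes):
    """First client algorithm the server can satisfy.  Certificate variants
    are skipped: we assume the server holds plain host keys only."""
    for alg in client_algs:
        if alg.endswith(CERT_SUFFIX):
            continue
        if keytype_for_alg(alg) in server_keytypes:
            return alg
    return None


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def pinned_keys(known_hosts: str, hostspec: str) -> dict:
    """{keytype: blob} for plain (unhashed, unmarked) entries naming hostspec."""
    pins = {}
    for line in known_hosts.splitlines():
        if line.startswith(("#", "|1|", "@")):
            continue  # comments, hashed hosts and @-markers are out of scope here
        parts = line.split()
        if len(parts) < 3 or hostspec not in parts[0].split(","):
            continue
        keytype, blob = parts[1], base64.b64decode(parts[2])
        inner = parse_ssh_strings(blob)[0].decode()
        if inner != keytype:
            raise ValueError(f"type field {keytype} disagrees with blob {inner}")
        pins[keytype] = blob
    return pins


def check_pin(crypto_policy, server_keytypes, known_hosts, hostspec):
    """(negotiated_alg, fingerprint).  fingerprint None == client will prompt
    'The authenticity of host ... can't be established'."""
    alg = negotiate_hostkey_alg(parse_hostkey_algs(crypto_policy), server_keytypes)
    if alg is None:
        return None, None
    blob = pinned_keys(known_hosts, hostspec).get(keytype_for_alg(alg))
    return alg, (sha256_fingerprint(blob) if blob else None)


if __name__ == "__main__":
    server = {"ssh-rsa", "ecdsa-sha2-nistp256"}  # CONSTRUCTED server key types
    print("RSA-only pin :", check_pin(POLICY_EXCERPT, server, KNOWN_HOSTS_RSA_ONLY, HOSTSPEC))
    print("ECDSA pin    :", check_pin(POLICY_EXCERPT, server, KNOWN_HOSTS_ECDSA, HOSTSPEC))
```

With the ticket's policy the negotiated algorithm is ecdsa-sha2-nistp256 whenever the server has an ECDSA key at all, so a known_hosts entry of any other type does nothing to suppress the prompt; the fingerprint printed for the ECDSA line can be compared by eye against the SHA256 value in the ssh transcript above. A more robust fix than pinning the single type the current policy happens to prefer is to record every host key the server offers, for example with `ssh-keyscan -t ecdsa,ed25519,rsa -p 29418 review.rdoproject.org` run from a trusted network position, so that a later change of HostKeyAlgorithms ordering does not reintroduce the prompt.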