SSH KexAlgorithms causes SSH daemon to fail #500
Comments
Running ssh-hardening after the upgrade command and before the reboot doesn't help as the ssh-daemon still reports OpenSSH version 8.4
For the people running into the same issue. We're doing this now before rebooting for the upgrade. Seems to work quite well.

```yaml
- name: Upgrade | Patch SSH algorithms to circumvent https://github.com/dev-sec/ansible-collection-hardening/issues/500
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^KexAlgorithms [email protected]'
    line: KexAlgorithms [email protected],[email protected],diffie-hellman-group-exchange-sha256
- name: Upgrade | Run system upgrade reboot
  command: "dnf system-upgrade reboot"
  ignore_errors: yes  # Fedora will kill this SSH connection immediately
  args:
    warn: false
```
I think Fedora did some custom patching here. Especially since the non-working Key Exchange is clearly in the list of supported Key Exchanges. This is somewhat puzzling.
This seems to be the culprit:

That's weird behavior imo: https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/#sect-upgraded-package-configurations
That Fedora behaviour is really, really weird. Who would want their basic services configuration to be reverted to the defaults automatically? 😒
I'm running into the same on Ubuntu 22.04. The above work-around does not work for me.
Update: This works for me:

```yaml
- name: Run devsec.hardening.ssh_hardening
  vars:
    ssh_kex:
      - [email protected]
      - [email protected]
      - diffie-hellman-group-exchange-sha256
  ansible.builtin.import_role:
    name: devsec.hardening.ssh_hardening
```
We should probably update the ciphers here: https://github.com/dev-sec/ssh-baseline/blob/master/libraries/ssh_crypto.rb Then we can also update the ciphers used in the collection.
Ubuntu 22.04 has a newer version of openssh that doesn't play well with the ssh_hardening playbook, as documented in dev-sec/ansible-collection-hardening#500. This works around it in a way that works for both 20.04 and 22.04.
- While setting up the latest test instances, we used Ubuntu 22.04 (LTS) and ran into an error when running the ssh hardening task: `Unsupported KEX algorithm "[email protected]"`. This is a reported issue that can be found at dev-sec/ansible-collection-hardening#500 and has the solution used here. It was reported that it works with Ubuntu 20.04 as well. We have all instances on either 20.04 or 22.04.
Should be fixed for some time now here: #437 and here dev-sec/ssh-baseline#209
Describe the bug
Because of the renaming of a KEX algorithm, an upgrade from Fedora 33 to 34 or 35 will cause the SSH daemon to crash on start with this message:

`Unsupported KEX algorithm "[email protected]"`

Although this algorithm was updated in #437, it's currently quite difficult to apply this fix as it's only run when the `sshd_version` is equal or above 8.5. Fedora 33 seems to have version 8.4. More details below. This is a continuation issue from #433.
Expected behavior
I think the key algorithm rename should be done before it causes problems. I'm also aware that this might not be possible, as OpenSSL didn't follow a nice deprecation path, it seems.
But I'm not sure about this, maybe we can change the key algorithm name already in 8.4, which would prevent this problem.
Actual behavior
SSH daemon crashes with the following message:

`Unsupported KEX algorithm "[email protected]"`
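The failure described in this issue, and worked around in the two playbook snippets above, is sshd refusing to start because a name in `KexAlgorithms` is unknown to the OpenSSH build that loads the file. The useful check before a restart is therefore to compare the configured names with what that build reports for `ssh -Q kex`. The following is an added example written for this issue (not code from the ssh_hardening role or from any commenter); the sshd_config fragment and the query output are constructed, and `old-kex-name-placeholder` stands in for whichever name was renamed and is not a real algorithm.

```python
"""Check whether every KEX algorithm named in an sshd_config is one the
target OpenSSH build supports, before sshd is restarted with that file.
Added example for this issue; not code from the ssh_hardening role.
"""
import re
import subprocess

# Constructed sample inputs (not captured from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,old-kex-name-placeholder
# a later duplicate is ignored by sshd: the first obtained value wins
KexAlgorithms diffie-hellman-group16-sha512
"""

# Constructed stand-in for `ssh -Q kex` output on the build that will load the file.
SAMPLE_QUERY_OUTPUT = """\
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
"""

# sshd accepts "Keyword value" and "Keyword=value", case-insensitively.
_KEX_LINE = re.compile(r"^kexalgorithms[\s=]+(\S+)", re.IGNORECASE)


def configured_kex(sshd_config):
    """Return the names from the first effective KexAlgorithms directive.

    sshd uses the first value it reads for a keyword, so later duplicates are
    ignored here too. A list starting with '-' only removes names from the
    default set and sshd does not require those names to exist, so it yields
    nothing to validate; '+' and '^' lists are validated like a plain list.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _KEX_LINE.match(line)
        if not match:
            continue
        value = match.group(1)
        if value.startswith("-"):
            return []
        if value[0] in "+^":
            value = value[1:]
        return [name for name in value.split(",") if name]
    return []  # no directive: sshd falls back to its built-in default list


def supported_kex(query_output):
    """Parse `ssh -Q kex` output (one algorithm name per line) into a set."""
    return {line.strip() for line in query_output.splitlines() if line.strip()}


def unsupported_kex(sshd_config, query_output):
    """Names the config asks for that the queried build does not offer.

    A non-empty result means sshd will refuse to start with this file
    ("Unsupported KEX algorithm"), which is the failure in this issue.
    """
    supported = supported_kex(query_output)
    return [name for name in configured_kex(sshd_config) if name not in supported]


def openssh_version(banner):
    """Turn a banner such as 'OpenSSH_8.4p1, OpenSSL 1.1.1k' into (8, 4).

    The role applies the renamed algorithm only from 8.5 on, so this is the
    comparison to make before deciding which name belongs in the config.
    """
    match = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no OpenSSH version in banner: %r" % banner)
    return int(match.group(1)), int(match.group(2))


def live_check(config_path="/etc/ssh/sshd_config"):
    """Run the comparison against the locally installed OpenSSH.

    Limitation noted in this issue: with dnf system-upgrade the new packages
    are installed during the reboot, so on a not-yet-rebooted host this
    queries the old build. Feed unsupported_kex() the new build's
    `ssh -Q kex` output instead in that case.
    """
    query = subprocess.run(["ssh", "-Q", "kex"], capture_output=True,
                           text=True, check=True).stdout
    with open(config_path) as fh:
        return unsupported_kex(fh.read(), query)


if __name__ == "__main__":
    bad = live_check()
    if bad:
        print("sshd would fail to start; unsupported KEX:", ", ".join(bad))
    else:
        print("all configured KEX algorithms are supported by this build")
```

`sshd -t -f <file>` performs the same validation natively and exits non-zero on an unknown algorithm, so in a `lineinfile` task the `validate` parameter can run it against the temporary file before the edit lands. Either way the comparison has to be made against the OpenSSH version that will actually start after the reboot, which is why the pre-reboot run of the role on Fedora did not help in the first comment.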
OS / Environment
Ansible Version
Role Version
/cc @schurzi @dlouzan