x/crypto/ssh: unsupported DSA key size 2048 #40691

Closed
YohanArnoux opened this issue Aug 11, 2020 · 10 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@YohanArnoux

What version of Go are you using (go version)?

$ go version
go version go1.13.8 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/yohan/.cache/go-build"
GOENV="/home/yohan/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/yohan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build019219636=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I try to connect to an OpenVMS server with an ssh2 RSA key (which works when I try to connect in the terminal with ssh -i etc.)

What did you expect to see?

No connection error

What did you see instead?

An error that says handshake failed: ssh: unsupported DSA key size 2048
But I'm using an ssh2-rsa 1024-bit key

@seankhliao
Member

Is the server you are connecting to using the DSA key?

Note: #40337 proposes removing support for DSA in ssh entirely.

@YohanArnoux
Author

No, I'm using an ssh2-rsa key.
I will try to remove DSA support, and if it doesn't work I will send back a message. Thank you!

@YohanArnoux
Author

I tried to remove the DSA file in my crypto folder and it doesn't work. I will wait for a response on note #40337. Thank you!

@rsc
Contributor

rsc commented Aug 11, 2020

What is the Go issue here? Is the client Go source code? Can you point us to the exact program you are running?
Assuming the OpenVMS server isn't lying, clearly something is finding a DSA key somewhere.

@YohanArnoux
Author

YohanArnoux commented Aug 11, 2020

Here is the code I'm using:

```go
package main

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"

	"golang.org/x/crypto/ssh"
)

func main() {
	// Client authentication key (separate from the server's host key).
	pk, err := ioutil.ReadFile(os.Getenv("HOME") + "/.ssh/id_rsa_1024_vms")
	if err != nil {
		panic(err)
	}
	signer, err := ssh.ParsePrivateKey(pk)
	if err != nil {
		panic(err)
	}

	config := &ssh.ClientConfig{
		User: "ya",
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signer),
		},
		// InsecureIgnoreHostKey accepts any host key without verifying it.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}
	// Legacy key exchange and cipher, set explicitly for this server.
	config.Config.KeyExchanges = []string{"diffie-hellman-group1-sha1"}
	config.Config.Ciphers = []string{"aes128-cbc"}

	client, err := ssh.Dial("tcp", "sg1.sysgroup.fr:1022", config)
	if err != nil {
		panic("Failed to dial: " + err.Error())
	}

	// Each ClientConn can support multiple interactive sessions,
	// represented by a Session.
	session, err := client.NewSession()
	if err != nil {
		panic("Failed to create session: " + err.Error())
	}
	defer session.Close()

	// Once a Session is created, you can execute a single command on
	// the remote side using the Run method.
	var b bytes.Buffer
	session.Stdout = &b

	if err := session.Run("ls"); err != nil {
		panic("Failed to run: " + err.Error())
	}
	fmt.Println(b.String())
}
```

@YohanArnoux
Author

The code stops at the "fail to dial" error with the famous unsupported key size.

@seankhliao
Member

As I mentioned before, the server you are connecting to is (only) offering a DSA key:

```
$ ssh -T -oKexAlgorithms=diffie-hellman-group1-sha1 -p 1022 sg1.sysgroup.fr
Unable to negotiate with 109.3.221.206 port 1022: no matching host key type found. Their offer: ssh-dss
```

@YohanArnoux
Author

I don't understand something: if the server is only offering a DSA key, why can I connect to it with an ssh2 RSA key when I do ssh -i, and not with Go?

@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 11, 2020
@andybons andybons added this to the Unplanned milestone Aug 11, 2020
@andybons andybons changed the title unsupported DSA key size 2048 x/crypto/ssh: unsupported DSA key size 2048 Aug 11, 2020
@seankhliao
Member

SSH public key auth needs 2 keys: 1 from the server, 1 from the client. Key types don't have to match, but the SSH client/daemon needs to be able to understand/use the keys of both itself and the other party.
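
The distinction drawn in the comment above, between the server's host key and the client's authentication key, can be checked from the host key blob itself. The following is an added example, not code from this issue or from x/crypto/ssh: it parses an SSH wire-format public key and reports the algorithm and, for `ssh-dss`, the size of p. `DescribeHostKey`, `DSASizeRejected` and `SampleDSSBlob` are hypothetical names, the sample blob is constructed rather than a real key, and the 1024-bit-only rule is an assumption about the client library version discussed here.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

// readString reads one length-prefixed SSH string (RFC 4251) from b.
func readString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated SSH string")
	}
	n := int(binary.BigEndian.Uint32(b))
	return b[4 : 4+n], b[4+n:], nil
}

// DescribeHostKey returns the key algorithm and, for ssh-dss, the bit length of p.
func DescribeHostKey(blob []byte) (algo string, bits int, err error) {
	name, rest, err := readString(blob)
	if err != nil || string(name) != "ssh-dss" {
		return string(name), 0, err
	}
	p, _, err := readString(rest) // the first mpint of an ssh-dss key is p
	if err != nil {
		return "ssh-dss", 0, err
	}
	return "ssh-dss", new(big.Int).SetBytes(p).BitLen(), nil
}

// DSASizeRejected encodes the assumed client rule: ssh-dss only with a 1024-bit p.
func DSASizeRejected(algo string, bits int) bool {
	return algo == "ssh-dss" && bits != 1024
}

// SampleDSSBlob builds a constructed ssh-dss blob (not a real key) with a p of the given size.
func SampleDSSBlob(bits int) []byte {
	p := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)).Bytes()
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-dss"), append([]byte{0}, p...), {1}, {2}, {3}} {
		// 4-byte big-endian length prefix; every field here is shorter than 65536 bytes.
		blob = append(append(blob, 0, 0, byte(len(f)>>8), byte(len(f))), f...)
	}
	return blob
}

func main() {
	algo, bits, err := DescribeHostKey(SampleDSSBlob(2048))
	fmt.Println(algo, bits, DSASizeRejected(algo, bits), err)
}
```

A key size reported this way belongs to the server's host key, which is why the client's own 1024-bit RSA key never appears in the error.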

@seankhliao
Member

Duplicate of #23751

@seankhliao seankhliao marked this as a duplicate of #23751 Sep 6, 2021
@golang golang locked and limited conversation to collaborators Sep 6, 2022