Tuesday, 2022-02-22

00:35 *** rlandy|ruck|bbl is now known as rlandy|ruck
00:44 *** rlandy|ruck is now known as rlandy|out
04:47 *** ysandeep|out is now known as ysandeep
06:22 <fnordahl> Since yesterday, my SSH keys are no longer accepted for git access to Gerrit. I tried to re-create the keys through the web UI but that does not appear to have helped. Anything up with the gerrit ssh key auth system atm?
07:34 *** amoralej|off is now known as amoralej
07:53 <frickler> fnordahl: did you possibly update your local ssh client or configuration? there was an issue which affected fedora 35 users amongst others
07:55 <fnordahl> frickler: I'm running on the development release of Ubuntu, Jammy, so that is quite possible. Do you have any details on what changed?
07:56 <frickler> fnordahl: let me try to find something
07:58 *** ysandeep is now known as ysandeep|lunch
08:01 <fnordahl> I see from the changelog that RSA signatures using SHA-1 are dropped, but neither my key nor the review.opendev.org keys appear to be in that category
08:04 <frickler> fnordahl: it's a question of bad negotiation. one workaround is to use an ed25519 key instead. and I just did a local test and it seems that indeed jammy has recently updated to openssh 8.8 which changed the client behavior
08:05 <frickler> I only found https://lists.opendev.org/pipermail/service-discuss/2021-October/000291.html so far which describes the issue. there is also some other workaround setting some ssh option
08:08 <fnordahl> frickler: great, thank you for the pointer. I'll try to find a workaround from that. The opendev gerrit does have an ED25519 key as one of its server keys, but it also has others: https://pastebin.ubuntu.com/p/CmpYh8J4qW/
08:11 <frickler> fnordahl: well the workaround would be for you to use an ed25519 key instead of your rsa key. the other option is to add "-o 'PubkeyAcceptedKeyTypes +ssh-rsa'" to your ssh command or ssh config
08:19 <fnordahl> frickler: that SSH option worked!
08:19 <fnordahl> For future travelers with OpenSSH 8.8, popping this into your ~/.ssh/config will get you sorted: https://pastebin.ubuntu.com/p/dG3Qws4MQs/
08:33 *** jpena|off is now known as jpena
08:41 *** ysandeep|lunch is now known as ysandeep
09:48 <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Add option to download log files to the directory  https://review.opendev.org/c/openstack/ci-log-processing/+/830337
10:58 *** bshephar1 is now known as bshephar
10:59 *** ysandeep is now known as ysandeep|dr_appt
11:15 *** rlandy|out is now known as rlandy|ruck
11:21 *** dviroel|out is now known as dviroel
12:24 <fungi> fnordahl: yes, the reason we haven't been specifically recommending that is that it does downgrade host authentication security compared to newer openssh defaults (though by downgrading them to the previous defaults, so it's probably reasonably safe if that's your preference)
12:25 <fungi> we have a long-standing bug with gerrit upstream trying to get their host key negotiation fixed
12:25 <fungi> this started cropping up in fedora 23 over a year ago
12:26 <fungi> if the built-in sshd for gerrit supported host key negotiation, it could continue to use rsa with a stronger hash and openssh would happily use that
12:43 <fnordahl> fungi: I understand the reluctance to document that workaround, and great that there is a bug with gerrit to fix the root of the issue.
12:44 <fnordahl> fungi: I don't really have a preference nor a choice, downgrading OpenSSH is not an option, so using this option specifically for the host review.opendev.org appears like a pragmatic path forward for me.
12:54 <fungi> sure, it's what i'll probably end up doing too now that openssh 8.8 has landed in debian/unstable
12:59 *** afaranha_ is now known as afaranha
13:01 <fungi> oh! looks like it's probably fixed in gerrit's master branch as of last month: https://bugs.chromium.org/p/gerrit/issues/detail?id=12758#c7
13:02 <fungi> "Bump sshd version to 2.8.0 and update jgit to 56f45e36d [...] SSHD-1216: Server-side implementation of the RFC 8332 server-sig-algs extension: the server announces that it prefers the SHA-2 signatures for RSA keys."
13:02 *** ysandeep|dr_appt is now known as ysandeep
13:04 *** rlandy|ruck is now known as rlandy|ruck|mtg
13:04 <fungi> likely not trivially backportable, so may have to wait for us to upgrade to 3.6
13:07 <fungi> yeah, i don't see it in the stable-3.5 branch history
13:07 <fungi> (and we're still on 3.4 at the moment)
13:08 *** amoralej is now known as amoralej|lunch
13:25 <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Add option to download log files to the directory  https://review.opendev.org/c/openstack/ci-log-processing/+/830337
14:13 *** amoralej|lunch is now known as amoralej
14:15 <frickler> hmm, I tested with 3.5.0.1-1504-gd4e5d1cbb8 which should be the latest master and it doesn't seem to fix the issue
14:23 *** rlandy|ruck|mtg is now known as rlandy|ruck
14:26 <fungi> frickler: and it included mina-sshd 2.8.0?
14:26 <fungi> maybe it also needs to be configured in gerrit
14:31 <frickler> I'm not sure how to check what it includes, I just built a container according to https://www.github.com/GerritCodeReview/docker-gerrit and ran it in the zuul quickstart environment
14:34 <frickler> actually it says so: Remote protocol version 2.0, remote software version GerritCodeReview_3.5.0.1-1504-gd4e5d1cbb8 (APACHE-SSHD-2.8.0)
14:35 <fungi> huh, so it's got the fix in theory, but maybe the extension has to be explicitly enabled by gerrit or something
14:35 <fungi> or maybe the fix is broken
14:39 *** ysandeep is now known as ysandeep|dinner
14:43 <frickler> my money is on the latter option. I tried setting sshd.enableDeprecatedKexAlgorithms = true but that didn't help, either
14:47 <fungi> i guess followup to the chromium and/or apache bug trackers is in order if we're sure it still doesn't work
15:10 *** ysandeep|dinner is now known as ysandeep
15:11 *** dviroel is now known as dviroel|lunch
15:15 <opendevreview> yatin proposed openstack/project-config master: Update Neutron's Dashboard as per recent changes  https://review.opendev.org/c/openstack/project-config/+/830440
15:48 <clarkb> fungi: frickler: I think mina 2.8.0 only fixes it for the client side which gerrit uses for replication. The server side, which our users run into, needs the next mina update
15:48 <clarkb> the problem there originates in mina itself marking the original bug that ianw filed as fixed when they only fixed the client side
15:49 <clarkb> I had to respond (and maybe I created a new issue?) basically saying this only fixed half the problem and not the half of the problem we were concerned about
15:50 <fungi> clarkb: not sure then why it mentions "Server-side implementation" in the release note from mina
15:50 <fungi> the SSHD-1216 jira ticket seemed to be about fixing it for the server side once it was pointed out that the original fix was only on the client side
15:50 <clarkb> https://issues.apache.org/jira/browse/SSHD-1141 is the original. Then 1216 is what should've addressed the server side
15:51 <fungi> right
15:51 <clarkb> https://issues.apache.org/jira/browse/SSHD-1216 and that does report 2.8.0 includes the fix
15:51 <fungi> which should be included in 2.8.0 if i'm reading correctly
15:51 <clarkb> so ya maybe the fix isn't complete
15:53 <clarkb> https://bugs.chromium.org/p/gerrit/issues/detail?id=13930 is the gerrit side issue. Maybe we should update that issue?
15:55 <clarkb> frickler: if you still have the up to date gerrit install looking at the ssh -vvv output is helpful. You should see the client try to do the kex negotiation and then the server ignore it. you can compare against the production gerrit to see the difference if there is one
15:55 <frickler> clarkb: I already did that and found no difference
15:56 <clarkb> My hunch then is this is due to how gerrit is constructing the server
15:56 <clarkb> since the change on the mina side does seem to implement it, but it is in a default kex handler and maybe gerrit isn't applying that properly
16:09 <opendevreview> Merged openstack/project-config master: Move missed repos under openstack-ansible-roles ACL  https://review.opendev.org/c/openstack/project-config/+/829278
16:10 <clarkb> frickler: yes I think that is the issue. I can work on a change for upstream between meetings
16:10 <clarkb> Harder for me to test as I don't have a gerrit master test setup right now though
16:11 <frickler> clarkb: I just used the zuul quickstart setup and replaced the gerrit container
16:12 <frickler> only change needed was to add "user: root" in the docker-compose
16:14 <clarkb> frickler: what did you replace the container with? But also that's a good hint. Thanks
16:15 *** dviroel|lunch is now known as dviroel
16:15 <frickler> clarkb: built locally with https://www.github.com/GerritCodeReview/docker-gerrit and the instructions for the master branch there with Dockerfile-dev
16:16 <frickler> so only "docker build -t gerritcodereview/gerrit:dev -f Dockerfile-dev ."
16:16 <frickler> in ubuntu/20
16:17 <clarkb> thanks!
16:18 <frickler> oh, there was some apt failure, too, needed to add DEBIAN_FRONTEND=noninteractive to the apt command
16:19 * frickler goes away for a bit, bbl
16:39 <clarkb> github is having issues which means I can't run my local build :) I suspect pushing to upstream won't help either.
16:44 <clarkb> https://www.githubstatus.com/ reports everything is fine but https://github.com/bazelbuild/rules_nodejs/releases/download/5.1.0/rules_nodejs-5.1.0.tar.gz is a 503 for me. Is anyone else able to reach that tarball?
16:45 * clarkb finds breakfast and hopes that github manages to fix this in the meantime
16:48 <fungi> 200 OK
16:48 <fungi> maybe there's a bad cdn endpoint
16:48 <fungi> i was able to download it fine
17:02 <clarkb> hrm ya still failing here. Probably their cdn then
17:03 <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Add option to download log files to the directory  https://review.opendev.org/c/openstack/ci-log-processing/+/830337
17:08 <clarkb> https://github.com/github/feedback/discussions/11915 I'm not the only one
17:16 *** ysandeep is now known as ysandeep|out
17:24 *** Guest7 is now known as diablo_rojo_phone
17:24 *** diablo_rojo_phone is now known as Guest229
17:41 <clarkb> ok github doesn't explode anymore but now my bazel is too old. Time to look at their directions for master builds
17:42 *** jpena is now known as jpena|off
17:45 *** amoralej is now known as amoralej|off
18:51 <opendevreview> Merged openstack/project-config master: Update Neutron's Dashboard as per recent changes  https://review.opendev.org/c/openstack/project-config/+/830440
18:57 <clarkb> debug1: kex_input_ext_info: server-sig-algs=<...rsa-sha2-512,rsa-sha2-256,ssh-rsa>
18:58 <clarkb> That shows up when I try to ssh to my local build. I haven't managed to configure it to accept a specific key (turns out this is a huge pita when you use an agent without key material on disk)
18:58 <clarkb> I think I'll go ahead and push what I have after the infra meeting and then people can look at it closer
18:58 <clarkb> I really wish that there was a way to say "use this key" without having material on disk
18:59 <clarkb> seems like you have to have at least the pubkey on disk
18:59 <clarkb> anyway that log line doesn't show up when I talk to review.opendev.org
18:59 <clarkb> I think that implies this is working
18:59 <clarkb> even if I don't have fully successful authentication
19:00 <clarkb> also when you specify -i with a key that is on disk it tries your agent keys anyway
19:00 <clarkb> why is ssh so obtuse about this
19:03 <fungi> hiding details from users is apparently a sign of "usability"
19:04 <clarkb> fungi: since you use rsa keys can you double check if that log line debug1: kex_input_ext_info: server-sig-algs shows up for you or not?
19:04 <clarkb> I'm worried that since I talked ed25519 to review.o.o it may have short circuited and I'm missing something
19:04 <clarkb> but since you use rsa it not showing up would be clear indication my change makes a difference?
19:05 <clarkb> and I'll also try to figure out adding my test key to my local test setup to see if it can rsa with sha2
19:05 <fungi> what should i be trying to ssh into?
19:06 <clarkb> fungi: review.o.o port 29418 using your normal rsa ssh key
19:06 <clarkb> using at least -v
19:06 <clarkb> I was doing gerrit ls-projects but any other command is probably fine too
19:07 <fungi> clarkb: it does not show up for me with ssh -v to our gerrit, no
19:07 <clarkb> thanks! I think that is pretty clear indication my fix does something :)
19:08 <clarkb> I'll get the change pushed up after the meeting
19:08 <fungi> cool, thanks
19:40 *** tbarron is now known as Guest252
19:43 <clarkb> I was able to confirm using rsa to a build of my change worked after adding my key to the account. Now I'm building an upstream build without my change in it to perform the same test which should fail
19:47 <clarkb> cool and now confirmed what frickler was seeing with the upstream war
19:54 <clarkb> frickler: good catch on that and thank you for saying something. Would've been frustrating if 3.6 released and we assumed the problem was fixed only for it to still be broken :)
19:55 <fungi> indeed!
20:07 <frickler> well I had the zuul setup still up from some other test, and I hoped to be able to simply confirm the fix instead of falsifying
21:23 *** dviroel is now known as dviroel|brb
21:40 *** dviroel|brb is now known as dviroel
23:57 *** rlandy|ruck is now known as rlandy|out

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!