packer-plugin-ansible

SSH generated key: DSA deprecated on some systems

Open lerenn opened this issue 3 years ago • 1 comments

Overview of the Issue

When using the plugin on Fedora 33+, you can't log in to the VM, and this is displayed:

==> amazon-ebs.debian: failed to handshake
amazon-ebs.debian: fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '[127.0.0.1]:38133' (RSA) to the list of known hosts.\r\nsign_and_send_pubkey: no mutual signature supported\r\[email protected]: Permission denied (publickey).", "unreachable": true}

I have found that "sign_and_send_pubkey: no mutual signature supported" seems to be caused by temporary keys generated by Ansible, using the DSA format, which is considered insecure and is not supported anymore.

A temporary solution is to authorize DSA keys on the client, which has worked for me:

echo "PubkeyAcceptedKeyTypes +ssh-dss" >> ~/.ssh/config
chmod 0600 ~/.ssh/config

Reproduction Steps

  • Use a system that doesn't allow DSA keys (like a Fedora system)
  • Create an example with a simple ansible script
  • Watch the logs

Plugin and Packer version

From packer version 1.7.3 and default ansible plugin

Operating system and Environment details

Fedora 34, amd64.

Logs

    amazon-ebs.debian:
    amazon-ebs.debian: PLAY [Configure the system] ****************************************************
    amazon-ebs.debian:
    amazon-ebs.debian: TASK [Gathering Facts] *********************************************************
==> amazon-ebs.debian: failed to handshake
    amazon-ebs.debian: fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '[127.0.0.1]:33277' (RSA) to the list of known hosts.\r\nsign_and_send_pubkey: no mutual signature supported\r\[email protected]: Permission denied (publickey).", "unreachable": true}
    amazon-ebs.debian:
    amazon-ebs.debian: PLAY RECAP *********************************************************************
    amazon-ebs.debian: default                    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0

lerenn, Jun 23 '21 16:06
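
Added example, not part of the original issue or the plugin's code: the workaround above appends its directive to the end of `~/.ssh/config`, so it applies to every host when the file has no `Host`/`Match` line and only to the last such block otherwise. This shell function reports each place a config re-enables `ssh-dss` and the scope it lands in; the function names, the `bastion` host and the demo files are constructed for illustration, and `PubkeyAcceptedAlgorithms` is included as the newer OpenSSH name for `PubkeyAcceptedKeyTypes`.

```sh
#!/bin/sh
# Added example: list where an ssh_config re-enables a legacy key algorithm
# and the scope the directive falls under. ssh_config directives apply to the
# most recent Host/Match line above them, or to every host if there is none.

# audit_ssh_config FILE [ALGS]   (ALGS: comma-separated, default "ssh-dss")
# Output: scope <TAB> line number <TAB> directive <TAB> algorithm
audit_ssh_config() {
    awk -v legacy="${2:-ssh-dss}" '
    BEGIN {
        scope = "GLOBAL"
        k = split(legacy, names, ",")
        for (i = 1; i <= k; i++) bad[names[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        # keyword and value are separated by whitespace and/or "="
        if (!match(line, /[ \t=]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host" || key == "match") { scope = line; next }
        if (key != "pubkeyacceptedkeytypes" &&
            key != "pubkeyacceptedalgorithms") next
        gsub(/"/, "", val)
        if (val ~ /^-/) next                     # "-list" removes algorithms
        sub(/^[+^]/, "", val)                    # "+list" / "^list" add them
        m = split(val, algs, ",")
        for (i = 1; i <= m; i++)
            if (algs[i] in bad)
                printf "%s\t%d\t%s\t%s\n", scope, NR, key, algs[i]
    }' "$1"
}

# Constructed demo: the same append lands in different scopes.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/empty"
    printf 'Host bastion\n    User admin\n' > "$d/with_host"
    for f in "$d/empty" "$d/with_host"; do
        echo "PubkeyAcceptedKeyTypes +ssh-dss" >> "$f"
        audit_ssh_config "$f"
    done
    rm -rf "$d"
}
```

A `GLOBAL` row means the legacy algorithm is accepted for every host the client connects to; placing the directive under a `Host` line for the build target keeps the exception narrow.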