
Workaround SSH error "no matching host key type found. Their offer: ssh-rsa"

Open invidian opened this issue 2 years ago • 4 comments

What steps did you take and what happened:

Right now, if one builds the CAPI images with OpenSSH version 8.8+ on the host system, the environment variable below is required to make provisioning work. This is because OpenSSH, starting from version 8.8, has disabled the ssh-rsa algorithm in the default configuration, and this is what the Ansible plugin for Packer still generates.

ANSIBLE_SSH_ARGS="-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa"

What did you expect to happen:

Builds to work on modern systems out of the box.

Anything else you would like to add:

I suggest we commit those arguments as the default ones until the upstream issue is resolved.

As an alternative, we could try disabling the Ansible provisioner proxy, bypassing local key generation completely. I don't know what side effects that creates though.

Environment:

Project (Image Builder for Cluster API, kube-deploy/imagebuilder, konfigadm): Image Builder for Cluster API

Additional info for Image Builder for Cluster API related issues:

  • OS (e.g. from /etc/os-release, or cmd /c ver): Arch Linux
  • Packer Version: 1.8.1
  • Packer Provider:
  • Ansible Version: 2.11.5

/kind bug [One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels]

CC @kopiczko

May 30 '22 16:05 invidian

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Aug 28 '22 16:08 k8s-triage-robot

/remove-lifecycle stale

Aug 28 '22 19:08 invidian

Looks like this problem also prevents being able to use Ubuntu 22.04 as a base VM. Doesn't look like the env var can be used as a workaround in that situation (at least it didn't work for me).

Although the error is somewhat different so I may be mistaken that it's the same problem:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Oct 10 '22 15:10 AverageMarcus

We successfully implemented a workaround in our environment by directly setting

"existing_ansible_ssh_args": "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"

Oct 14 '22 04:10 Meecr0b
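
Added example, not part of the thread or of image-builder's own code: a shell helper that reads the effective client configuration printed by `ssh -G` and emits only the `+ssh-rsa` options the build host actually lacks, so the legacy algorithm is re-enabled only where OpenSSH has dropped it. The function names and the sample `ssh -G` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ssh -G` output which ssh-rsa options are needed.

# has_ssh_rsa KEYWORD: read `ssh -G` output on stdin; succeed only if the
# algorithm list for KEYWORD holds the exact token "ssh-rsa"
# (ssh-rsa-cert-v01@openssh.com must not count as a match).
has_ssh_rsa() {
    awk -v key="$1" '
        $1 == key {
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++) if (algos[i] == "ssh-rsa") found = 1
        }
        END { exit !found }'
}

# ssh_rsa_args: read `ssh -G` output on stdin and print the -o options that
# are still required (prints nothing when ssh-rsa is already enabled).
ssh_rsa_args() {
    cfg=$(cat)
    args=""
    printf '%s\n' "$cfg" | has_ssh_rsa hostkeyalgorithms ||
        args="-oHostKeyAlgorithms=+ssh-rsa"
    # OpenSSH 8.5 renamed PubkeyAcceptedKeyTypes to PubkeyAcceptedAlgorithms,
    # so older clients print the old keyword; accept either one.
    if ! printf '%s\n' "$cfg" | has_ssh_rsa pubkeyacceptedalgorithms &&
       ! printf '%s\n' "$cfg" | has_ssh_rsa pubkeyacceptedkeytypes; then
        args="${args:+$args }-oPubkeyAcceptedAlgorithms=+ssh-rsa"
    fi
    printf '%s' "$args"
}

# Constructed sample: client whose defaults no longer include ssh-rsa.
SAMPLE_MODERN='hostkeyalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Constructed sample: older client that still enables ssh-rsa by default.
SAMPLE_LEGACY='hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

printf 'modern: [%s]\n' "$(printf '%s\n' "$SAMPLE_MODERN" | ssh_rsa_args)"
printf 'legacy: [%s]\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | ssh_rsa_args)"

# On a real build host (the host name is a placeholder):
#   ANSIBLE_SSH_ARGS=$(ssh -G packer-target | ssh_rsa_args)
```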