Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ed25519 Algorithm Compatibility #2094

Open
charlieartist opened this issue Dec 12, 2021 · 9 comments
Open

Ed25519 Algorithm Compatibility #2094

charlieartist opened this issue Dec 12, 2021 · 9 comments

Comments

@charlieartist
Copy link

Since more web servers are moving toward a higher level of security, and OpenSSH updates are recommending the Ed25519 Algorithm, would it be a good idea if Capistrano allowed its use by default, instead of having to update Net-SSH manually?

Even GitHub is recommending this algorithm.
@tacerus
Copy link

tacerus commented Dec 12, 2021

Hi, I just opened an issue (capistrano/sshkit#495) and then found yours - could you elaborate on updating Net-SSH manually? I wonder if it is related to my situation and would like to give it a try. I installed Capistrano in RVM, does that make a difference? My apologies if these are rookie questions - I rarely work with Ruby but try to utilize Capistrano more.

@mattbrictson
Copy link
Member

Capistrano uses net-ssh, and net-ssh has chosen not to include ed25519 support by default. To enable it, you have to install two additional gems, like this:

gem "bcrypt_pbkdf", require: false
gem "ed25519", require: false

If you don't do this, then net-ssh should helpfully print an error message when you try to connect using an ed25519 key:

net-ssh requires the following gems for ed25519 support:
 * ed25519 (>= 1.2, < 2.0)
 * bcrypt_pbkdf (>= 1.0, < 2.0)
See https://github.com/net-ssh/net-ssh/issues/565 for more information

Is this the "having to update net-ssh manually" that you mentioned?

Since ed25519 is very common these days (as you pointed out), we could document this better in the Capistrano README, something I proposed in #1825. Would that be a good solution?

@tacerus
Copy link

tacerus commented Dec 13, 2021

Thank you!
Yes, that is what I meant. It looks like my issue is not related however, I still receive the same output, and it does not show the useful error message you pointed out. But it was worth a try!

@charlieartist
Copy link
Author

@mattbrictson It may also be good to give alternate instructions for users who aren't using gemfiles in projects, and aren't that well-versed in Ruby. Would something like this work?
gem install 'bcrypt_pbkdf:<2.0' 'ed25519:<2.0'

@mattbrictson
Copy link
Member

gem install 'bcrypt_pbkdf:<2.0' 'ed25519:<2.0'

@charlieartist yes, that should work.

@DaniG2k
Copy link

DaniG2k commented Jun 4, 2022
edited
Loading

I think I've encountered an issue related to this. My server has an id_ed25519 key. When I try to deploy with cap production deploy I am seeing the following error:

#<Thread:0x0000000109077510 /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:10 run> terminated with exception (report_on_exception is true):
/Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:15:in `rescue in block (2 levels) in execute': Exception while executing as deploy@xxx.xx.xxx.xxx: Authentication failed for user deploy@xxx.xx.xxx.xxx (SSHKit::Runner::ExecuteError)
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:11:in `block (2 levels) in execute'
/Users/me/.rvm/gems/ruby-3.1.2/gems/net-ssh-6.1.0/lib/net/ssh.rb:268:in `start': Authentication failed for user deploy@xxx.xx.xxx.xxx (Net::SSH::AuthenticationFailed)
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/connection_pool.rb:63:in `call'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/connection_pool.rb:63:in `with'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/netssh.rb:177:in `with_ssh'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/netssh.rb:130:in `execute_command'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:148:in `block in create_command_and_execute'
        from <internal:kernel>:90:in `tap'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:148:in `create_command_and_execute'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:61:in `test'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/capistrano-passenger-0.2.1/lib/capistrano/tasks/passenger.cap:43:in `block (3 levels) in <top (required)>'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:31:in `instance_exec'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/backends/abstract.rb:31:in `run'
        from /Users/me/.rvm/gems/ruby-3.1.2/gems/sshkit-1.21.2/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as deploy@xxx.xx.xxx.xxx: Authentication failed for user deploy@xxx.xx.xxx.xxx


Caused by:
Net::SSH::AuthenticationFailed: Authentication failed for user deploy@xxx.xx.xxx.xxx

Tasks: TOP => rvm:hook => passenger:rvm:hook => passenger:test_which_passenger

I can't figure out why this is happening, but my guess is that it has something to do with OpenSSH and ed25519 encryption 🤔

@mattbrictson
Copy link
Member

Capistrano actually uses the net-ssh gem for SSH, not OpenSSH. Can you run irbto start a Ruby console and then test the following (substitute xxx.xx.xxx.xxx with your action hostname)?

$ irb
>> require "net/ssh"
true
>> Net::SSH.start("xxx.xx.xxx.xxx", "deploy")

If you still get a Net::SSH::AuthenticationFailed exception, then this is probably a net-ssh issue and not a capistrano one.

@DaniG2k
Copy link

DaniG2k commented Jun 5, 2022
edited
Loading

Thanks, yes it seems to be a net-ssh problem in that case 🤔 I've raised an issue there.

@antarr
Copy link

antarr commented Dec 1, 2022

I'm running into a simalar error. But it's not attempting to use the key. I being prompted for a password that is not accepted.

 bundle exec cap production deploy:check
/Users/antarr/.rbenv/versions/3.0.1/lib/ruby/3.0.0/digest.rb:6: warning: already initialized constant Digest::REQUIRE_MUTEX
/Users/antarr/.rbenv/versions/3.0.1/lib/ruby/gems/3.0.0/gems/digest-3.1.0/lib/digest.rb:20: warning: previous definition of REQUIRE_MUTEX was here
ubuntu@myserver.com's password:
ubuntu@myserver.com's password:(Backtrace restricted to imported tasks)
cap aborted!
Interrupt: 
set :ssh_options, {
  forward_agent: true,
  user: fetch(:user),
  keepalive: true,
  keys: %w(~/.ssh/id_rsa ~/.ssh/id_ed25519),
}

@brianjaustin brianjaustin mentioned this issue Mar 3, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@mattbrictson @antarr @DaniG2k @charlieartist @tacerus