Closed cnieves1 closed 1 year ago
Hey thanks for reporting! Sounds severe.
The other SSH options do not apply to the key generation: https://github.com/ThomDietrich/home-assistant-addons/blob/master/autossh/run.sh#L27=
I see no harm in switching the standard key type. I will commit an untested change now. Would you please be so kind and let me know if version 1.0.8 resolves the issue!?
I've pushed the change to a branch but not yet to master: https://github.com/ThomDietrich/home-assistant-addons/commit/7a4f395671e7debdddeb486978eebd8811a66502
I'm troubled by the implications of this. Every setup of this add-on will need to replace their keys after the update. They might lose temporary access to their setup. I need to leave in a few minutes and have to think about this later. Any thoughts?
Sure! I can check the key algorithm in the log, but I have to wait until tomorrow to upload the key to the server and check the connection...
I have the auto update checked on for this addon, so it should update automatically. If it doesn't, do you know how to force the update manually?
Thanks,
As I said, this is in another branch and won't pop up as an automatic update.
I was actually thinking about a warning in the update release notes but people like you, with automatic update, won't read these. Damn...
I am thinking of users who can't physically reach their instance. The add-on will stop working and you and I are to blame :D
Can't find the update because it is on a branch... Tried with a file editor, but I couldn't find the file... Maybe because it is on a docker? I tried a 'find / -iname "autossh"' in the ssh docker with no results, I think because it is a different docker... Any ideas?
I frequently update my HAOS. For instance, this remote access stopped working some weeks ago, but I only recently realized it lies at the roots of the ssh algorithm.
I think you can ask the HA folks to drop a note in their blog about this. At least I read it... And for the future, it seems a good idea that the user could change the algorithm in the configuration...
By the way, I don't see any risk in changing the default key generation algorithm.
For users with this addon installed, everything will be the same until they switch on the force keygen option. The only thing you have to do is to be able to support both filenames: autossh_rsa_key.pub and autossh_key.pub. Maybe use the latter if it exists, and the former in case it doesn't...
I am going on vacation today and wanted to avoid breaking anything. I've just pushed the update and it seems to work without any further action 👍 Thanks! Cheers
Unfortunately I think this still happens with HAOS 2022.9.6 and Fedora 36 as host. On my Fedora 36 host I get the following errors logged:
Sep 29 23:12:32 v2202201153511174265 sshd[504544]: Unable to negotiate with port 15749: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
Sep 29 23:12:32 v2202201153511174265 sshd[504542]: Unable to negotiate with port 15817: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Hey @Cogitri, "Fedora 36 as host" you mean Fedora on the SSH server? Otherwise it seems to work quite well so far
Yup, seems like the Fedora 36/37 OpenSSH 8.8 server doesn't like the ed25519 key. Changing it to a (secure) RSA one works (I just changed this in my fork for now)
That's annoying. How do you reckon we solve this? I would really hate to need to introduce this as a config option, but might be the only solution!?
Hm, possibly. I have to admit I'm not quite sure why the Fedora server doesn't accept the ED25519 key, so maybe a config option would work.
Could you do us a favor and do a bit of research? I can't imagine a modern system to not support this new key type, which is available and recommended for a long time. If still needed, happy to accept a pull-request with an optional config parameter, defaulting to ed25519.
@cnieves1 what do you think?
Hi, I have autossh version 1.0.0 installed. I updated to HA OS 2022.6.0, and I'm no longer able to log in to my remote server (which didn't change). I get the following log:
It seems RSA is no longer supported by installed SSH: https://www.linuxadictos.com/en/openssh-8-8-arrives-saying-goodbye-to-ssh-rsa-support-bug-fixes-and-more.html
I tried to generate ed25519 SSH keys adding "-t ed25519" to "other SSH options" in AutoSSH configuration but it keeps generating an RSA key...
How can I solve this?
Thanks in advance!
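
The fallback suggested in the thread (use autossh_key.pub if it exists, otherwise autossh_rsa_key.pub) written as a shell check. This is an added example, not code from the add-on's run.sh; the directory argument, function names and report tokens are hypothetical, and the sample key is constructed.

```shell
#!/bin/sh
# Added example: key-file fallback for an installation that may still hold
# the legacy RSA key. The two .pub file names come from the thread; the
# function names and the report tokens are hypothetical.

# Print the key type recorded in an OpenSSH public key file (its first field).
pubkey_type() {
    awk 'NR == 1 { print $1 }' "$1"
}

# Print the public key file to use: new name first, legacy RSA name second.
# Returns 1 when neither exists, so the caller knows a key must be generated.
select_pubkey() {
    dir=$1
    for name in autossh_key.pub autossh_rsa_key.pub; do
        if [ -s "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Report what an upgrade should do with the key material found in a directory.
key_report() {
    pub=$(select_pubkey "$1") || { echo "generate"; return 0; }
    ktype=$(pubkey_type "$pub")
    case $ktype in
        ssh-ed25519) echo "keep-ed25519 $pub" ;;
        ssh-rsa)     echo "legacy-rsa $pub" ;;   # keep working, flag for rotation
        *)           echo "unknown-$ktype $pub" ;;
    esac
}

# Constructed demo: a directory that only holds the legacy RSA public key.
demo_dir=$(mktemp -d)
echo "ssh-rsa AAAAconstructed legacy@example" > "$demo_dir/autossh_rsa_key.pub"
key_report "$demo_dir"
rm -rf "$demo_dir"
```

Selecting by file presence keeps an existing installation on its current key until a new one is generated, and the `legacy-rsa` token gives the upgrade path a place to log a rotation warning.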