net-ssh / net-sftp

Pure Ruby implementation of an SFTP (protocols 1-6) client.
http://net-ssh.github.io/
MIT License

Upgrading to ruby 3.1 leads to "verify_signature" error #130

Closed quantson closed 2 years ago

quantson commented 2 years ago

Hello,

We're using the net-sftp gem to connect to various SFTP servers hosted by our customers. We recently upgraded to ruby 3.1 from 3.0.2 and are now receiving the below exception on a small sample of our outgoing connections (3 out of approximately 20 different servers).

/usr/local/bundle/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:101:in `verify_signature': could not verify server signature (Net::SSH::Exception)

I unfortunately don't know much about how those distant servers are set up. I've tried to connect using the append_all_supported_algorithms: true to ssh options but it didn't change anything.

Prior to update:
ruby version: 3.0.2
net-ssh version: 6.1.0
net-sftp version: 3.0.0

After update:
ruby version: 3.1.0
net-ssh version: 6.1.0
net-sftp version: 3.0.0

edit: adding verbose debug output

D, [2022-01-17T18:17:20.809841 #685] DEBUG -- net.ssh.transport.session[35d7c]: establishing connection to xx.xxx.xxx.xxx:2221
D, [2022-01-17T18:17:20.821827 #685] DEBUG -- net.ssh.transport.session[35d7c]: connection established
I, [2022-01-17T18:17:20.822213 #685]  INFO -- net.ssh.transport.server_version[35d90]: negotiating protocol version
D, [2022-01-17T18:17:20.822409 #685] DEBUG -- net.ssh.transport.server_version[35d90]: local is `SSH-2.0-Ruby/Net::SSH_6.1.0 x86_64-linux'
D, [2022-01-17T18:17:20.855658 #685] DEBUG -- net.ssh.transport.server_version[35d90]: remote is `SSH-2.0-mod_sftp'
I, [2022-01-17T18:17:20.856676 #685]  INFO -- net.ssh.transport.algorithms[35da4]: sending KEXINIT
D, [2022-01-17T18:17:20.856956 #685] DEBUG -- socket[35db8]: queueing packet nr 0 type 20 len 796
D, [2022-01-17T18:17:20.857200 #685] DEBUG -- socket[35db8]: sent 800 bytes
D, [2022-01-17T18:17:20.857583 #685] DEBUG -- socket[35db8]: read 288 bytes
D, [2022-01-17T18:17:20.857915 #685] DEBUG -- socket[35db8]: received packet nr 0 type 20 len 284
I, [2022-01-17T18:17:20.858096 #685]  INFO -- net.ssh.transport.algorithms[35da4]: got KEXINIT from server
I, [2022-01-17T18:17:20.858242 #685]  INFO -- net.ssh.transport.algorithms[35da4]: negotiating algorithms
D, [2022-01-17T18:17:20.859040 #685] DEBUG -- net.ssh.transport.algorithms[35da4]: negotiated:
* kex: diffie-hellman-group-exchange-sha256
* host_key: ssh-rsa
* encryption_server: aes256-ctr
* encryption_client: aes256-ctr
* hmac_client: hmac-sha2-512
* hmac_server: hmac-sha2-512
* compression_client: none
* compression_server: none
* language_client: 
* language_server: 
D, [2022-01-17T18:17:20.859214 #685] DEBUG -- net.ssh.transport.algorithms[35da4]: exchanging keys
D, [2022-01-17T18:17:20.859593 #685] DEBUG -- socket[35db8]: queueing packet nr 1 type 34 len 20
D, [2022-01-17T18:17:20.859783 #685] DEBUG -- socket[35db8]: sent 24 bytes
D, [2022-01-17T18:17:21.090983 #685] DEBUG -- socket[35db8]: read 280 bytes
D, [2022-01-17T18:17:21.091320 #685] DEBUG -- socket[35db8]: received packet nr 1 type 31 len 276
D, [2022-01-17T18:17:21.101149 #685] DEBUG -- socket[35db8]: queueing packet nr 2 type 32 len 268
D, [2022-01-17T18:17:21.101546 #685] DEBUG -- socket[35db8]: sent 272 bytes
D, [2022-01-17T18:17:21.112042 #685] DEBUG -- socket[35db8]: read 848 bytes
D, [2022-01-17T18:17:21.112263 #685] DEBUG -- socket[35db8]: received packet nr 2 type 33 len 828
/usr/local/bundle/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:101:in `verify_signature': could not verify server signature (Net::SSH::Exception)
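
Added example (not part of the original post, and not net-ssh code): a small Ruby parser for debug output in the format quoted above. It pulls out the server banner, the negotiated algorithms and the step at which the handshake failed, so that logs from failing and working servers can be compared. The function names are hypothetical, and `SAMPLE_LOG` is abbreviated from the log in the post.

```ruby
# Added example: SAMPLE_LOG is abbreviated from the debug output in the post above.
SAMPLE_LOG = <<~'LOG'
  D, [2022-01-17T18:17:20.855658 #685] DEBUG -- net.ssh.transport.server_version[35d90]: remote is `SSH-2.0-mod_sftp'
  D, [2022-01-17T18:17:20.859040 #685] DEBUG -- net.ssh.transport.algorithms[35da4]: negotiated:
  * kex: diffie-hellman-group-exchange-sha256
  * host_key: ssh-rsa
  * encryption_server: aes256-ctr
  * encryption_client: aes256-ctr
  * hmac_client: hmac-sha2-512
  * hmac_server: hmac-sha2-512
  * compression_client: none
  * compression_server: none
  * language_client: 
  * language_server: 
  D, [2022-01-17T18:17:20.859214 #685] DEBUG -- net.ssh.transport.algorithms[35da4]: exchanging keys
  /usr/local/bundle/gems/net-ssh-6.1.0/lib/net/ssh/transport/kex/abstract.rb:101:in `verify_signature': could not verify server signature (Net::SSH::Exception)
LOG

# Hypothetical helper: reduce one connection's debug log to the facts worth comparing.
def summarize_handshake(log)
  summary = { remote: nil, negotiated: {}, last_step: nil, error: nil }
  in_negotiated = false
  log.each_line(chomp: true) do |line|
    if in_negotiated && (m = line.match(/\A\* (\w+): ?(.*)\z/))
      summary[:negotiated][m[1].to_sym] = m[2].strip
      next
    end
    in_negotiated = false # any other line ends the "negotiated:" list
    case line
    when /remote is `([^']+)'/ then summary[:remote] = $1
    when /\]: negotiated:\z/ then in_negotiated = true
    when /(?:INFO|DEBUG) -- net\.ssh\.transport\.algorithms\[\h+\]: (.+)\z/
      summary[:last_step] = $1
    when /in `(\w+)': (.+) \((Net::SSH::\w+)\)\z/
      summary[:error] = { method: $1, message: $2, class: $3 }
    end
  end
  summary
end

# Hypothetical helper: algorithms that differ between two summaries (failing vs. working server).
def negotiated_diff(a, b)
  (a[:negotiated].keys | b[:negotiated].keys).each_with_object({}) do |k, out|
    out[k] = [a[:negotiated][k], b[:negotiated][k]] if a[:negotiated][k] != b[:negotiated][k]
  end
end
```

Running `summarize_handshake` over one log per server and passing pairs of results to `negotiated_diff` shows what the failing connections negotiate differently from the working ones.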

Thornolf commented 2 years ago

Hey! We have the same problem on our side with our application. How could we help you to fix this?

quantson commented 2 years ago

@Thornolf, see the thread on the net-ssh issue (https://github.com/net-ssh/net-ssh/issues/847), you can fix the issue by forcing openssl < 3.0 in your gemfile

Thornolf commented 2 years ago

Thank you so much!

fwininger commented 2 years ago

I have the same issue on a CentOS 6, and if I bypass host key verification with verify_host_key: :never, I have:

///git/net-ssh/lib/net/ssh/transport/packet_stream.rb:239:in `poll_next_packet': padding error, need 3504390562 block 16 (Net::SSH::Exception)
    from ///git/net-ssh/lib/net/ssh/transport/packet_stream.rb:103:in `block in next_packet'
    from ///git/net-ssh/lib/net/ssh/transport/packet_stream.rb:102:in `loop'
    from ///git/net-ssh/lib/net/ssh/transport/packet_stream.rb:102:in `next_packet'
    from ///git/net-ssh/lib/net/ssh/transport/session.rb:193:in `block in poll_message'
    from ///git/net-ssh/lib/net/ssh/transport/session.rb:190:in `loop'
    from ///git/net-ssh/lib/net/ssh/transport/session.rb:190:in `poll_message'
    from ///git/net-ssh/lib/net/ssh/transport/session.rb:175:in `next_message'
    from ///git/net-ssh/lib/net/ssh/authentication/session.rb:102:in `block in next_message'
    from ///git/net-ssh/lib/net/ssh/authentication/session.rb:101:in `loop'
    from ///git/net-ssh/lib/net/ssh/authentication/session.rb:101:in `next_message'
    from ///git/net-ssh/lib/net/ssh/authentication/session.rb:130:in `expect_message'
    from ///git/net-ssh/lib/net/ssh/authentication/session.rb:61:in `authenticate'
    from ///git/net-ssh/lib/net/ssh.rb:254:in `start'

fwininger commented 2 years ago

PR https://github.com/net-ssh/net-ssh/pull/857 solves this issue.

fwininger commented 2 years ago

https://github.com/net-ssh/net-ssh/pull/864 solves this issue

quantson commented 2 years ago

Thank you @fwininger, closing this :)