unsupported key type `rsa-sha2-512' (NotImplementedError)

[Atroskelis]

Expected behavior

It should connect

Actual behavior

Gives an error

System configuration

• 7.1.0 - 7.2.3
• ruby ruby 3.0.4p208

Example App

  @ssh = Net::SSH.start(@node.ip, @node.auth[:username], make_ssh_opts)

where make_ssh_opts

    def make_ssh_opts
      secure = Oxidized.config.input.ssh.secure?
      ssh_opts = {
        number_of_password_prompts:      0,
        keepalive:                       vars(:ssh_no_keepalive) ? false : true,
        verify_host_key:                 secure ? :always : :never,
        append_all_supported_algorithms: true,
        password:                        @node.auth[:password],
        timeout:                         Oxidized.config.timeout,
        port:                            (vars(:ssh_port) || 22).to_i,
        forward_agent:                   false
      }

You can use this as stating point:

gem 'net-ssh', '= 4.0.0.beta3'
require 'net/ssh'
puts Net::SSH::Version::CURRENT

@host = 'localhost'
@user = ENV['USER']
Net::SSH.start(@host, @user) do |ssh|
  puts ssh.exec!('echo "hello"')
end

results in

7.1.0
/usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/buffer.rb:342:in `read_keyblob': unsupported key type `rsa-sha2-512' (NotImplementedError)
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/buffer.rb:248:in `read_key'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb:103:in `send_kexinit'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/kex/abstract.rb:48:in `exchange_keys'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/algorithms.rb:448:in `exchange_keys'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/algorithms.rb:248:in `proceed!'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/algorithms.rb:187:in `accept_kexinit'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:210:in `block in poll_message'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:190:in `loop'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:190:in `poll_message'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:227:in `block in wait'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:224:in `loop'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:224:in `wait'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh/transport/session.rb:89:in `initialize'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh.rb:255:in `new'
        from /usr/local/share/gems/gems/net-ssh-7.1.0/lib/net/ssh.rb:255:in `start'
        from test.rb:7:in `<main>'

debug2: host key algorithms: rsa-sha2-512,ssh-ed25519

[ytti]

I believe this is because net-ssh does not yet support RFC8332, so behaviour is expected. I'm sure upstream would accept PR adding the support.

The secondary concern is, that the code will raise upon seeing any unsupported host key, instead of waiting to receive at least one supported. I'm sure upstream would also accept PR for this secondary concern.

EDIT: Looking further, I'm not able to reproduce this with OpenSSH server and net-ssh, it is possible that in this particular case, the far end incorrectly uses wrong string, when just ssh-rsa should be used. I think RFC8332 is supported, but I'm not entirely confident.

[Atroskelis]

Fixed by appending /^rsa-sha2-(256|512)$/ to when /^ssh-rsa$/

Not sure if this is tehnically ethical for a PR.

[ytti]

Fixed by appending /^rsa-sha2-(256|512)$/ to when /^ssh-rsa$/

Not sure if this is tehnically ethical for a PR.

I believe the fix would be non-sensical, as it would just allow incorrectly behaving far-end to work. If any fix should be submitted to net-ssh, the fix would be that it fails only if it can't find over 0 working hostkey, instead of failing on any it cannot parse.