From 499649333e27391f849154712a2f7ad0b8dcc8c7 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 25 Feb 2022 10:36:59 +0800 Subject: [PATCH] fix: accept RSA SHA1 signatures in the ssh client for CI OpenSSH has deprecated SHA1, and in 8.8 it was removed from the default accepted signature algorithm list. OpenSSH server implements signature algorithm negotiation. Go's SSH server implementation does not. Since we use RSA keys in CI, the ssh client uses those keys and because it can't negotiate an alternative falls back to the default disallowed SHA1 algorithm, which causes the connection to fail. So for now to work around this problem we explicitly allow SHA1 in the client. Once signature negotiation is implemented in Go we can drop this patch. See https://github.com/golang/crypto/pull/197.
---
 tests/tasks/ssh/ssh-portal-command.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tasks/ssh/ssh-portal-command.yaml b/tests/tasks/ssh/ssh-portal-command.yaml
index ee9899149a..72af209b1e 100644
--- a/tests/tasks/ssh/ssh-portal-command.yaml
+++ b/tests/tasks/ssh/ssh-portal-command.yaml
@@ -1,5 +1,5 @@
 - name: "{{ testname }} - running {{ command }} on {{ username }}@{{ ssh_portal_host }} on port {{ ssh_portal_port }}, searching for '{{ expected_content }}'"
- shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} {{ command }}
+ shell: ssh {{ username }}@{{ ssh_portal_host }} -p {{ ssh_portal_port }} -o 'PubkeyAcceptedKeyTypes +ssh-rsa' {{ command }}
 register: result
 until: result.stdout is search(expected_content)
 retries: 30
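Review bot: The added `-o 'PubkeyAcceptedKeyTypes +ssh-rsa'` on the `shell:` line re-enables SHA-1 RSA signatures for this client, but the task file itself carries nothing marking it as temporary; the reason and the removal condition live only in the commit message. A comment above the task would keep the exception traceable, for example `# TEMP: accept ssh-rsa (SHA-1) until the Go SSH server negotiates signature algorithms (golang/crypto PR 197); remove afterwards`. Keeping the option on this one test command, as done here, is preferable to a shared ssh_config entry, since it limits the weakened algorithm list to the CI portal check. OpenSSH 8.5 renamed the keyword to `PubkeyAcceptedAlgorithms` and retains the old name as an alias, so a later cleanup could switch spelling once older clients no longer matter. The task may continue past `retries: 30`, which is the last line of the hunk.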