TECHZEN Zenoss User Community ARCHIVE  


Subject: Zenoss 2.4.5 SSH collector not working with keys using different algorithm than SHA1
Author: [Not Specified]
Posted: 2017-03-14 13:35

Hi all

I have a Zenoss Core 2.4.5 community edition that has happily served me until now. Recently I updated a few machines to Ubuntu 16.04, which no longer accepts SHA1 keys when handshaking SSH connections. No matter what I change in the collectors, the remote machine returns:

no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth] : 1 time(s)

I am now updating Zenoss using zenup with the latest patches. Is there a way to change the key used for the handshake?

Cheers,

Florido
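
Added example (not part of the original thread and not Zenoss code): a small Python audit that scans sshd log lines for the negotiation failure quoted above and reports which clients offer only SHA-1 based key exchange methods. The sample lines, hostnames and addresses are constructed, the function names are hypothetical, and the full `Unable to negotiate with ...` line layout is assumed from OpenSSH 7.x logs; only the third sample line is the message from the post.

```python
import re

# The "Unable to negotiate with <peer>" prefix is optional because log
# summaries (like the line quoted in the post) drop it.
KEX_FAILURE = re.compile(
    r"(?:Unable to negotiate with (?P<peer>\S+)(?: port \d+)?: )?"
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)"
)

_PRE = "sshd[2211]: fatal: Unable to negotiate with "
_MSG = ": no matching key exchange method found. Their offer: "
_SHA1 = "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
# Constructed sample input (documentation address ranges).
SAMPLE_LINES = [
    _PRE + "192.0.2.10 port 51234" + _MSG + _SHA1 + " [preauth]",
    _PRE + "192.0.2.10 port 51301" + _MSG + _SHA1 + " [preauth]",
    "no matching key exchange method found. Their offer: " + _SHA1
    + " [preauth] : 1 time(s)",
    _PRE + "198.51.100.7 port 40022" + _MSG
    + "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 [preauth]",
    "sshd[2300]: Accepted publickey for ops from 192.0.2.20 port 50000 ssh2",
]

def parse_offer(line):
    """Return (peer, [kex names]) for a KEX negotiation failure, else None."""
    m = KEX_FAILURE.search(line)
    if m is None:
        return None
    return m.group("peer") or "unknown", m.group("offer").split(",")

def audit(lines):
    """Group failures by peer and flag peers whose whole offer is SHA-1 based."""
    report = {}
    for line in lines:
        parsed = parse_offer(line)
        if parsed is None:
            continue
        peer, offer = parsed
        entry = report.setdefault(peer, {"failures": 0, "offers": set()})
        entry["failures"] += 1
        entry["offers"].update(offer)
    for entry in report.values():
        entry["sha1_only"] = all(k.endswith("-sha1") for k in entry["offers"])
    return report

def legacy_clients(report):
    """Peers that need a client-side upgrade rather than a server change."""
    return sorted(p for p, e in report.items() if e["sha1_only"])

if __name__ == "__main__":
    print(legacy_clients(audit(SAMPLE_LINES)))
```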



Subject: It's rather related with this
Author: [Not Specified]
Posted: 2017-03-15 07:28

It's rather related to this issue:

ZEN-22748 Zenoss Core 5.1.1 SSH incompatible with OpenSSH 7.x

Kind regards,

Robert E.

zenoss@webhostingspace.net

Zenoss Core/Service Dynamics 5.2.2 High Availability - the missing guide is here



Subject: Any chance fix ZEN-22748 will
Author: [Not Specified]
Posted: 2017-03-15 07:40

Any chance the fix for ZEN-22748 will be backported?

After this I am also a bit worried about the overall security approach. The flaws in SHA1 have been known for a very long time. I guess I'll have to look into the code...



Subject: A quick look into the code didn't help
Author: [Not Specified]
Posted: 2017-03-16 05:44

The code seems fairly complicated. I think the problem is in

 

$ cat /opt/zenoss/lib/python/twisted/python/hashlib.py
# -*- test-case-name: twisted.python.test.test_hashlib -*-
# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.

"""
L{twisted.python.hashlib} presents a subset of the interface provided by
U{hashlib}.  The subset is the
interface required by various parts of Twisted.  This allows application code
to transparently use APIs which existed before C{hashlib} was introduced or to
use C{hashlib} if it is available.
"""


try:
    _hashlib = __import__("hashlib")
except ImportError:
    from md5 import md5
    from sha import sha as sha1
else:
    md5  = _hashlib.md5
    sha1 = _hashlib.sha1


__all__ = ["md5", "sha1"]

Only these two are imported from hashlib, but it supports more schemes. However, I could not find where the connection is established in order to fix it. Any hints where to look?

Thanks in advance

Florido



Subject: I'll try snmp then
Author: [Not Specified]
Posted: 2017-03-21 04:48

Since this is taking too long to get a response and the Zenoss people don't seem to be concerned about security, I'll try out SNMP for Linux. The last experience was painful and useless. I hope the patch for Zenoss 5.x will be backported... Or at least somebody can clarify where to hack the code.


