Describe the bug
The provider fails to connect to remote instances running recent Ubuntu and other default cloud images. On terraform apply the provider makes attempts to connect but eventually fails with a handshake error.
```text
data.sftp_remote_file.remote_file: Still reading... [10s elapsed]
data.sftp_remote_file.remote_file: Still reading... [20s elapsed]
Planning failed. Terraform encountered an error while generating this plan.
│ Error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
│
│   with data.sftp_remote_file.remote_file,
│   on main.tf line 57, in data "sftp_remote_file" "remote_file":
│   57: data "sftp_remote_file" "remote_file" {
│
```
This seems to be happening because the provider is using the Go crypto support package from a few years back. I initially thought this was because of an incompatible cipher, but I'm no longer sure this is the case. In a branch I'm working on, with an update to the crypto package, this error does not happen.
```text
2024-03-18T18:30:42.021197+00:00 recent-ciphers-droplet sshd[2400]: Connection from 146.190.xx.xx port 58088 on 165.227.77.167 port 22 rdomain ""
2024-03-18T18:30:42.021448+00:00 recent-ciphers-droplet sshd[2400]: debug1: Local version string SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3
2024-03-18T18:30:42.021719+00:00 recent-ciphers-droplet sshd[2400]: debug1: Remote protocol version 2.0, remote software version Go
2024-03-18T18:30:42.021888+00:00 recent-ciphers-droplet sshd[2400]: debug1: compat_banner: no match: Go
2024-03-18T18:30:42.023597+00:00 recent-ciphers-droplet sshd[2400]: debug1: permanently_set_uid: 106/65534 [preauth]
2024-03-18T18:30:42.024113+00:00 recent-ciphers-droplet sshd[2400]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2024-03-18T18:30:42.024341+00:00 recent-ciphers-droplet sshd[2400]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2024-03-18T18:30:42.096210+00:00 recent-ciphers-droplet sshd[2400]: debug1: SSH2_MSG_KEXINIT received [preauth]
2024-03-18T18:30:42.096620+00:00 recent-ciphers-droplet sshd[2400]: debug1: kex: algorithm: [email protected] [preauth]
2024-03-18T18:30:42.096813+00:00 recent-ciphers-droplet sshd[2400]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
2024-03-18T18:30:42.097004+00:00 recent-ciphers-droplet sshd[2400]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
2024-03-18T18:30:42.097195+00:00 recent-ciphers-droplet sshd[2400]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
2024-03-18T18:30:42.097405+00:00 recent-ciphers-droplet sshd[2400]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2024-03-18T18:30:42.170761+00:00 recent-ciphers-droplet sshd[2400]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
2024-03-18T18:30:42.176975+00:00 recent-ciphers-droplet sshd[2400]: debug1: rekey out after 4294967296 blocks [preauth]
2024-03-18T18:30:42.177302+00:00 recent-ciphers-droplet sshd[2400]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
2024-03-18T18:30:42.177492+00:00 recent-ciphers-droplet sshd[2400]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2024-03-18T18:30:42.262378+00:00 recent-ciphers-droplet sshd[2400]: debug1: SSH2_MSG_NEWKEYS received [preauth]
2024-03-18T18:30:42.262823+00:00 recent-ciphers-droplet sshd[2400]: debug1: rekey in after 4294967296 blocks [preauth]
2024-03-18T18:30:42.263015+00:00 recent-ciphers-droplet sshd[2400]: debug1: KEX done [preauth]
2024-03-18T18:30:42.338033+00:00 recent-ciphers-droplet sshd[2400]: debug1: userauth-request for user root service ssh-connection method none [preauth]
2024-03-18T18:30:42.338513+00:00 recent-ciphers-droplet sshd[2400]: debug1: attempt 0 failures 0 [preauth]
2024-03-18T18:30:42.339847+00:00 recent-ciphers-droplet sshd[2400]: debug1: PAM: initializing for "root"
2024-03-18T18:30:42.342681+00:00 recent-ciphers-droplet sshd[2400]: debug1: PAM: setting PAM_RHOST to "146.190.xx.xx"
2024-03-18T18:30:42.342947+00:00 recent-ciphers-droplet sshd[2400]: debug1: PAM: setting PAM_TTY to "ssh"
2024-03-18T18:30:42.421854+00:00 recent-ciphers-droplet sshd[2400]: Connection closed by authenticating user root 146.190.xx.xx port 58088 [preauth]
2024-03-18T18:30:42.422277+00:00 recent-ciphers-droplet sshd[2400]: debug1: do_cleanup [preauth]
2024-03-18T18:30:42.422517+00:00 recent-ciphers-droplet sshd[2400]: debug1: monitor_read_log: child log fd closed
2024-03-18T18:30:42.422785+00:00 recent-ciphers-droplet sshd[2400]: debug1: do_cleanup
2024-03-18T18:30:42.423028+00:00 recent-ciphers-droplet sshd[2400]: debug1: PAM: cleanup
2024-03-18T18:30:42.423877+00:00 recent-ciphers-droplet sshd[2400]: debug1: Killing privsep child 2401
2024-03-18T18:30:42.424079+00:00 recent-ciphers-droplet sshd[2400]: debug1: audit_event: unhandled event 12
```
This is happening at least on DigitalOcean and AWS with many of the default images - I have tested on Ubuntu on those clouds.
To Reproduce
With a valid DigitalOcean token specified as a variable, try applying the following terraform:
```hcl
terraform {
  required_providers {
    sftp = {
      source  = "danitso/sftp"
      version = "0.2.0"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "3.1.0"
    }
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "2.5.0"
    }
  }
}

variable "do_token" {
  description = "DigitalOcean API token"
  sensitive   = true
}

provider "digitalocean" {
  token = var.do_token
}

resource "tls_private_key" "droplet_access" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "digitalocean_ssh_key" "recent_ciphers_ssh_key" {
  name       = "recent-ciphers-ssh-key"
  public_key = tls_private_key.droplet_access.public_key_openssh
}

locals {
  # by default SSHD does not log the needed information, for privacy and security of users
  user_data = <<-EOF
    #!/bin/bash
    echo "LogLevel DEBUG" > /etc/ssh/sshd_config.d/loglevel.conf
    service ssh restart
  EOF
}

resource "digitalocean_droplet" "recent_ciphers_droplet" {
  name   = "recent-ciphers-droplet"
  region = "nyc3"
  size   = "s-1vcpu-1gb"
  image  = "ubuntu-23-10-x64"
  ssh_keys = [
    digitalocean_ssh_key.recent_ciphers_ssh_key.fingerprint,
  ]
  user_data = local.user_data
}

data "sftp_remote_file" "remote_file" {
  host     = digitalocean_droplet.recent_ciphers_droplet.ipv4_address
  user     = "root"
  password = tls_private_key.droplet_access.private_key_pem
  path     = "/root/.bashrc"
  timeout  = "30s" # without this line you may take many minutes to see the failure
}

output "remote_file_content" {
  value = data.sftp_remote_file.remote_file.contents
}
```
Expected behavior
The provider should be able to read the remote file and Terraform should then be able to output the contents of the root .bashrc file.
spirulence changed the title from "[BUG] go crypto provider cipher suite out of date" to "[BUG] go crypto package out of date" on Mar 18, 2024
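Two checks worth running on a transcript like the one in this report, written here as an added Go example; this is neither the provider's code nor the reporter's. The first reads an sshd `LogLevel DEBUG` transcript and says which phase the connection died in: a session that logs `KEX done` negotiated its kex, cipher and host-key algorithms successfully, so whatever ended it happened at userauth, and the `userauth-request` lines show exactly which methods the client sent before hanging up. The second is a simplified model (an assumption of this example, not the library's own code) of how the client in golang.org/x/crypto/ssh builds the `attempted methods [...]` list in the error text: it sends `none` first, then only those configured methods that the server's USERAUTH_FAILURE response advertises as allowed, so a method the server does not advertise is never sent and never appears in the list. The embedded log lines are constructed in the shape of the transcript above, with stand-in algorithm names and a documentation IP address, not the report's values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Negotiation is what an sshd debug transcript tells us about one connection:
// how far the handshake got and which userauth methods the client actually sent.
type Negotiation struct {
	ClientSoftware string   // "remote software version ..." banner
	KexAlgo        string   // negotiated key exchange
	HostKeyAlgo    string   // negotiated host key algorithm
	CipherC2S      string   // client->server cipher
	CipherS2C      string   // server->client cipher
	KexDone        bool     // "KEX done" was logged: algorithm lists were compatible
	AuthMethods    []string // userauth methods the client sent, in order
	ClosedPreauth  bool     // client hung up before authenticating
}

var (
	reSoftware = regexp.MustCompile(`remote software version (\S+)`)
	reKex      = regexp.MustCompile(`kex: algorithm: (\S+)`)
	reHostKey  = regexp.MustCompile(`kex: host key algorithm: (\S+)`)
	reC2S      = regexp.MustCompile(`client->server cipher: (\S+)`)
	reS2C      = regexp.MustCompile(`server->client cipher: (\S+)`)
	reAuth     = regexp.MustCompile(`userauth-request for user \S+ service \S+ method (\S+)`)
)

// ParseSSHDLog walks the debug lines and fills a Negotiation.
func ParseSSHDLog(log string) Negotiation {
	var n Negotiation
	for _, line := range strings.Split(log, "\n") {
		if strings.Contains(line, "KEX done") {
			n.KexDone = true
		}
		if strings.Contains(line, "Connection closed by authenticating user") {
			n.ClosedPreauth = true
		}
		if m := reSoftware.FindStringSubmatch(line); m != nil {
			n.ClientSoftware = m[1]
		}
		if m := reKex.FindStringSubmatch(line); m != nil {
			n.KexAlgo = m[1]
		}
		if m := reHostKey.FindStringSubmatch(line); m != nil {
			n.HostKeyAlgo = m[1]
		}
		if m := reC2S.FindStringSubmatch(line); m != nil {
			n.CipherC2S = m[1]
		}
		if m := reS2C.FindStringSubmatch(line); m != nil {
			n.CipherS2C = m[1]
		}
		if m := reAuth.FindStringSubmatch(line); m != nil {
			n.AuthMethods = append(n.AuthMethods, m[1])
		}
	}
	return n
}

// FailurePhase says where the connection died. Without "KEX done" the algorithm
// lists did not overlap (look at the kex/cipher lines); with it, a preauth close
// is an authentication problem, not a cipher problem.
func FailurePhase(n Negotiation) string {
	switch {
	case !n.KexDone:
		return "kex"
	case n.ClosedPreauth:
		return "userauth"
	default:
		return "authenticated"
	}
}

// AttemptedMethods is a simplified model (assumption of this example) of the
// client rule in golang.org/x/crypto/ssh: "none" is always sent first, then each
// configured method in order, but only if the server's failure response lists it
// as allowed. Every attempt is assumed to be rejected, so the returned text is the
// final error a caller would see.
func AttemptedMethods(clientMethods, serverAllowed []string) ([]string, string) {
	allowed := map[string]bool{}
	for _, m := range serverAllowed {
		allowed[m] = true
	}
	tried := []string{"none"}
	seen := map[string]bool{"none": true}
	for _, m := range clientMethods {
		if allowed[m] && !seen[m] {
			tried = append(tried, m)
			seen[m] = true
		}
	}
	return tried, fmt.Sprintf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
}

// sampleLog is a constructed, trimmed transcript in the shape of the sshd debug
// output in the report; algorithm names and the IP address are stand-ins.
const sampleLog = `sshd[2400]: debug1: Remote protocol version 2.0, remote software version Go
sshd[2400]: debug1: kex: algorithm: curve25519-sha256 [preauth]
sshd[2400]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
sshd[2400]: debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none [preauth]
sshd[2400]: debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none [preauth]
sshd[2400]: debug1: KEX done [preauth]
sshd[2400]: debug1: userauth-request for user root service ssh-connection method none [preauth]
sshd[2400]: Connection closed by authenticating user root 198.51.100.7 port 58088 [preauth]`

func main() {
	n := ParseSSHDLog(sampleLog)
	fmt.Printf("client=%s kex=%s hostkey=%s cipher=%s/%s kexDone=%v auth=%v phase=%s\n",
		n.ClientSoftware, n.KexAlgo, n.HostKeyAlgo, n.CipherC2S, n.CipherS2C, n.KexDone, n.AuthMethods, FailurePhase(n))
	_, msg := AttemptedMethods([]string{"password"}, []string{"publickey"})
	fmt.Println(msg)
}
```

Run against the real transcript, the interesting comparison is the server's `list_hostkey_types` and kex/cipher lines against what the client's crypto library supports, and the set of methods the client was configured with against what sshd on the image allows (Ubuntu cloud images ship with password authentication disabled); the model above shows that a client method absent from the server's allowed list never makes it into the `attempted methods` list at all.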