Opened 3 years ago

Closed 3 years ago

#18786 closed defect (duplicate)

Gitian: Debian host needs non-dss ssh key

Reported by: dcf
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-gitian
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm trying to build Tor Browser on a Debian stretch host. It prompts for an SSH password at on-target in make-vms.sh here:

    stop-target $bits $dist
    start-target $bits $dist-$arch &
    for i in 1 2 3
    do
      sleep 2
      on-target /bin/true && break
    done

Debugging on-target using a verbose SSH connection, I see that the problem is the format of the key:

debug1: Skipping ssh-dss key ./var/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
debian@localhost's password:

I'm guessing it's because of the disabling of ssh-dss keys: http://www.openssh.com/legacy.html.

I worked around it by changing the key type to ecdsa in make-base-vm:

-  ssh-keygen -t dsa -f var/id_dsa -N ""
+  ssh-keygen -t ecdsa -f var/id_dsa -N ""
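Review bot: the regenerated key is now ECDSA but the file keeps the `var/id_dsa` name, which on-target also hardcodes (`-i ${GITIAN_BASE:-.}/var/id_dsa`); it works, but the name misleads anyone reading the scripts later. If you rename it to something like `var/id_ecdsa`, change the `-i` path in on-target in the same commit, and remember that the guest sshd has to accept the new key type as well, since both ends must agree on it.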

Child Tickets

Change History (8)

comment:1 Changed 3 years ago by gk

Keywords: tbb-gitian added
Status: new → needs_information

What commit is your gitian-builder repo at?

comment:2 in reply to: 1 Changed 3 years ago by dcf

Replying to gk:

What commit is your gitian-builder repo at?

15d166d65d006f564bf3c7dbb8780ed0649352ba. I'm not sure why, because the versions file has GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux, which is 2 commits back.

comment:3 Changed 3 years ago by gk

This is tor-browser-builder-3.x-9 which is used in our alpha builds. But this in turn did not work until recently (#18127) for LXC builds. Your issue might be due to this. So, my first idea would be to test tor-browser-bundle master to see if this works. You need to create new VMs, though.

comment:4 in reply to: 3 Changed 3 years ago by dcf

Replying to gk:

This is tor-browser-builder-3.x-9 which is used in our alpha builds. But this in turn did not work until recently (#18127) for LXC builds. Your issue might be due to this. So, my first idea would be to test tor-browser-bundle master to see if this works. You need to create new VMs, though.

I did make vmclean and tried a new build from master. tor-browser-bundle is at bc9d708e1f0617050fe5572732b7a812f62936c1 and gitian-builder is at tor-browser-builder-3.x-8-gpgsux. It fails because tor-browser-builder-3.x-8-gpgsux doesn't have the Debian stuff. Here I did set -x in make-vms.sh to show what commands are being run:

$ make build TORSOCKS=
...
+ DISTRO=debian
+ ./bin/make-base-vm --distro debian --suite wheezy --arch i386
unrecognized option --distro
+ make-clean-vm --suite wheezy --arch i386
qemu-img: target-wheezy-i386.qcow2: Could not open 'base-wheezy-i386.qcow2': No such file or directory
+ '[' 1 -ne 0 ']'
+ echo 'i386 wheezy VM creation failed'
i386 wheezy VM creation failed
+ exit 1
Makefile:16: recipe for target 'build' failed
make: *** [build] Error 1

I'll try make alpha from master.

comment:5 Changed 3 years ago by gk

That should work on a box using KVM. For LXC you'd probably need make nightly.

comment:6 Changed 3 years ago by dcf

make alpha doesn't work. I think I'm using KVM.

+ make-clean-vm --suite wheezy --arch i386
Formatting 'target-wheezy-i386.qcow2', fmt=qcow2 size=17179869184 backing_file=base-wheezy-i386.qcow2 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
+ '[' 0 -ne 0 ']'
+ stop-target 32 wheezy
+ for i in 1 2 3
+ sleep 2
+ start-target 32 wheezy-i386
+ on-target /bin/true
debian@localhost's password: 

Besides changing the key type to ecdsa, you can also do this in on-target:

-    ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -i ${GITIAN_BASE:-.}/var/id_dsa -p $VM_SSH_PORT $TUSER@localhost $*
+    ssh -oConnectTimeout=30 -oNoHostAuthenticationForLocalhost=yes -oPubkeyAcceptedKeyTypes=+ssh-dss -i ${GITIAN_BASE:-.}/var/id_dsa -p $VM_SSH_PORT $TUSER@localhost $*
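Review bot: `-oPubkeyAcceptedKeyTypes=+ssh-dss` re-enables an algorithm the client disabled on purpose (see the legacy page linked in the description) instead of moving the build off it, so it should be treated as a stopgap rather than the fix; the `ssh-keygen -t ecdsa` change in make-base-vm is preferable because it removes the dependency on DSA rather than whitelisting it on every on-target call.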

I'm pretty sure this has to do with the ssh on the host; i.e., it's the ssh on my laptop that is refusing to use ssh-dss by default.
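As an added example (not code from this ticket or from gitian-builder), a small Python parser that reads an OpenSSH public-key line such as `var/id_dsa.pub`, reports the algorithm and key size, and flags ssh-dss as a type a current client skips by default; the embedded key lines are constructed test data, not real keys.

```python
import base64
import struct

# OpenSSH 7.0+ drops ssh-dss from the default PubkeyAcceptedKeyTypes
# (openssh.com/legacy.html), producing the "Skipping ssh-dss key" line above.
LEGACY_KEY_TYPES = {"ssh-dss"}

def _read_string(blob, off):
    """Read one SSH wire 'string': uint32 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_pubkey(line):
    """Parse an OpenSSH public-key line; report algorithm, size and legacy status."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    algo, off = _read_string(blob, 0)
    algo = algo.decode("ascii")
    if algo != fields[0]:
        raise ValueError("type prefix %s does not match blob %s" % (fields[0], algo))
    if algo == "ssh-dss":                 # mpint p, q, g, y; size = bits of p
        p, _ = _read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    elif algo.startswith("ecdsa-sha2-"):  # curve name string, then the point
        curve, _ = _read_string(blob, off)
        bits = int(curve.decode("ascii")[len("nistp"):])
    elif algo == "ssh-ed25519":
        bits = 256
    else:
        bits = None
    return {"algo": algo, "bits": bits, "legacy": algo in LEGACY_KEY_TYPES}

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    # Minimal big-endian bytes, with a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed samples (not real keys): the wire format of what make-base-vm
# generates with -t dsa and with -t ecdsa, used only to exercise the parser.
SAMPLE_DSS_LINE = "ssh-dss " + base64.b64encode(
    _ssh_string(b"ssh-dss") + _mpint(2**1023 + 1) + _mpint(2**159 + 1)
    + _mpint(2) + _mpint(3)).decode("ascii") + " gitian@host"
SAMPLE_ECDSA_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(
    _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
    + _ssh_string(b"\x04" + b"\x01" * 64)).decode("ascii") + " gitian@host"
```

Running `inspect_pubkey` over the `.pub` files under `var/` tells you before the build starts whether the host's ssh will skip the gitian key.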

comment:7 Changed 3 years ago by gk

I just realized make nightly is what you need as we haven't bumped the versions for the alpha series yet, sorry. We should have the relevant changes in gitian-builder used for the nightlies. See the commits mentioned in #18181. To be more specific you want commit 262ad8f15fc870023b4cfc7399f6908f11056342 on tor-browser-builder-4.

comment:8 Changed 3 years ago by dcf

Resolution: duplicate
Status: needs_information → closed

My mistake. You are right. This is already done by #18181 and #18127.
