[NETCONF-408] unable to mount Cisco NSO from Boron/Carbon Created: 25/Apr/17  Updated: 15/Mar/19

Status: Confirmed
Project: netconf
Component/s: netconf
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Giles Heron Assignee: Giles Heron
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: Zip Archive karaf.zip    
External issue ID: 8297

Description

I can mount Cisco NSO 4.3.2 OK from Beryllium-SR4 using NETCONF/YANG

but with Boron or Carbon I get this error:

2017-04-25 14:10:38,843 | DEBUG | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | SSH session connecting on channel [id: 0x334cae26]. promise: null
2017-04-25 14:10:38,844 | DEBUG | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | Starting SSH to /192.168.52.133:2022 on channel: [id: 0x334cae26]
2017-04-25 14:10:38,845 | INFO | 7]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Client session created
2017-04-25 14:10:38,845 | INFO | 7]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Server version string: SSH-2.0-NCS-4.3.2
2017-04-25 14:10:38,850 | WARN | 7]-nio2-thread-4 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Exception caught
java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:128)[sunjce_provider.jar:1.8.0_112]
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:674)[:1.8.0_121]
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:411)[:1.8.0_121]
at org.apache.sshd.common.kex.DH.getE(DH.java:65)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.client.kex.DHGEX.next(DHGEX.java:118)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:425)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.client.session.ClientSessionImpl.handleMessage(ClientSessionImpl.java:306)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_121]
at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[30:org.apache.sshd.core:0.14.0]
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.8.0_121]
at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.8.0_121]
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_121]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_121]
2017-04-25 14:10:38,871 | TRACE | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | SSH session created on channel: [id: 0x334cae26]

Using the command-line ssh client to connect to NSO (with "-v" enabled) I see:

OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [::1] port 2022.
debug1: connect to address ::1 port 2022: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 2022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/giheron/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version NCS-4.3.2
debug1: no match: NCS-4.3.2
debug1: Authenticating to localhost:2022 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU
debug1: Host '[localhost]:2022' is known and matches the RSA host key.
debug1: Found key in /home/giheron/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/giheron/.ssh/id_rsa
debug1: Trying private key: /home/giheron/.ssh/id_dsa
debug1: Trying private key: /home/giheron/.ssh/id_ecdsa
debug1: Trying private key: /home/giheron/.ssh/id_ed25519
debug1: Next authentication method: password

To check that key I can do:

giheron@ubuntu:~/.ssh$ ssh-keygen -l -f known_hosts
2048 SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU |1|J7r4YkXfp17Gb6mYhJPxNOT6qA0=|+MdnkIibfcJU5MW0yz0IV8v8A3k= (RSA)

So it looks like 2048 bits to me.

That seems to match the key NSO thinks it's sending:

giheron@ubuntu:/etc/ncs/ssh$ ssh-keygen -l -f ssh_host_rsa_key.pub
2048 SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU root@ubuntu (RSA)

Any ideas?



Comments
Comment by Giles Heron [ 25/Apr/17 ]

Attachment karaf.zip has been added with description: zipped logs

Comment by Tomas Cere [ 27/Apr/17 ]

Are you loading the netconf features as initial-features? This seems awfully similar to a karaf issue we are already aware of:

https://wiki.fd.io/view/Honeycomb/Releases/1609/Honeycomb_and_ODL

But there's not much we can do about it at the netconf level; it's a mina/karaf race.

Comment by Giles Heron [ 27/Apr/17 ]

Yes - I'm loading netconf as an initial feature. Would it work if I loaded it later instead? Or could I change the ssh jar as per the doc you linked?

Comment by Tomas Cere [ 27/Apr/17 ]

Either should work.

Comment by Giles Heron [ 27/Apr/17 ]

Cool - tried loading odl-netconf-all and odl-netconf-topology after startup and it works now.

thanks!

Comment by Vratko Polak [ 27/Apr/17 ]

> https://wiki.fd.io/view/Honeycomb/Releases/1609/Honeycomb_and_ODL

>> and replace it with:
>> org.bouncycast.openssl;version="[1.51,2)"

I think we can do such editing when building distributions.
Should we do that?

Comment by Giles Heron [ 27/Apr/17 ]

Probably worth doing that, Vratko? Certainly it's one more "gotcha" for people to be aware of if we don't fix it... And I'm guessing it might hit platforms other than NSO.

Comment by Vratko Polak [ 28/Apr/17 ]

>>> org.bouncycast.openssl;version="[1.51,2)"

>> editing when building distributions

> worth doing that

I do not have cycles for that this close to release.

But Odlparent is the place which can do such manipulations here [1].
Anyone can contribute a block for bouncycastle (there and to karaf4-parent), and being related to security it might get merged quickly.

[1] https://github.com/opendaylight/odlparent/blob/master/karaf/karaf-parent/pom.xml#L382-L387

Comment by Robert Varga [ 28/Apr/17 ]

What is your JRE version?

https://bugs.openjdk.java.net/browse/JDK-8072452

Comment by Robert Varga [ 28/Apr/17 ]

Ah, right, that's for JRE 9.

Comment by Robert Varga [ 28/Apr/17 ]

https://bugs.openjdk.java.net/browse/JDK-8168015 tracks the backport.
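
The 2048 bits measured with ssh-keygen in the description is the size of the server's RSA host key. The 4096 in the exception is something else: the bit length of the prime p the server sent in SSH2_MSG_KEX_DH_GEX_GROUP after diffie-hellman-group-exchange-sha256 was negotiated, and the two are unrelated. The stack trace shows Apache SSHD passing that (p, g) to the JDK's own SunJCE provider (com.sun.crypto.provider.DHKeyPairGenerator), which on the JRE in the log refuses groups larger than 2048 bits; OpenSSH asks for up to 8192 bits (the "2048<8192<8192" request in the -v output), which is why the command-line client succeeds. The following is an added example written for this page, not code from OpenDaylight, Apache SSHD or the Jira thread: it feeds a 2048-bit and a 4096-bit group to SunJCE and, if bcprov is on the classpath, to BouncyCastle, so you can see on a given JRE which provider accepts a server's group. The class name is hypothetical, the groups are random probable primes standing in for a real server's safe-prime group (only p's bit length matters to the check being exercised), and BouncyCastle is looked up by reflection so the file compiles without it.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.spec.DHParameterSpec;

/**
 * Reproduces the check that failed in the stack trace above: a DH KeyPairGenerator
 * initialised with a group-exchange (p, g), once with the JDK's SunJCE provider and
 * once with BouncyCastle when it is available. Hypothetical class; not part of
 * OpenDaylight or Apache SSHD.
 */
public class DhGexProviderCheck {

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Stand-in for the group a server sends in SSH2_MSG_KEX_DH_GEX_GROUP. This is a
     * random probable prime (takes a few seconds at 4096 bits), not a safe prime from
     * a real server; only p.bitLength() matters for the size check exercised here.
     */
    static DHParameterSpec fakeGexGroup(int bits) {
        BigInteger p = BigInteger.probablePrime(bits, RNG);
        return new DHParameterSpec(p, BigInteger.valueOf(2));
    }

    /**
     * The same two calls SSHD makes to compute its DH exponent. Returns null when the
     * provider accepted the group, otherwise the provider's rejection message.
     */
    static String tryGroup(String providerName, DHParameterSpec spec) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", providerName);
        try {
            kpg.initialize(spec);   // SunJCE on the JRE in the log rejects p > 2048 bits here
            kpg.generateKeyPair();  // e = g^x mod p; cheap even for a 4096-bit p
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage();
        }
    }

    /**
     * Registers BouncyCastle by reflection and returns its provider name, or null
     * when bcprov is not on the classpath. Security.addProvider appends, so a
     * provider-less lookup still resolves to SunJCE afterwards.
     */
    static String registerBouncyCastle() {
        try {
            Provider bc = (Provider) Class
                    .forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            if (Security.getProvider(bc.getName()) == null) {
                Security.addProvider(bc);
            }
            return bc.getName();
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    private static String describe(String rejection) {
        return rejection == null ? "accepted" : "rejected (" + rejection + ")";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JRE " + System.getProperty("java.version"));
        String bc = registerBouncyCastle();
        // Which provider a plain getInstance("DH") resolves to is what decides the
        // outcome for a client that does not name a provider: first registered wins.
        System.out.println("default DH provider: "
                + KeyPairGenerator.getInstance("DH").getProvider().getName());

        for (int bits : new int[] {2048, 4096}) {
            DHParameterSpec group = fakeGexGroup(bits);
            System.out.printf("%d-bit group, SunJCE: %s%n", bits,
                    describe(tryGroup("SunJCE", group)));
            if (bc != null) {
                System.out.printf("%d-bit group, %s: %s%n", bits, bc,
                        describe(tryGroup(bc, group)));
            }
        }
    }
}
```

Compile and run it with plain javac/java, adding bcprov to the classpath to get the BouncyCastle lines. On a JRE without the JDK-8072452 change the SunJCE line for the 4096-bit group prints the same message as the Karaf log, while BouncyCastle accepts it. Security.addProvider appends the provider, so SunJCE stays the default for a provider-less lookup; Security.insertProviderAt(bc, 1) would make BouncyCastle win instead. Which of the two SSHD ends up with inside Karaf depends on whether the BouncyCastle classes are visible to the sshd bundle at the moment it initialises, which is the race the comments above describe; loading the netconf features after boot sidesteps it, and a JRE carrying the JDK-8072452 fix lifts the SunJCE limit itself.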

Comment by Tomas Cere [ 06/Jul/17 ]

Reopening; bouncycastle in startup features does not help. Guess we will have to do the repackage in odlparent.

Comment by Robert Varga [ 28/Aug/18 ]

giheron@cisco.com, is this still happening?

Generated at Wed Feb 07 20:14:57 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.