Zenoss 2.4.5 SSH collector not working with keys using different algorithm than SHA1

Floridop

Hi all

I have a Zenoss Core 2.4.5 community edition that has happily served me until now. Recently I updated a few machines to Ubuntu 16.04, which no longer accepts SHA1 keys when handshaking SSH connections. No matter what I change in the collectors, the remote machine returns:

no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth] : 1 time(s)

I am now updating Zenoss using zenup with the latest patches. Is there a way to change the key used for the handshake?

Cheers,

Florido
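Added example, not part of the original post or of Zenoss: a small parser for the sshd message quoted above that groups failed negotiations by client and shows why none of the offered key exchange methods is accepted. The server list, the sample log lines and the function names are assumptions made for illustration.

```python
import re

# Assumed server KEX list for illustration; read the real one with
# `sshd -T | grep -i kexalgorithms` on the target host.
SERVER_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# The peer address is optional: the summary line quoted in the post omits it.
OFFER_RE = re.compile(
    r"(?:Unable to negotiate with (?P<peer>\S+) port \d+: )?"
    r"no matching key exchange method found\. Their offer: (?P<offer>[^\s\[]+)"
)

# Constructed sample log (hosts, PIDs and addresses are made up).
SAMPLE_LOG = """\
Mar 14 12:01:07 web1 sshd[2211]: Unable to negotiate with 192.0.2.10 port 51234: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 14 12:05:12 web1 sshd[2301]: Accepted publickey for ops from 192.0.2.5 port 50100 ssh2
Mar 14 12:06:07 web1 sshd[2317]: Unable to negotiate with 192.0.2.10 port 51301: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth] : 1 time(s)
"""

def negotiate(client_offer, server_kex=SERVER_KEX):
    """RFC 4253 rule, simplified: first client algorithm the server also supports."""
    return next((alg for alg in client_offer if alg in server_kex), None)

def failed_kex_clients(log_text):
    """Group failed negotiations by peer: count, offer, SHA-1-only flag, agreed KEX."""
    clients = {}
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if not m:
            continue
        offer = m.group("offer").split(",")
        entry = clients.setdefault(m.group("peer") or "unknown", {
            "count": 0,
            "offer": offer,
            "sha1_only": all(alg.endswith("-sha1") for alg in offer),
            "agreed": negotiate(offer),
        })
        entry["count"] += 1
    return clients

if __name__ == "__main__":
    for peer, info in failed_kex_clients(SAMPLE_LOG).items():
        print(peer, info)
```
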

Roberte

It's rather related to this issue:

ZEN-22748 Zenoss Core 5.1.1 SSH incompatible with OpenSSH 7.x

Kind regards,
Robert E.
zenoss@webhostingspace.net
Zenoss Core/Service Dynamics 5.2.2 High Availability - the missing guide is here

Floridop

Any chance fix ZEN-22748 will be backported?

After this I am also a bit worried about the overall security approach. The flaws in SHA1 were known for a very long time. I guess I'll have to look into the code...

Floridop
A quick look into the code didn't help

The code seems fairly complicated. I think the problem is in

$ cat /opt/zenoss/lib/python/twisted/python/hashlib.py
# -*- test-case-name: twisted.python.test.test_hashlib -*-
# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.

"""
L{twisted.python.hashlib} presents a subset of the interface provided by
U{hashlib<http://docs.python.org/library/hashlib.html>}.  The subset is the
interface required by various parts of Twisted.  This allows application code
to transparently use APIs which existed before C{hashlib} was introduced or to
use C{hashlib} if it is available.
"""


try:
    _hashlib = __import__("hashlib")
except ImportError:
    from md5 import md5
    from sha import sha as sha1
else:
    md5  = _hashlib.md5
    sha1 = _hashlib.sha1


__all__ = ["md5", "sha1"]

Only these two are imported from hashlib, but it supports more schemes. However, I could not find where the connection is established to fix. Any hints where to look?

Thanks in advance

Florido

Floridop
I'll try snmp then

Since this is taking too long to respond and the Zenoss people don't seem to be concerned about security, I'll try out SNMP for Linux. The last experience was painful and useless. I hope the patch for Zenoss 5.x will be backported... Or at least somebody can clarify where to hack the code.
