[Twisted-Python] conch bytes/str traceback when /etc/ssh/moduli is not present
Aloha
should the case of a missing moduli file be handled more gracefully than with a traceback or is this a bug?
I was running into this problem when installing on different OSs with OSX and FreeBSD not having an /etc/ssh/moduli file by default.
Mahalo, Werner
2021-03-04T15:04:51+0100 [builtins.ConchSSHFactory#info] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
2021-03-04T15:04:51+0100 [builtins.ConchSSHFactory] Unhandled Error
    Traceback (most recent call last):
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/python/log.py", line 85, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/python/context.py", line 118, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/python/context.py", line 83, in callWithContext
        return func(*args, **kw)
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/internet/selectreactor.py", line 149, in _doReadOrWrite
        why = getattr(selectable, method)()
    --- <exception caught here> ---
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/internet/tcp.py", line 1403, in doRead
        protocol.makeConnection(transport)
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/internet/protocol.py", line 508, in makeConnection
        self.connectionMade()
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 512, in connectionMade
        self.sendKexInit()
      File "/Users/anon/.pyenv/versions/3.7.10/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 535, in sendKexInit
        NS(b",".join(self.supportedPublicKeys)),
    builtins.TypeError: sequence item 0: expected a bytes-like object, str found
2021-03-04T15:04:51+0100 [twisted.conch.ssh.transport.SSHServerTransport#info] Disconnecting with error, code 3 reason: b"couldn't match all kex parts"
2021-03-04T15:04:51+0100 [twisted.conch.ssh.transport.SSHServerTransport#info] connection lost
Even if we want a traceback, a TypeError on str/bytes seems like the wrong kind to have. Please file a bug (and open a PR, if you can :-)).
-g
On Mar 4, 2021, at 10:24 AM, Werner Thie <werner@thieprojects.ch> wrote:
Aloha
should the case of a missing moduli file be handled more gracefully than with a traceback or is this a bug?
I was running into this problem when installing on different OSs with OSX and FreeBSD not having an /etc/ssh/moduli file by default.
Mahalo, Werner
On 3/4/21 08:51, Glyph wrote:
Even if we want a traceback, a TypeError on str/bytes seems like the wrong kind to have. Please file a bug (and open a PR, if you can :-)).
-g
Investigating I would say that with all the possibilities to configure for the moduli file to be found it is my fault to not have configured it properly for all the platforms I wanted to deploy to. On the other hand the basic assumption that moduli lives on BSDs in the /usr/local/etc/ssh directory seems now to become outdated, so the only change would be changing the default search location for the moduli file which again seems not to be warranted.
Mahalo, Werner
On Mar 4, 2021, at 3:02 PM, Werner Thie <werner@thieprojects.ch> wrote:
On 3/4/21 08:51, Glyph wrote:
Even if we want a traceback, a TypeError on str/bytes seems like the wrong kind to have. Please file a bug (and open a PR, if you can :-)).
-g
Investigating I would say that with all the possibilities to configure for the moduli file to be found it is my fault to not have configured it properly for all the platforms I wanted to deploy to. On the other hand the basic assumption that moduli lives on BSDs in the /usr/local/etc/ssh directory seems now to become outdated, so the only change would be changing the default search location for the moduli file which again seems not to be warranted.
Mahalo, Werner
There are a bunch of tickets you could file here:
- Fixing the search path to comport with modern standards
- Automatically generating a new one in a writable location if none exists
- Better handle the case where it really truly doesn't exist and can't be generated (read-only filesystem or no readily discoverable, secure read/write locations)
and in fact probably all of these are valid :)
-g
On Thu, Mar 04, 2021 at 04:16:59PM -0800, Glyph wrote:
There are a bunch of tickets you could file here:
- Fixing the search path to comport with modern standards
- Automatically generating a new one in a writable location if none exists
- Better handle the case where it really truly doesn't exist and can't be generated (read-only filesystem or no readily discoverable, secure read/write locations)
and in fact probably all of these are valid :)
Probably not the second. Generating a new set of suitable DH moduli takes a while (IIRC hours) - it's not something you'd want to do as part of any kind of interactive process.
--
Colin Watson (he/him) [cjwatson@debian.org]
On Mar 5, 2021, at 3:24 AM, Colin Watson <cjwatson@debian.org> wrote:
On Thu, Mar 04, 2021 at 04:16:59PM -0800, Glyph wrote:
There are a bunch of tickets you could file here:
- Fixing the search path to comport with modern standards
- Automatically generating a new one in a writable location if none exists
- Better handle the case where it really truly doesn't exist and can't be generated (read-only filesystem or no readily discoverable, secure read/write locations)
and in fact probably all of these are valid :)
Probably not the second. Generating a new set of suitable DH moduli takes a while (IIRC hours) - it's not something you'd want to do as part of any kind of interactive process.
For what it's worth, `ssh-keygen -G` on my laptop took 2 and a half minutes, `ssh-keygen -T` took 5. It's slow, maybe even too slow for interactive use, but not quite "hours".
-g
On 3/5/21 13:54, Glyph wrote:
On Mar 5, 2021, at 3:24 AM, Colin Watson <cjwatson@debian.org> wrote:
On Thu, Mar 04, 2021 at 04:16:59PM -0800, Glyph wrote:
There are a bunch of tickets you could file here:
- Fixing the search path to comport with modern standards
- Automatically generating a new one in a writable location if none exists
- Better handle the case where it really truly doesn't exist and can't be generated (read-only filesystem or no readily discoverable, secure read/write locations)
and in fact probably all of these are valid :)
Probably not the second. Generating a new set of suitable DH moduli takes a while (IIRC hours) - it's not something you'd want to do as part of any kind of interactive process.
For what it's worth, `ssh-keygen -G` on my laptop took 2 and a half minutes, `ssh-keygen -T` took 5. It's slow, maybe even too slow for interactive use, but not quite "hours".
Just reporting back that conch is now working for me, it was entirely my fault configuring the server. There is quite a mixture of bytes and strings to configure, now the mix is right and sessions come up ok no problem.
Mahalo, Werner
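The two failure modes discussed in this thread (no moduli file at the expected path, and a str where sendKexInit joins bytes), written as a start-up check. This is an added example, not Twisted's code and not something posted by the participants; the candidate paths, the function names and the sample moduli lines are assumptions made up for illustration.

```python
# Assumed search order for illustration; the thread mentions /etc/ssh/moduli
# and the /usr/local/etc/ssh directory used on BSDs.
CANDIDATE_PATHS = ("/etc/ssh/moduli", "/usr/local/etc/ssh/moduli")

# Constructed sample in moduli(5) layout; the tiny hex values are not real primes.
SAMPLE = """# Time Type Tests Tries Size Generator Modulus
20210304000000 2 6 100 7 2 FB
20210304000000 2 6 100 7 5 C5
truncated line
"""

def parse_moduli(text):
    """Return {bit_length: [(generator, modulus), ...]} from moduli(5) text."""
    primes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0].startswith("#"):
            continue  # comment, blank or malformed line
        generator, modulus = int(fields[5]), int(fields[6], 16)
        primes.setdefault(modulus.bit_length(), []).append((generator, modulus))
    return primes

def load_primes(paths=CANDIDATE_PATHS):
    """Return (path, primes) for the first usable file, or (None, {})."""
    for path in paths:
        try:
            with open(path, encoding="ascii") as fh:
                primes = parse_moduli(fh.read())
        except (OSError, ValueError):
            continue  # missing, unreadable or not a moduli file
        if primes:
            return path, primes
    return None, {}

def kex_name_list(names):
    """Join algorithm names with b"," but reject non-bytes entries up front."""
    bad = [n for n in names if not isinstance(n, bytes)]
    if bad:
        raise ValueError("algorithm names must be bytes: %r" % (bad,))
    return b",".join(names)

if __name__ == "__main__":
    path, primes = load_primes()
    print("moduli file:", path or "none found (fixed-group key exchange only)")
    print(kex_name_list([b"ssh-ed25519", b"ssh-rsa"]))
```

Run at service start, a check like this reports a configuration error by name instead of surfacing it as a TypeError on the first incoming connection.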