
Paramiko 2.9.x breaking SSH operator for some OpenSSH configurations #22194

@talnicolas

Apache Airflow version

2.2.4 (latest released)

What happened

After upgrading from 2.2.3 to 2.2.4 the Paramiko library upgraded from 2.8.1 to 2.9.2. After that change one of our SSH connections started to fail with the following error:

  File "/usr/local/lib/python3.9/site-packages/airflow/models/taskinstance.py", line 1334, in _run_raw_task
    self._execute_task_with_callbacks(context)
  File "/usr/local/lib/python3.9/site-packages/airflow/models/taskinstance.py", line 1460, in _execute_task_with_callbacks
    result = self._execute_task(context, self.task)
  File "/usr/local/lib/python3.9/site-packages/airflow/models/taskinstance.py", line 1516, in _execute_task
    result = execute_callable(context=context)
  File "/usr/local/lib/python3.9/site-packages/airflow/providers/ssh/operators/ssh.py", line 175, in execute
    raise AirflowException(f"SSH operator error: {str(e)}")
airflow.exceptions.AirflowException: SSH operator error: encountered RSA key, expected OPENSSH key

After looking at the Paramiko changelog we saw that since 2.9.0 they have made non-backward compatible changes to the way they manage algorithms. In our case we are trying to connect to a server that has the following versions of OpenSSH and OpenSSL: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013.

What you expected to happen

Our existing SSH connections to keep working regardless of the version of OpenSSH used.

How to reproduce

Connect through the 2.2.4 SSHOperator to a server that does not support either RSA2 or the server-sig-algs protocol extension.

Operating System

Debian GNU/Linux 11 (bullseye)

Versions of Apache Airflow Providers

apache-airflow-providers-ssh==1!2.4.0

Deployment

Astronomer

Deployment details

No response

Anything else

In their changelog Paramiko indicates that to work around that issue it is possible to specify disabled_algorithms={'keys': ['rsa-sha2-256', 'rsa-sha2-512']} in either SSHClient <paramiko.client.SSHClient.__init__> or Transport <paramiko.transport.Transport.__init__>.

I'm wondering what the impact of adding this to the SSHClient could be?

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
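
An added example, not part of the original issue and not Airflow's code: disabling `rsa-sha2-256`/`rsa-sha2-512` makes Paramiko fall back to `ssh-rsa` (SHA-1) signatures, so this sketch applies the changelog's override only to hosts that are both explicitly allowlisted and still announce an old OpenSSH in their banner. The host name, the helper names and the 7.2 cut-off for rsa-sha2 support are assumptions; the banner is unauthenticated, which is why it is never sufficient on its own.

```python
import re
import socket

# Assumption: OpenSSH gained rsa-sha2-256/512 in 7.2; older servers only verify ssh-rsa.
RSA_SHA2_MIN_OPENSSH = (7, 2)
# Override value quoted in the issue from the Paramiko changelog.
LEGACY_RSA_ONLY = {"keys": ["rsa-sha2-256", "rsa-sha2-512"]}
# Constructed sample allowlist of hosts reviewed and accepted as legacy.
LEGACY_HOSTS = {"legacy-sftp.example.internal"}


def read_banner(host, port=22, timeout=5.0):
    """Return the server's SSH identification line, e.g. 'SSH-2.0-OpenSSH_5.3'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = sock.makefile("rb").readline(255)
    return line.decode("ascii", "replace").strip()


def openssh_version(banner):
    """Parse (major, minor) from an OpenSSH banner; None for other implementations."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def connect_overrides(host, banner, legacy_hosts=LEGACY_HOSTS):
    """Extra SSHClient.connect() kwargs: the SHA-1 fallback only where it is needed.

    An allowlisted host that has since been upgraded gets no override, so the
    weaker setting disappears as soon as the server no longer requires it.
    """
    version = openssh_version(banner)
    is_old = version is not None and version < RSA_SHA2_MIN_OPENSSH
    if host in legacy_hosts and is_old:
        return {"disabled_algorithms": LEGACY_RSA_ONLY}
    return {}


def connect(host, username, key_filename, port=22):
    """Open a Paramiko session with the per-host override applied."""
    import paramiko  # imported lazily so the helpers above run without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()  # unknown hosts are rejected by default
    client.connect(host, port=port, username=username, key_filename=key_filename,
                   **connect_overrides(host, read_banner(host, port)))
    return client
```

A host that shows an old banner but is not on the allowlist still fails with the error from the issue, which is the prompt to review it before adding it.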
