SSH Crypto issues on CentOS 8
I've tried this on CentOS 8.
# cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
I've used this RPM (python-haas_proxy.spec) to compile and install:
%global srcname haas_proxy
Name: python-%{srcname}
Version: 1.9
Release: 1%{?dist}
Summary: Redirects SSH traffic to Honeypot as a Service (HaaS) by cz.nic
License: GPLv3
URL: https://gitlab.labs.nic.cz/haas/proxy
Source0: %{url}/-/archive/master/proxy-master.tar.gz
Source1: %{srcname}.service
Source2: %{srcname}.sysconfig
BuildArch: noarch
BuildRequires: systemd
%description
%summary
%package -n python3-%{srcname}
Summary: %{summary}
BuildRequires: python3-devel
BuildRequires: %{py3_dist bcrypt}
BuildRequires: %{py3_dist cffi}
BuildRequires: %{py3_dist pyOpenSSL}
BuildRequires: %{py3_dist pytest}
BuildRequires: %{py3_dist twisted}
BuildRequires: %{py3_dist cachetools}
Requires: %{py3_dist bcrypt}
Requires: %{py3_dist cffi}
Requires: %{py3_dist pyOpenSSL}
Requires: %{py3_dist pytest}
Requires: %{py3_dist twisted}
Requires: %{py3_dist cachetools}
%{?python_provide:%python_provide python3-%{srcname}}
%description -n python3-%{srcname}
%summary - python3 version
%prep
%autosetup -n proxy-master
%build
%py3_build
%install
%py3_install
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/python3-%{srcname}.service
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/python3-%{srcname}
%check
python3 -m pytest test_haas_proxy.py
%files -n python3-%{srcname}
%license LICENSE
%doc README.md CHANGELOG.txt
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}/
%{_unitdir}/python3-%{srcname}.service
%{_sysconfdir}/sysconfig/python3-%{srcname}
%changelog
* Sun Apr 19 2020 fuero - 1.9-1
- initial packaging
haas_proxy.systemd
[Unit]
Description=HaaS proxy daemon for SSH, python3
After=syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/python3-haas_proxy
ExecStart=/usr/bin/python3 -m haas_proxy --nodaemon haas_proxy --device-token $DEVICE_TOKEN
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
haas_proxy.sysconfig
DEVICE_TOKEN=<your_device_token>
When connecting to it, I get this:
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] Unable to write to plugin cache /usr/lib/python3.6/site-packages/haas_proxy/twisted/plugins/dropin.cache: error number 30
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.10.0 (/usr/bin/python3 3.6.8) starting up.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] ProxySSHFactory starting on 2222
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [haas_proxy.proxy.ProxySSHFactory#info] Starting factory <haas_proxy.proxy.ProxySSHFactory object at 0x7f85760ce438>
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [haas_proxy.proxy.ProxySSHFactory] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] kex alg, key alg: b'ecdh-sha2-nistp256' b'ssh-rsa'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] outgoing: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] incoming: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] Unhandled Error
Apr 19 15:33:42 router python3[23278]: Traceback (most recent call last):
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 103, in callWithLogger
Apr 19 15:33:42 router python3[23278]: return callWithContext({"system": lp}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 86, in callWithContext
Apr 19 15:33:42 router python3[23278]: return context.call({ILogContext: newCtx}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 122, in callWithContext
Apr 19 15:33:42 router python3[23278]: return self.currentContext().callWithContext(ctx, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 85, in callWithContext
Apr 19 15:33:42 router python3[23278]: return func(*args,**kw)
Apr 19 15:33:42 router python3[23278]: --- <exception caught here> ---
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
Apr 19 15:33:42 router python3[23278]: why = selectable.doRead()
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 243, in doRead
Apr 19 15:33:42 router python3[23278]: return self._dataReceived(data)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
Apr 19 15:33:42 router python3[23278]: rval = self.protocol.dataReceived(data)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 703, in dataReceived
Apr 19 15:33:42 router python3[23278]: self.dispatchMessage(messageNum, packet[1:])
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 721, in dispatchMessage
Apr 19 15:33:42 router python3[23278]: f(payload)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1405, in ssh_KEX_DH_GEX_REQUEST_OLD
Apr 19 15:33:42 router python3[23278]: return self._ssh_KEX_ECDH_INIT(packet)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1300, in _ssh_KEX_ECDH_INIT
Apr 19 15:33:42 router python3[23278]: serialization.Encoding.X962,
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/enum.py", line 326, in __getattr__
Apr 19 15:33:42 router python3[23278]: raise AttributeError(name) from None
Apr 19 15:33:42 router python3[23278]: builtins.AttributeError: X962
Apr 19 15:33:42 router python3[23278]:
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] connection lost
Seems to me it has problems with sshd's crypto settings on CentOS 8.
Here's how sshd is invoked (due to crypto-policies, DEFAULT profile):
/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
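Added triage example (not haas_proxy or Twisted code) for the traceback above: it pulls the innermost frame and the missing attribute out of the journald excerpt, then asks the locally installed `cryptography` whether its `Encoding` enum defines that member. `Encoding.X962` only exists from cryptography 2.5 on, so a distro package older than that reproduces this exact AttributeError inside Twisted's ECDH key exchange independently of sshd's settings; the sample lines are copied from the journal output above.

```python
import importlib
import re

# Constructed sample: the three decisive lines from the journal output above.
SAMPLE_LOG = """\
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1300, in _ssh_KEX_ECDH_INIT
Apr 19 15:33:42 router python3[23278]: serialization.Encoding.X962,
Apr 19 15:33:42 router python3[23278]: builtins.AttributeError: X962
"""

FRAME_RE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)')
ERROR_RE = re.compile(r"builtins\.AttributeError: (?P<attr>\w+)")


def parse_traceback(journal_text):
    """Return (innermost frame dict, missing attribute name).
    journald prefixes every line with "<date> <host> <unit>[pid]:", so the
    traceback's indentation is gone; key on the frame/error markers instead.
    """
    frame, attr = None, None
    for line in journal_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frame = m.groupdict()  # last frame seen == innermost
        m = ERROR_RE.search(line)
        if m:
            attr = m.group("attr")
    return frame, attr


def check_encoding_attr(attr):
    """Does the installed `cryptography` define Encoding.<attr>?
    Encoding.X962 exists from cryptography 2.5 on. Returns None when the
    package is not importable, else {"version": ..., "has_attr": bool}.
    """
    try:
        cryptography = importlib.import_module("cryptography")
        serialization = importlib.import_module(
            "cryptography.hazmat.primitives.serialization")
    except ImportError:
        return None
    return {"version": cryptography.__version__,
            "has_attr": hasattr(serialization.Encoding, attr)}


if __name__ == "__main__":
    frame, attr = parse_traceback(SAMPLE_LOG)
    print("failing frame:", frame["func"], "missing attribute:", attr)
    print("local cryptography:", check_encoding_attr(attr))
```

Run it on the affected host next to `rpm -q python3-cryptography`; `has_attr: False` confirms the dependency, not the sshd configuration, is what breaks the ECDH exchange.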