Use different signature algorithm for SSH host key

[heroin-moose]

Currently this plugin generates RSA keys:

packer-plugin-ansible/provisioner/ansible/provisioner.go

Line 993 in 97b6b77

key, err := rsa.GenerateKey(rand.Reader, 2048)

However, RSA/SHA-1 was deprecated in the latest OpenSSH release (changelog) and my builds fail with the following error:

qemu.example-vm: fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Unable to negotiate with 127.0.0.1 port 37115: no matching host key type
found. Their offer: ssh-rsa", "unreachable": true}

Please, consider changing the algorithm to something newer.

[klausenbusk]

I did some research and switching to something else (ex:Ed25519) is more difficult than anticipated, as Go doesn't support the relevant key format (golang/go#37132).

See also this issue: golang/go#37278 for RFC8332 support.

Related issue: hashicorp/packer#8609

[klausenbusk]

I was too fast, this work and is supported by OpenSSH since release 5.7:

diff --git a/provisioner/ansible/provisioner.go b/provisioner/ansible/provisioner.go
index 076f25e..21876aa 100644
--- a/provisioner/ansible/provisioner.go
+++ b/provisioner/ansible/provisioner.go
@@ -7,8 +7,9 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -934,7 +935,7 @@ func newUserKey(pubKeyFile string) (*userKey, error) {
 		return userKey, nil
 	}
 
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, errors.New("Failed to generate key pair")
 	}
@@ -945,9 +946,12 @@ func newUserKey(pubKeyFile string) (*userKey, error) {
 
 	// To support Ansible calling back to us we need to write
 	// this file down
-	privateKeyDer := x509.MarshalPKCS1PrivateKey(key)
+	privateKeyDer, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return nil, errors.New("Failed to marshal private key")
+	}
 	privateKeyBlock := pem.Block{
-		Type:    "RSA PRIVATE KEY",
+		Type:    "PRIVATE KEY",
 		Headers: nil,
 		Bytes:   privateKeyDer,
 	}
@@ -990,7 +994,7 @@ func newSigner(privKeyFile string) (*signer, error) {
 		return signer, nil
 	}
 
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, errors.New("Failed to generate server key pair")
 	}

[yasn77]

Issue is also reported here #53

I am facing a similar problem with Arch Linux, I am getting around it right now by using docker to run packer, but it's pretty annoying :)

[klausenbusk]

x/crypto supports RSA SHA-2 (golang/crypto@b4de73f) now. So updating golang.org/x/crypto should fix this issue.

[NHAS]

I am also effected by this issue. Has there been any movement on this?

[ispirals]

I reached this as I'm facing the same issue with new versions of OS, is there any plan to fix this?

[ankitwal]

Not a complete solution but if you do not need a proxy adapter, toggling off use_proxy = false, avoids this issue.

[NHAS]

Another way you can get around this, which I think is rather clean is re-enabling the weak rsa-sha1 algorithm within your ssh client.

@ispirals

E.g Add this to your packer json/hcl

 "ansible_ssh_extra_args": [
                "-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"
]

To be fair, this is only for the ansible connection itself, as that will use your local ssh client & configuration

[adds68]

Issue is also reported here #53

I am facing a similar problem with Arch Linux, I am getting around it right now by using docker to run packer, but it's pretty annoying :)

Hey, interested to know how this workaround is used, do you have any examples?

[stefangweichinger]

same here: could use a working example, fails here with virtualbox-iso

==> debian.virtualbox-iso.bullseye: Executing Ansible: ansible-playbook -e packer_build_name="base-debian-amd64" -e packer_builder_type=virtualbox-iso -e packer_http_addr=10.0.2.2:8873 --ssh-extra-args '-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa' -e ansible_ssh_private_key_file=/tmp/ansible-key43104058 -i /tmp/packer-provisioner-ansible2143489858 /home/sgw/projects/packer/my-work/packer_sgw_builds/ansible/*****-debian-11-guest-additions.yml
    debian.virtualbox-iso.bullseye:
    debian.virtualbox-iso.bullseye: PLAY [all] *********************************************************************
    debian.virtualbox-iso.bullseye:
    debian.virtualbox-iso.bullseye: TASK [Gathering Facts] *********************************************************
    debian.virtualbox-iso.bullseye: fatal: [default]: FAILED! => {"msg": "failed to transfer file to /home/sgw/.ansible/tmp/ansible-local-124735o9cwss1j/tmpe8pwoul3 /home/vagrant/.ansible/tmp/ansible-tmp-1651577057.3591588-124739-192345091164490/AnsiballZ_setup.py:\n\n"}
    debian.virtualbox-iso.bullseye:
    debian.virtualbox-iso.bullseye: PLAY RECAP *********************************************************************
    debian.virtualbox-iso.bullseye: default                    : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
    debian.virtualbox-iso.bullseye:
==> debian.virtualbox-iso.bullseye: Provisioning step had errors: Running the cleanup provisioner, if present...
==> debian.virtualbox-iso.bullseye: Cleaning up floppy disk...
==> debian.virtualbox-iso.bullseye: Deregistering and deleting VM...
==> debian.virtualbox-iso.bullseye: Deleting output directory...
Build 'debian.virtualbox-iso.bullseye' errored after 6 minutes 40 seconds: Error executing Ansible: Non-zero exit status: exit status 2

I have this in my "debian-improved.pkr.hcl":

provisioner "ansible" {                                                       
  playbook_file = "ansible/vagrant-debian-11-guest-additions.yml"             
  user          = "${var.ssh_username}"                                       
  ansible_ssh_extra_args = [                                                    
                "-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa"
 ]                                                                               
   }        

This is Packer 1.8.0

[adrianlzt]

I'm using this configuration in the .ssh/config file to avoid the error (no need for the ansible_ssh_extra_args config):

Host 127.0.0.1
      HostKeyAlgorithms +ssh-rsa
      PubkeyAcceptedKeyTypes +ssh-rsa