For zfs replication, what ssh kex algorithms are supported?

Entelin

Cadet
Joined
Aug 13, 2021
Messages
2
The destination (non-TrueNAS) SSH server will accept the curve25519-sha256 kex, which the TrueNAS system's ssh -Q kex includes, and it works fine connecting manually from the shell. However, it looks like the ZFS replication feature uses some kind of SSH integrated in Python or something? What does it support?

Thanks.

----- Error from the web gui:

[EACCES] SSHException('Incompatible ssh peer (no acceptable kex algorithm)')

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 651, in _handle_ssh_exceptions
    yield
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 406, in list_datasets
    datasets = await self.middleware.run_in_thread(list_datasets, shell)
  File "/usr/local/lib/python3.9/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/dataset/list.py", line 13, in list_datasets
    return [dataset["name"] for dataset in list_datasets_with_properties(shell, dataset, recursive)]
  File "/usr/local/lib/python3.9/site-packages/zettarepl/dataset/list.py", line 30, in list_datasets_with_properties
    output = shell.exec(args)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/interface.py", line 88, in exec
    return self.exec_async(args, encoding, stdout).wait(timeout)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/interface.py", line 92, in exec_async
    async_exec.run()
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/base_ssh.py", line 27, in run
    client = self.shell.get_client()
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/base_ssh.py", line 123, in get_client
    client.connect(
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 406, in connect
    t.start_client(timeout=timeout)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 660, in start_client
    raise e
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 2083, in run
    self._handler_table[ptype](self, m)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 2198, in _negotiate_keys
    self._parse_kex_init(m)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 2354, in _parse_kex_init
    raise SSHException(
paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable kex algorithm)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1198, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 973, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/replication.py", line 642, in list_datasets
    return await self.middleware.call("zettarepl.list_datasets", transport, ssh_credentials)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1241, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1198, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 406, in list_datasets
    datasets = await self.middleware.run_in_thread(list_datasets, shell)
  File "/usr/local/lib/python3.9/contextlib.py", line 193, in __aexit__
    await self.gen.athrow(typ, value, traceback)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 654, in _handle_ssh_exceptions
    raise CallError(repr(e).replace("[Errno None] ", ""), errno=errno.EACCES)
middlewared.service_exception.CallError: [EACCES] SSHException('Incompatible ssh peer (no acceptable kex algorithm)')
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
Interesting question... The safe answer is RSA, of course, though I'm surprised ed25519 isn't supported.
 

Entelin

Cadet
Joined
Aug 13, 2021
Messages
2
I was going to start doing some trial and error adding additional kex algorithms, but I'd also like to know what's going on there. Does this feature not use the same ssh as what is in the path on the shell? Is there a separate ssh config somewhere breaking this? etc.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
Yeah, it seems that this thing is used by zettarepl and thus TrueNAS. ed25519 support seems to require some additional dependencies which may or may not be present in TrueNAS (they seem to be nominally mandatory, but I can imagine it not being quite the case in controlled environments).

It's not too surprising that the devs would go with a more pythonic solution to get SSH working, although it is somewhat unusual to see this done for SSH in addition to "library for random task X". Seems to be using OpenSSL under the hood for the crypto heavy-lifting.
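Added example, not code from this thread or from TrueNAS/zettarepl: it reproduces the client-side key-exchange selection rule from RFC 4253 section 7.1 that paramiko applies in Transport._parse_kex_init before raising "no acceptable kex algorithm", so the two sides' lists can be compared offline. The algorithm lists are constructed samples (the client ones modelled on what a paramiko 2.x client offers with and without X25519 support, where X25519 is listed only under the curve25519-sha256@libssh.org name); on a real system read the actual list from paramiko.Transport(sock).get_security_options().kex before drawing conclusions.

```python
# Added example (not from the thread or from TrueNAS/zettarepl): RFC 4253 7.1 kex
# selection as a paramiko client performs it, applied to constructed sample lists.
from typing import List, Optional, Sequence, Tuple

# Constructed: modelled on a paramiko 2.x client without X25519 support.
CLIENT_NO_X25519 = (
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
)
# Constructed: same client with X25519 available; only the @libssh.org name is added.
CLIENT_WITH_X25519 = ("curve25519-sha256@libssh.org",) + CLIENT_NO_X25519

# Constructed destination that offers only the IANA spelling (e.g. a server pinned
# to "KexAlgorithms curve25519-sha256"), and one that offers both spellings.
SERVER_IANA_ONLY = ("curve25519-sha256",)
SERVER_BOTH_NAMES = ("curve25519-sha256", "curve25519-sha256@libssh.org")

# SHA-1 / group1 methods: never the right thing to enable on the destination.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"}


def negotiate_kex(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """First algorithm in the client's preference order that the server also
    lists; None means the peers are incompatible (where paramiko raises)."""
    offered = set(server)
    return next((algo for algo in client if algo in offered), None)


def kex_gap_report(client: Sequence[str],
                   server: Sequence[str]) -> Tuple[Optional[str], List[str]]:
    """Return (chosen, candidates). On failure, candidates are the client's
    algorithms the server could enable, in client preference order, with the
    weak ones filtered out so that restoring interoperability does not
    downgrade the destination's configuration."""
    chosen = negotiate_kex(client, server)
    if chosen is not None:
        return chosen, []
    offered = set(server)
    return None, [a for a in client if a not in offered and a not in WEAK_KEX]


if __name__ == "__main__":
    for cname, client in (("no-x25519", CLIENT_NO_X25519), ("x25519", CLIENT_WITH_X25519)):
        for sname, server in (("iana-only", SERVER_IANA_ONLY), ("both", SERVER_BOTH_NAMES)):
            chosen, fix = kex_gap_report(client, server)
            verdict = chosen or f"FAIL; server could add {fix[0]}"
            print(f"client {cname:>9} vs server {sname:<9}: {verdict}")
```

The report deliberately never proposes the SHA-1 or group1 methods as the fix, since adding a modern algorithm such as ecdh-sha2-nistp256 or diffie-hellman-group16-sha512 on the destination restores interoperability without weakening it.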
 