Ssh knownhosts not updating

6854933580_2c8b688306_z

X:22 [INF][ SSH tunnel]: Tunnel Manager.wait_connection authentication error: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details [ERR][ SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last): File "/Applications/My SQLWorkbench.app/Contents/Resources/sshtunnel.py", line 265, in _connect_ssh look_for_keys=has_key, allow_agent=has_key) File "/Applications/My SQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 301, in connect t.start_client() File "/Applications/My SQLWorkbench.app/Contents/Resources/libraries/paramiko/transport.py", line 461, in start_client raise e SSHException: Incompatible ssh peer (no acceptable kex algorithm) [INF][ WBContext]: Connection to Helle Wolke cancelled by user: Tunnel connection cancelled Windows 8.1: [DB1][sshtunnel.py:wait_connection:446]: INFO: Connecting to SSH server at X. A workaround for anyone looking: sudo yum downgrade python-paramiko On fedora this produces: Installing : python-paramiko-1.10.1-2.fc20.noarch 1/2 Cleanup : python-paramiko-1.15.1-1.fc20.noarch 2/2 Verifying : python-paramiko-1.10.1-2.fc20.noarch 1/2 Verifying : python-paramiko-1.15.1-1.fc20.noarch So downgrading from python-paramiko-1.15.1-1 to 1.10.1-2 enables ssh tunnels to work again, without having to downgrade openssh openssh-clients openssh-server from 6.7 to 5.3. Suggested fix: update to the latest paramiko (1.15)I can confirm this is happing for me running Fedora 20 once all updates have been applied on a fresh OS install with workbench 6.2.3.12321 64 bit.If you do not specify a username the username that you are logged in as on the local client machine is passed to the remote machine.If you want to specify a different username, use the following command: Note: This documentation is provided by Red Hat®, Inc. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.The authenticity of host '(104.192.143.3)' can't be established.RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa::7c:40. Are you sure you want to continue connecting (yes/no)?

If you only have the fingerprint, you will have to write an extra step which verifies the downloaded public key with your fingerprint...--- # ansible playbook that adds ssh fingerprints to known_hosts - hosts: all connection: local gather_facts: no tasks: - command: /usr/bin/ssh-keyscan -T 10 register: keyscan - lineinfile: name=~/.ssh/known_hosts create=yes line= with_items: '' This is simply dumps output of a keyscan, yes.I did find a PDF that indicates the following though it was for Unix.There didn't seem to be a matching Windows document with the same information.As a workaround, you can add the following to your /etc/ssh/sshd_config on the server to disable ECDH (which is not really a nice longterm solution, as there are many reason to use EC over RSA): Kex Algorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1And a real fix: - replace the included version of paramiko by a new (HEAD) version from https://github.com/paramiko/paramiko (in case of OSX, it goes into /Applications/My SQLWorkbench.app/Contents/Resources/libraries/paramiko) - add the python-ecdsa library from https://github.com/warner/python-ecdsa to the "libraries" dir - patch the file wb_admin_as follows: --- ./wb.admin/backend/wb_admin_2014-09-15 .000000000 0200 /Applications/My SQLWorkbench.app/Contents/Resources/plugins/wb_admin_2014-11-06 .000000000 0100 @@ -73,20 73,22 @@ import threading OPEN_CHANNEL_TIMEOUT = 15 - def wba_open_channel(self, kind, dest_addr=None, src_addr=None, timeout = None): def wba_open_channel(self, kind, dest_addr=None, src_addr=None, window_size=None, max_packet_size=None): chan = None if not self.active: # don't bother trying to allocate a channel return None acquire() try: window_size = self._sanitize_window_size(window_size) max_packet_size = self._sanitize_packet_size(max_packet_size) chanid = self._next_channel() m = Message() m.add_byte(chr(MSG_CHANNEL_OPEN)) m.add_string(kind) m.add_int(chanid) - m.add_int(self.window_size) - m.add_int(self.max_packet_size) m.add_int(window_size) m.add_int(max_packet_size) if (kind == 'forwarded-tcpip') or (kind == 'direct-tcpip'): m.add_string(dest_addr[0]) m.add_int(dest_addr[1]) @@ -100,11 102,10 @@ self.channel_events[chanid] = event = threading.Event() self.channels_seen[chanid] = True chan._set_transport(self) - chan._set_window(self.window_size, self.max_packet_size) chan._set_window(window_size, max_packet_size) finally: release() self._send_user_message(m) - ts = time.time() OPEN_CHANNEL_TIMEOUT if (timeout is None) else timeout while True: event.wait(0.1); if not self.active: and voila, it works again with recent versions of openssh.So in effect it's the same as Strict Host Key Checking=no, just with silent known_hosts updating without fiddling with ssh options.

You must have an account to comment. Please register or login here!