Bug 20249 - python-paramiko-1.15.2-1 broke duplicity
Summary: python-paramiko-1.15.2-1 broke duplicity
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-06 19:04 CET by Nicolas Pomarède
Modified: 2017-03-17 12:13 CET (History)
7 users (show)

See Also:
Source RPM: python-paramiko-1.15.2-1.mga5
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Pomarède 2017-02-06 19:04:32 CET 
As reported on cauldron ML, the backup tool "duplicity" (version duplicity-0.6.25-2.mga5) doesn't work anymore due to some changes in the crypto functions.

this is the output when running fro ma console :

Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

ssh: Unknown exception: CTR mode needs counter parameter, not IV
ssh: Traceback (most recent call last):
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1610, in run
ssh:     self.kex_engine.parse_next(ptype, m)
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/kex_group1.py", line 74, in parse_next
ssh:     return self._parse_kexdh_reply(m)
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/kex_group1.py", line 111, in _parse_kexdh_reply
ssh:     self.transport._activate_outbound()
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1909, in _activate_outbound
ssh:     engine = self._get_cipher(self.local_cipher, key_out, IV_out)
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1524, in _get_cipher
ssh:     return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter)
ssh:   File "/usr/lib64/python2.7/site-packages/Crypto/Cipher/AES.py", line 95, in new
ssh:     return AESCipher(key, *args, **kwargs)
ssh:   File "/usr/lib64/python2.7/site-packages/Crypto/Cipher/AES.py", line 59, in __init__
ssh:     blockalgo.BlockAlgo.__init__(self, _AES, key, *args, **kwargs)
ssh:   File "/usr/lib64/python2.7/site-packages/Crypto/Cipher/blockalgo.py", line 141, in __init__
ssh:     self._cipher = factory.new(key, *args, **kwargs)
ssh: ValueError: CTR mode needs counter parameter, not IV
ssh:
BackendException: ssh connection to root@172.18.24.66:22 failed: CTR mode needs counter parameter, not IV 


Suggestion : update to duplicity 0.7 as it was done recently for cauldron / next mga 6 (although I didn't check if 0.7 is compatible with lastest pycrypto)
Comment 1 Marja Van Waes 2017-02-08 10:20:14 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => makowski.mageia

Comment 2 Philippe Makowski 2017-02-08 11:55:12 CET 
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

wally, can you help ?

CC: (none) => jani.valimaa

Comment 3 Jani Välimaa 2017-02-08 16:56:49 CET 
It's really python-paramiko which is broken and causes issues in duplicity.

Pushed new python-paramiko [1] with a patch from upstream via Fedora to core/updates_testing. Please test.

[1] python-paramiko-1.15.2-1.1.mga5

Source RPM: duplicity-0.6.25-2.mga5 => python-paramiko-1.15.2-1.mga5

Jani Välimaa 2017-02-08 17:01:12 CET

Assignee: makowski.mageia => qa-bugs

Comment 4 Jani Välimaa 2017-02-08 17:02:33 CET 
SRPM:
python-paramiko-1.15.2-1.1.mga5

RPMS:
python-paramiko-1.15.2-1.1.mga5
python3-paramiko-1.15.2-1.1.mga5
Comment 5 Nicolas Pomarède 2017-02-08 17:08:53 CET 
Hi
I just installed python-paramiko-1.15.2-1.1.mga5.noarch.rpm from core/update/testing and I confirm this fixes the error in duplicity.
Looks good to be pushed to update.

thanks
Dave Hodgins 2017-02-11 23:11:37 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 6 Lewis Smith 2017-02-26 21:42:53 CET 
Changed the package ID in the title from
 python-pycrypto-2.6.1-6.1 to python-paramiko-1.15.2-1
according to Comments 3 & 4.

Summary: python-pycrypto-2.6.1-6.1.mga5 update broke duplicity => python-paramiko-1.15.2-1 broke duplicity
CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-03-13 11:53:07 CET 
I looked at length into deploying Duplicity, but it seems a quagmire of scp/ssh stuff at both ends.
@Nicolas Can you suggest a way of installing/configuring it on a stand-alone box with the necessary scp/ssh stuff? It looks really easy to use once everything is set up at both ends.
Lewis Smith 2017-03-13 11:54:07 CET

CC: (none) => npomarede

Comment 8 Nicolas Pomarède 2017-03-13 12:12:31 CET 
@Lewis : usage is rather easy in fact ; on the remote server, you just need an ssh account and a directory to store the backups.
On the local machine I run for example :

duplicity --allow-source-mismatch --volsize 500 --progress /home ssh://user@remote/backup/home

This will backup /home into the directory /backup/home on "remote".
Comment 9 Len Lawrence 2017-03-13 12:46:31 CET 
@lewis: I had been intending to have a look at this.  I could take this because I have several machines on the network.  Not backing up /home though (160GB) :-)

CC: (none) => tarazed25

Comment 10 Len Lawrence 2017-03-13 16:22:06 CET 
x86_64 with Mate
Installed duplicity and used it to test python-paramiko-1.15.2-1.mga5
 
$ duplicity --allow-source-mismatch --volsize 500 --progress /home/lcl/ruby ssh://lcl@vega/data/ruby
Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

ssh: Unknown exception: CTR mode needs counter parameter, not IV
ssh: Traceback (most recent call last):
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1610, in run
ssh:     self.kex_engine.parse_next(ptype, m)
ssh:   File "/usr/lib/python2.7/site-packages/paramiko/kex_group1.py", line 74, in parse_next

.... etc ....

Updated python-paramiko
$ rpm -qa | grep paramiko
python-paramiko-1.15.2-1.1.mga5
$ duplicity --allow-source-mismatch --volsize 500 --progress /home/lcl/ruby ssh://lcl@vega/data/ruby

Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1645, in run
    emsg = '%s (%d)' % (e.args[1], e.args[0])
IndexError: tuple index out of range


askpass was triggered twice, first for the user password on the remote machine and then the password on the private key of the local machine (I think).
After the traceback the command hung.

A second attempt bypassed the user password and then failed:
$ duplicity --allow-source-mismatch --volsize 100 --progress /home/lcl/ruby ssh://lcl@vega/data/ruby

Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

BackendException: ssh connection to lcl@vega:22 failed: Private key file is encrypted

It looks like it is not so easy after all, on a LAN.
Comment 11 Len Lawrence 2017-03-14 12:28:37 CET 
Tried the update on another machine:
$ duplicity --allow-source-mismatch --volsize 500 --progress /home/lcl/ruby ssh://lcl@vega/data/ruby

Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

BackendException: ssh connection to lcl@vega:22 failed: No authentication methods available

Note that a remote login to vega succeeds without any problem at all so there is nothing wrong with the connection.  duplicity does not even ask for a password.
Comment 12 Len Lawrence 2017-03-14 12:37:56 CET 
From the duplicity man pages:
      ssh paramiko backend (enabled by default)
              paramiko (SSH2 for python) -
              http://pypi.python.org/pypi/paramiko (downloads);
              http://github.com/paramiko/paramiko (project page)
              pycrypto (Python Cryptography Toolkit) -
              http://www.dlitz.net/software/pycrypto/

$ rpm -qa | grep pycrypto
python-pycrypto-2.6.1-6.1.mga5

What is SSH2?
Comment 13 Len Lawrence 2017-03-14 13:43:50 CET 
duplicity certainly looks like the easiest approach to testing this update; all the others have a learning curve or are more relevant to developers.
Comment 14 Dave Hodgins 2017-03-17 03:21:47 CET 
Testing on a system where I have ssh setup such that ssh mine opens a bash
session on a second system ...

[dave@x5v Desktop]$ duplicity /home/dave/Desktop/ ssh://dave@mine/testduplicity

Duplicity 0.6 series is being deprecated:
See http://www.nongnu.org/duplicity/

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
GnuPG passphrase: 
Retype passphrase to confirm: 
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1489716645.94 (Thu Mar 16 22:10:45 2017)
EndTime 1489716645.95 (Thu Mar 16 22:10:45 2017)
ElapsedTime 0.01 (0.01 seconds)
SourceFiles 6
SourceFileSize 18253 (17.8 KB)
NewFiles 6
NewFileSize 18253 (17.8 KB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 6
RawDeltaSize 14113 (13.8 KB)
TotalDestinationSizeChange 6895 (6.73 KB)
Errors 0
-------------------------------------------------

On the dest system, in the directory it created, ran
gpg duplicity-full.20170317T021038Z.vol1.difftar.gpg
to create the unencrypted diff file.

Then ran tar-xf on he difftar file and confirmed the files were present in
the snapshot/ directory.

Both the source and dest systems are running Mageia 5 x86_64.

I'll test from a Mageia 5 i586 vb guest shortly.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 15 Dave Hodgins 2017-03-17 03:28:23 CET 
Same testing ok with an i586 vb guest, but with a different dest directory.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2017-03-17 12:13:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGAA-2017-0010.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.