Infinite loading when deleting a run

Tests ongoing for the following:

Project SATI-1 (id 2017), Run SATI-1 (id 20284)

Project -> Select a run -> Delete -> ng6 credentials

added Bug label

assigned to @rtherville

When calling "https://ng6.toulouse.inra.fr/index.php?eID=tx_nG6&type=delete&del_level=run&[...]", nG6 responds with a "503 Oops, an error occurred!"

Error found, not in /var/log/httpd, but in typo3's backoffice(https://ng6.toulouse.inra.fr/typo3/module/system/BelogLog)

Core: Exception handler (WEB): Uncaught TYPO3 Exception: ssh2_auth_password() expects parameter 1 to be resource, bool given | TypeError thrown in file /usr/local/bioinfo/src/ng6_sources/ng6-V3.4/ui/nG6/Classes/Controller/ng6.php in line 157. Requested URL: https://ng6.toulouse.inra.fr/index.php?eID=tx_nG6&type=delete&del_level=run&data_folder=/var/www/html/ng6/fileadmin&user_login=ng6&user_pwd=8b-jTk6H%3Ep&user_id=4&ids=17721

Looks like the following returns a boolean, not a ressource:

ng6\ui\nG6\Classes\Controller\ng6.php

$connection = ssh2_connect('127.0.0.1', 22);

That's weird, I can't get the content of this variable :

file_put_contents('/work/ng6/jflow/ng6.log', '\r\n in delete, connection='.print_r($connection,TRUE)."\r\n", FILE_APPEND);

returns:

in delete, connection=

Test script here: /work/ng6/jflow/tmp/ng6_ssh_test.php

[root@ng6-slurm tmp]# php /work/ng6/jflow/tmp/ng6_ssh_test.php

Warning: ssh2_connect(): Failed overriding HOSTKEY method in /work/ng6/jflow/tmp/ng6_ssh_test.php on line 3

Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /work/ng6/jflow/tmp/ng6_ssh_test.php on line 3

Warning: ssh2_connect(): Unable to connect to 127.0.0.1 in /work/ng6/jflow/tmp/ng6_ssh_test.php on line 3

Looks like OpenSSH doesn't support RSA keys anymore (since October 2022 apparently)... I found some nice leads here: https://stackoverflow.com/questions/45882200/unable-to-exchange-encryption-keys

"OpenSSH has disabled DH SHA1 by default"

Option 1: Update libssh2 -> libssh2 1.7 and up supports DH SHA256 and ECDH key exchange. These will work with the latest OpenSSH. 1.x releases require PHP 7.

libssh2 might already be installed...

[root@ng6-slurm ssh]# locate libssh2.so
/opt/remi/libssh2/lib64/libssh2.so.1
/opt/remi/libssh2/lib64/libssh2.so.1.0.1
/usr/lib64/libssh2.so
/usr/lib64/libssh2.so.1
/usr/lib64/libssh2.so.1.0.1

it is related to the modifications done after vulnerabilities scans on our VM : cf \tls-gps-dfs.inra.local\home\plage\transfert\Info-Bioinfo\4-Info\SSI\scanner_vulnerabilites_INRAE_suivi_action.xlsm > Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)

not finalized due to problems induced by java update

[root@ng6-slurm ~]# vi /etc/ssh/sshd_config

KexAlgorithms was set to curve25519-sha256@libssh.org  

I added old weak algorithms  
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

[root@ng6-slurm ~]# systemctl restart sshd
[root@ng6-slurm ~]# php /work/ng6/jflow/tmp/ng6_ssh_test.php
connection=  Resource id #4

now OK for ng6-slurm

Try to reproduce the problem on ng6-test if same problem occurs, try to solve the problem so that we can deactivate again weak algorithm

Tested on ng6-test:

/work/ng6-test/jflow_rtherville/ng6_ssh_test.php

<?php
$connection = ssh2_connect('ng6-test.toulouse.inra.fr', 22);

echo("connection=  ".$connection."\n");

if ($connection === TRUE) { echo("connection===TRUE \n"); }
if ($connection === FALSE) { echo("connection===FALSE \n"); }
?>

ng6-test@ng6-test: /work/ng6-test/jflow_rtherville $php ./ng6_ssh_test.php

Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /work/ng6-test/jflow_rtherville/ng6_ssh_test.php on line 3

Warning: ssh2_connect(): Unable to connect to ng6-test.toulouse.inra.fr in /work/ng6-test/jflow_rtherville/ng6_ssh_test.php on line 3
connection=
connection===FALSE

Same error, we can test on ng6-test.

I found a nice source here : https://www.ietf.org/archive/id/draft-ietf-curdle-ssh-kex-sha2-12.html#RFC6234

I tested "diffie-hellman-group1-sha1", it works but it's not recommanded.

I also tested "diffie-hellman-group14-sha1", it works AND it is recommanded as a replacement to every other sha1 KEX.

Quotation here : "It is reasonable to retain the diffie-hellman-group14-sha1 exchange for interoperability with legacy implementations. Therefore, diffie-hellman-group14-sha1 SHOULD be implemented and all other *-sha1 key exchanges SHOULD NOT be implemented. "

I applied this conf to nG6, it also works.

I hope the source is correct and this KEX is not depreciated.

Apparently, the following MUST be implemented:

diffie-hellman-group14-sha256

Tested on ng6-test:

KexAlgorithms diffie-hellman-group14-sha256 -> doesn't work

KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256 -> works

KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 -> works

seems difficult to update libssh2/ssh2 for php.

Try to use phpseclib which can do the same thing : https://phpseclib.com/docs/auth

mentioned in commit f9f3333a

mentioned in merge request !145 (merged)

mentioned in commit dd504f0f