Bug #87381 SSH Tunnel Fails Due to Crypto Signature
Submitted: 10 Aug 19:03 Modified: 7 Sep 12:57
Reporter: Brett Patterson Email Updates:
Status: Can't repeat Impact on me:
None 
Category:MySQL Workbench Severity:S2 (Serious)
Version:6.3 OS:Mac OS X (10.12.6)
Assigned to:

[10 Aug 19:03] Brett Patterson
Description:
While attempting to establish an SSH tunnel, Workbench displays an error dialog with the following message:

-----
Authentication error, unhandled exception caught in
tunnel manager, please refer to logs for details
-----

Looking through the error logs shows the following:

-----
13:24:46 [INF][     SSH tunnel]: Opening SSH tunnel to myproxy.example.com
13:24:47 [ERR][sshtunnel.py:notify_exception_error:235]: Traceback (most recent call last):
  File "/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 303, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key, timeout=SSH_CONNECTION_TIMEOUT)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 325, in connect
    t.start_client()
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/transport.py", line 492, in start_client
    raise e
NotImplementedError: Use module Crypto.Signature.pkcs1_15 instead
-----

How to repeat:
Create Standard TCP/IP over SSH connection to linux server.
Attempt to test connection or connect.
[12 Aug 16:13] Brett Patterson
I tried replacing the bundled Paramiko with the latest release (2.2.1) and that caused a separate issue of not being able to open the SSH tunnel manager.
[12 Aug 16:15] Brett Patterson
Upping to serious because this means all "private" cloud databases which require an SSH tunnel require a separate program to generate the tunnel.  It's a work around, but the feature is generally broken.
[18 Aug 6:16] Umesh Shastry
Hello Brett,

Thank you for the report and feedback.
I tried few times to connecting various instances through connection method "Standard TCP/IP over SSH" but not seeing reported issue and able to connect instances easily.

####
11:20:17 [INF][      Workbench]: Starting up Workbench
11:20:17 [INF][   WBContext UI]: Initializing workbench context UI with these values:
	base dir: /Applications/MySQLWorkbench.app/Contents/Resources
	plugin path: /Applications/MySQLWorkbench.app/Contents/PlugIns
	struct path: /Applications/MySQLWorkbench.app/Contents/Resources/grt
	module path: /Applications/MySQLWorkbench.app/Contents/PlugIns:/Applications/MySQLWorkbench.app/Contents/Resources/plugins
	library path: /Applications/MySQLWorkbench.app/Contents/Resources/libraries
	user data dir: /Users/umshastr/Library/Application Support/MySQL/Workbench
	open at start: 
	open type: 
	run at startup: 
	run type: 
	Force SW rendering: No
	Force OpenGL: No
	quit when done: No
11:20:17 [INF][      WBContext]: WbContext::init
11:20:30 [INF][            WBA]: Looking for extension modules for WBA...
11:20:30 [INF][            WBA]: 0 extension modules found
11:20:31 [WRN][            grt]: /Users/umshastr/Library/Application Support/MySQL/Workbench/connections.xml:26: link '3D335875-2B25-4ABD-8ABE-677A0D31A013' <object GrtObject> key=owner could not be resolved
11:20:31 [INF][      WBContext]: System info:
 	MySQL Workbench Community (GPL) for Mac OS X version 6.3.9 CE build 10690321 (64 bit)
	Configuration Directory: /Users/umshastr/Library/Application Support/MySQL/Workbench
	Data Directory: /Applications/MySQLWorkbench.app/Contents/Resources
	Cairo Version: 1.10.2
	OS: macOS 10.12.x Sierra x86_64
	CPU: 8x Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz - 4.00GiB RAM
No video adapter info available

11:21:08 [INF][     SSH tunnel]: Starting tunnel
11:21:08 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
11:21:12 [INF][     SSH tunnel]: Opening SSH tunnel to xxx.yy.oracle.com:22
11:21:15 [INF][     SSH tunnel]: TunnelManager.wait_connection returned OK
11:21:15 [INF][     SSH tunnel]: SSH tunnel connect executed OK

Could you please post exact screenshot(pls make it private after posting here) of "Standard TCP/IP over SSH Connection Method"? - https://dev.mysql.com/doc/workbench/en/wb-mysql-connections-methods-ssh.html 

Also, launch WB with debugging enabled and attempt to reproduce the issue and provide us unaltered WB log file to investigate further at our end?

MySQLWorkbench --log-level=debug3

regards,
umesh
[18 Aug 17:22] Brett Patterson
So I removed MySQL Workbench from my system, removed ~/Library/Application Support/MySQL/Workbench folder to "start fresh" just to verify that (a) I was using a clean install of MySQL Workbench and (b) to make sure it wasn't a cached connection setting issue.

Start Workbench with log-level "debug3" and received the following output:

=====
Logger set to level 'debug3'. '1111111'
Ready.

2017-08-18 13:20:17.218 MySQLWorkbench[7203:2073761] TODO: restore edit menu
Thread started
No handlers could be found for logger "paramiko.transport"
Thread started
=====
[18 Aug 17:27] Brett Patterson
wb.log entry:

=====
13:23:07 [WRN][            grt]: /Users/brett/Library/Application Support/MySQL/Workbench/connections.xml:27: link '4B4C6CDB-C6AA-4725-B29D-4A6418248C23' <object GrtObject> key=owner could not be resolved
13:23:07 [DB1][component_physical]: Loaded connection list, 1 connections found.
13:23:07 [INF][      WBContext]: System info:
 	MySQL Workbench Community (GPL) for Mac OS X version 6.3.9 CE build 10690321 (64 bit)
	Configuration Directory: /Users/brett/Library/Application Support/MySQL/Workbench
	Data Directory: /Applications/MySQLWorkbench.app/Contents/Resources
	Cairo Version: 1.10.2
	OS: macOS 10.12.x Sierra x86_64
	CPU: 8x Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz - 16.00GiB RAM
No video adapter info available

13:23:07 [DB1][     WQE native]: Setting up UI
13:23:07 [DB1][      Workbench]: Setup done
13:23:08 [DB2][      Workbench]: Adding new top panel
13:23:08 [DB1][      WBContext]: Saved connection list (MySQL: 1)
13:23:08 [DB1][      WBContext]: Calling SQLIDEUtils.initialize0()...
13:23:08 [DB1][      WBContext]: Calling WbAdmin.initialize()...
13:23:08 [DB2][      WBContext]: get_local_os_name() returned 'macOS 10.12.x Sierra x86_64'
13:23:08 [DB2][       WBModule]: OS 'macOS 10.12.x Sierra x86_64' is supported
13:23:15 [INF][     SSH tunnel]: Starting tunnel
13:23:15 [DB2][ python context]: About to pyrun '/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py'
13:23:15 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
13:23:15 [INF][     SSH tunnel]: Opening SSH tunnel to dbproxy.mydomain.com:22
13:23:15 [DB2][sshtunnel.py:do_run:119]: SSH Tunel 1 thread started
13:23:15 [DB2][sshtunnel.py:notify:230]: tunnel_1244: INFO Connecting to SSH server at dbproxy.mydomain.com:22 using key /Users/brett/.ssh/sqlproxy.id_rsa...
13:23:15 [DB1][     SSH tunnel]: Waiting on tunnel to connect...
13:23:15 [DB2][sshtunnel.py:notify:230]: tunnel_1244: ERROR Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
13:23:15 [ERR][sshtunnel.py:notify_exception_error:235]: Traceback (most recent call last):
  File "/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 303, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key, timeout=SSH_CONNECTION_TIMEOUT)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 325, in connect
    t.start_client()
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/transport.py", line 492, in start_client
    raise e
NotImplementedError: Use module Crypto.Signature.pkcs1_15 instead

13:23:15 [DB1][sshtunnel.py:do_run:227]: Leaving tunnel thread 1244
=====
[18 Aug 17:32] Brett Patterson
And to verify the identity is correct, I was able to successfully SSH to the server using the same key and username as defined within the connection of Workbench.

=====
$ ssh -i ~/.ssh/sqlproxy.id_rsa sqlproxy@dbproxy.mydomain.com
Last login: Fri Aug 11 13:57:48 2017 from <my_isp>.net

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
=====
[23 Aug 14:11] Umesh Shastry
Thank you for the feedback.
I'm still not seeing the issue, with the SSH keys I'm able to connect without any issues. Here are the quick steps I attempted while trying to reproduce:

— Client box - SSH keygen and copy over pub key to server

umshastr:.ssh umshastr$ ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

umshastr:.ssh umshastr$ hostname
client0001.idc.oracle.com

umshastr:.ssh umshastr$ pwd
/Users/umshastr/.ssh
umshastr:.ssh umshastr$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/umshastr/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/umshastr/.ssh/id_rsa.
Your public key has been saved in /Users/umshastr/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dE7aDaz/Im+l25FrCIqGa6Pc0VpLnggzScI5clzx0h4 umshastr@client0001.idc.oracle.com
The key's randomart image is:
+---[RSA 2048]----+
|    .            |
|     +   .       |
|    o E . =      |
|.... o o B o     |
|o=o   . S o .    |
|+.o .   ..  ..   |
| = o = . ..+o    |
|. O X + . =o.o   |
|.+.B +   +o++    |
+----[SHA256]-----+
umshastr:.ssh umshastr$ 

umshastr:.ssh umshastr$ ls -l
total 16
-rw-------  1 umshastr  staff  1679 Aug 23 19:08 id_rsa
-rw-r--r--  1 umshastr  staff   414 Aug 23 19:08 id_rsa.pub

— Copy pro key to Server

umshastr:.ssh umshastr$ scp id_rsa.pub umshastr@myproxy0001.no.oracle.com:/tmp/
The authenticity of host 'myproxy0001.no.oracle.com (xx.xxx.xxx.xxx)' can't be established.
ECDSA key fingerprint is SHA256:aXNepD4Z6wD5ubnY0W1Cp3lPOjdMf8nunNMITtQP/dQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myproxy0001.no.oracle.com,xx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.
umshastr@myproxy0001.no.oracle.com's password: 
id_rsa.pub                                                                                                                                       100%  414     0.7KB/s   00:00    
umshastr:.ssh umshastr$ 
umshastr:.ssh umshastr$ 

umshastr:.ssh umshastr$ 
umshastr:.ssh umshastr$ ssh umshastr@myproxy0001.no.oracle.com
umshastr@myproxy0001.no.oracle.com's password: 
Last login: Wed Aug 23 15:32:01 2017 from client0001.idc.oracle.com
[umshastr@hod03]~: 
[umshastr@hod03]~: cd ~/.ssh/
[umshastr@hod03]~/.ssh: ll
total 0
[umshastr@hod03]~/.ssh: cat /tmp/id_rsa.pub > authorized_keys
[umshastr@hod03]~/.ssh: 
[umshastr@hod03]~/.ssh: exit
logout
Connection to myproxy0001.no.oracle.com closed.
umshastr:.ssh umshastr$ 

umshastr:.ssh umshastr$ ssh -i id_rsa umshastr@myproxy0001.no.oracle.com
Last login: Wed Aug 23 15:42:59 2017 from client0001.idc.oracle.com
[umshastr@hod03]~: 
[umshastr@hod03]~: 

## Attempted to connect instance running on server with SSH key “id_rsa” generated in previous steps
## WB connects using SSH key without any issues

## WB log

9:20:08 [INF][      Workbench]: Starting up Workbench
19:20:08 [INF][   WBContext UI]: Initializing workbench context UI with these values:
	base dir: /Applications/MySQLWorkbench.app/Contents/Resources
	plugin path: /Applications/MySQLWorkbench.app/Contents/PlugIns
	struct path: /Applications/MySQLWorkbench.app/Contents/Resources/grt
	module path: /Applications/MySQLWorkbench.app/Contents/PlugIns:/Applications/MySQLWorkbench.app/Contents/Resources/plugins
	library path: /Applications/MySQLWorkbench.app/Contents/Resources/libraries
	user data dir: /Users/umshastr/Library/Application Support/MySQL/Workbench
	open at start: 
	open type: 
	run at startup: 
	run type: 
	Force SW rendering: No
	Force OpenGL: No
	quit when done: No
19:20:08 [INF][      WBContext]: WbContext::init
19:20:19 [INF][            WBA]: Looking for extension modules for WBA...
19:20:19 [INF][            WBA]: 0 extension modules found
19:20:20 [WRN][            grt]: /Users/umshastr/Library/Application Support/MySQL/Workbench/connections.xml:30: link '31F5D51C-51B7-4D60-9F3C-ACDD67E970A5' <object GrtObject> key=owner could not be resolved
19:20:20 [INF][      WBContext]: System info:
 	MySQL Workbench Community (GPL) for Mac OS X version 6.3.9 CE build 10690321 (64 bit)
	Configuration Directory: /Users/umshastr/Library/Application Support/MySQL/Workbench
	Data Directory: /Applications/MySQLWorkbench.app/Contents/Resources
	Cairo Version: 1.10.2
	OS: macOS 10.12.x Sierra x86_64
	CPU: 8x Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz - 4.00GiB RAM
No video adapter info available

19:20:37 [INF][     SSH tunnel]: Starting tunnel
19:20:37 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
19:20:37 [INF][     SSH tunnel]: Opening SSH tunnel to myproxy0001.no.oracle.com:22
19:20:43 [INF][     SSH tunnel]: TunnelManager.wait_connection returned OK
19:20:43 [INF][     SSH tunnel]: SSH tunnel connect executed OK
19:21:01 [INF][SQL Editor Form]: Opened connection 'myproxy0001.no.oracle.com' to MySQL Community Server (GPL) version 5.7.19

====

Anything else you are attempting other than above steps? Is SSL enabled for MySQL instance? Please let us know.

regards,
umesh
[23 Aug 14:54] Brett Patterson
SSL is not being utilized to connect to the proxy.  I can correctly connect using SSH and the key set up in MySQL Workbench.  Still get the "Unhandled error in tunnel manager" popup.  WB log and my connection configuration screenshot(s) are attached.

=========================

brett@mycomputer|~$ ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

brett@mycomputer|~$ hostname
mycomputer.example.com

brett@mycomputer|~$ cat .ssh/stage-sqlproxy.id_rsa.pub 
ssh-rsa AAA<truncated for security>LZ3Ka1b brett@mycomputer.example.com
brett@mycomputer|~$ 

brett@mycomputer|~$ ssh -i ~/.ssh/stage-sqlproxy.id_rsa sqlproxy@dbproxy.stage.example.net
Last login: Fri Aug 18 17:28:49 2017 from static-192.168.0.0.my.isp.com

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
[sqlproxy@ip-192.168.1.2 ~]$ exit
logout
Connection to dbproxy.stage.example.net closed.

#########################

brett@mycomputer|~$ /Applications/MySQLWorkbench.app/Contents/MacOS/MySQLWorkbench --log-level=debug3
Logger set to level 'debug3'. '1111111'
Ready.

2017-08-23 10:39:09.200 MySQLWorkbench[7036:2854678] TODO: restore edit menu
Thread started
No handlers could be found for logger "paramiko.transport"
[24 Aug 13:13] Brett Patterson
Just want to add the supported Key Exchanges on the proxy server are:

[sqlproxy@ip-192.168.1.2 ~]$ ssh -Q kex server
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group1-sha1
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
[7 Sep 10:29] Umesh Shastry
Hello Brett,

Sorry for the delayed response, I have tried exactly as you are but I'm not seeing the issue at my end. I discussed with WB developer who asked me to suggest you  to check paramiko version 2.1.3.  Also, looking at https://github.com/paramiko/paramiko/issues/776 this seems to have resulted when using cryptodome instead of pycrypto.

Thanks,
Umesh
[7 Sep 10:35] Umesh Shastry
In continuation with earlier note, WB dev confirmed that for paramiko 2.1.3, you will also need these python modules: cryptography, bcrypt, nacl
[7 Sep 12:42] Brett Patterson
Installing Paramiko 2.2.1 via pip and removing the paramiko directory from /Applications/MySQLWorkbench.app/Contents/Resources/libraries.  Then launching with debug enabled and connections worked just fine.  Below is the output from the pip paramiko installation:

Collecting paramiko
  Downloading paramiko-2.2.1-py2.py3-none-any.whl (176kB)
    100% |████████████████████████████████| 184kB 1.3MB/s 
Requirement already satisfied: pynacl>=1.0.1 in /Library/Python/2.7/site-packages (from paramiko)
Requirement already satisfied: bcrypt>=3.1.3 in /Library/Python/2.7/site-packages (from paramiko)
Requirement already satisfied: cryptography>=1.1 in /Library/Python/2.7/site-packages (from paramiko)
Collecting pyasn1>=0.1.7 (from paramiko)
  Downloading pyasn1-0.3.4-py2.py3-none-any.whl (63kB)
    100% |████████████████████████████████| 71kB 2.4MB/s 
Requirement already satisfied: six in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python (from pynacl>=1.0.1->paramiko)
Requirement already satisfied: cffi>=1.4.1 in /Library/Python/2.7/site-packages (from pynacl>=1.0.1->paramiko)
Requirement already satisfied: ipaddress in /Library/Python/2.7/site-packages (from cryptography>=1.1->paramiko)
Requirement already satisfied: asn1crypto>=0.21.0 in /Library/Python/2.7/site-packages (from cryptography>=1.1->paramiko)
Requirement already satisfied: enum34 in /Library/Python/2.7/site-packages (from cryptography>=1.1->paramiko)
Requirement already satisfied: idna>=2.1 in /Library/Python/2.7/site-packages (from cryptography>=1.1->paramiko)
Requirement already satisfied: pycparser in /Library/Python/2.7/site-packages (from cffi>=1.4.1->pynacl>=1.0.1->paramiko)
Installing collected packages: pyasn1, paramiko
Successfully installed paramiko-2.2.1 pyasn1-0.3.4
[7 Sep 12:57] Umesh Shastry
Thank you Brett for confirming that after reinstalling you are able to connect now. For now, I'll close this issue but feel free to open if you encounter any related issues further.

Thank you for your interest in MySQL.

Thanks,
Umesh