Paramiko broken on Mac M1 (using x86_64 dmg) with ssh key password #4142

Closed
aerusso opened this issue Feb 18, 2024 · 7 comments
Labels
bug Something isn't working

Comments

@aerusso
Contributor

aerusso commented Feb 18, 2024

Describe the bug
Having a password on an ssh key seems to prevent paramiko from properly connecting to the remote server. --ssh=ssh resolves these issues.

Additionally, paramiko complains about legacy cryptography used in OpenSSL 3.0. Setting CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 resolves it (but I think you already know about this, since the normal launcher appears to already address this).

To Reproduce
Steps to reproduce the behavior:

  1. /usr/bin/xpra start-desktop :68 --daemon=no --systemd-run=no --start-child=/usr/bin/startplasma-x11 --exit-with-children --resize-display=1920x1280, but it doesn't matter
  2. ./Xpra attach ssh://$NAME@$SERVER/$DISPLAY
  3. I'm trying to use an ed25519 ssh key.
  4. This fails, complaining about CRYPTOGRAPHY_OPENSSL_NO_LEGACY not being set. If I set this, presumably paramiko opens a window for me to enter the ssh key password. Typing this in leads to an apparent hang on the client. The server eventually (after 5-10 seconds) shows a successful ssh login from the client (and /usr/bin/xpra _proxy :$DISPLAY spawn), but there is no visible change on the client.
more complete log
2024-02-17 19:42:20,165 Error: cannot enable SSH socket upgrades
2024-02-17 19:42:20,165 OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
2024-02-17 19:42:20,183 created unix domain socket '/Users/$REDACTED'
2024-02-17 19:42:20,734 Unable to import OpenGL.arrays.numpymodule.NumpyHandler: No numpy module present: No module named 'numpy'

(Xpra:8817): Gdk-WARNING **: 19:42:20.738: losing last reference to undestroyed window
2024-02-17 19:42:20,738 OpenGL enabled on 'Apple M1 Pro'
2024-02-17 19:42:20,750 removing unix domain socket '/Users/$REDACTED'
xpra main error:
Traceback (most recent call last):
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 121, in main
return run_mode(script_file, cmdline, err, options, args, mode, defaults)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 455, in run_mode
return do_run_mode(script_file, cmdline, error_cb, options, args, mode, defaults)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 541, in do_run_mode
return run_client(script_file, cmdline, error_cb, options, args, mode)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1310, in run_client
app = get_client_app(cmdline, error_cb, opts, extra_args, mode)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1483, in get_client_app
display_desc = do_pick_display(dotxpra, error_cb, opts, extra_args, cmdline)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 897, in do_pick_display
return parse_display_name(error_cb, opts, extra_args[0], cmdline, find_session_by_name=find_session_by_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 516, in parse_display_name
ssh_desc = get_ssh_display_attributes(args, opts.ssh)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 629, in get_ssh_display_attributes
ssh = parse_ssh_option(ssh_option)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 613, in parse_ssh_option
import paramiko
File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/__init__.py", line 22, in <module>
from paramiko.transport import (
File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/transport.py", line 138, in <module>
class Transport(threading.Thread, ClosingContextManager):
File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/transport.py", line 212, in Transport
if KexCurve25519.is_available():
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/kex_curve25519.py", line 30, in is_available
X25519PrivateKey.generate()
File "cryptography/hazmat/primitives/asymmetric/x25519.pyc", line 59, in generate
File "cryptography/hazmat/backends/openssl/init.pyc", line 7, in <module>
File "cryptography/hazmat/backends/openssl/backend.pyc", line 27, in <module>
File "cryptography/hazmat/bindings/openssl/binding.pyc", line 167, in <module>
File "cryptography/hazmat/bindings/openssl/binding.pyc", line 134, in init_static_locks
File "cryptography/hazmat/bindings/openssl/binding.pyc", line 123, in _ensure_ffi_initialized
File "cryptography/hazmat/bindings/openssl/binding.pyc", line 43, in _legacy_provider_error
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
  1. If I use --ssh=ssh, the connection works fine. (Actually, there are other things not working, but I don't want to bother you with that until I can figure out the issue.)
  2. Similarly, if I remove the password from ssh-key, it also works fine.

System Information (please complete the following information):

gpg signature of the file, I don't know how else to definitely identify this besides the date and url

Additional context
The main issue "smells" like the beginning of the xpra interaction isn't getting sent because paramiko misses it while waiting for the ssh key password to be entered.

@aerusso aerusso added the bug Something isn't working label Feb 18, 2024
@totaam
Collaborator

totaam commented Feb 18, 2024

There are many known issues with the stable builds - please try the latest beta build instead.

gpg signature of the file, I do..

A checksum (ie: sha256sum) would be a lot smaller and easier to handle.


CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 is meant to be set right at the start in the platform initialization code:

import os

if os.environ.get("CRYPTOGRAPHY_OPENSSL_NO_LEGACY") is None:
    os.environ["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
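
An added example, not part of the thread and not Xpra's code: the traceback above shows the legacy-provider check running while `cryptography/hazmat/bindings/openssl/binding` is being imported, so the variable only helps if it is set before that import. The sketch below is a launcher preflight that sets the default and reports when it is already too late; the function name, the status strings and the handling of empty or `"0"` values are assumptions of this example.

```python
import os
import sys

ENV_NAME = "CRYPTOGRAPHY_OPENSSL_NO_LEGACY"
# Module named in the traceback above; the provider check runs at its import.
BINDING_MODULE = "cryptography.hazmat.bindings.openssl.binding"


def preflight_no_legacy(environ=None, loaded_modules=None):
    """Default ENV_NAME to "1" and report whether that can still take effect.

    Returns (value, status), where status is:
      "kept"     - the variable already had an effective value, left untouched
      "set"      - the variable was unset or ineffective and is now "1"
      "too-late" - the OpenSSL binding was imported before the variable was
                   usable, so changing the environment now changes nothing
    """
    environ = os.environ if environ is None else environ
    loaded_modules = sys.modules if loaded_modules is None else loaded_modules

    current = environ.get(ENV_NAME)
    # Assumption of this example: an empty value or "0" counts as "not set",
    # so a plain "is None" test would leave such a value in place.
    effective = current not in (None, "", "0")

    if effective:
        return current, "kept"
    if BINDING_MODULE in loaded_modules:
        # The import-time check has already run; do not pretend to fix it.
        return current, "too-late"
    environ[ENV_NAME] = "1"
    return "1", "set"


if __name__ == "__main__":
    # Run this before anything imports paramiko or cryptography.
    value, status = preflight_no_legacy()
    print(f"{ENV_NAME}={value!r} ({status})")
```
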

@aerusso
Contributor Author

aerusso commented Feb 29, 2024

This also showed up in the latest beta when I tried about a week ago.

@totaam
Collaborator

totaam commented Feb 29, 2024

@aerusso can you post the output with -d ssh?

@aerusso
Contributor Author

aerusso commented Feb 29, 2024

I will, but I don't control the Mac in question (it will take ~weeks before I get the chance to).

@totaam
Collaborator

totaam commented Mar 20, 2024

Likely the same problem as #4162

@totaam
Collaborator

totaam commented May 31, 2024

Bump.

@totaam
Collaborator

totaam commented Oct 9, 2024

Not heard back.

@totaam totaam closed this as completed Oct 9, 2024