From c1f9f3610e9301977309273130500dc156c7f2cc Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Sun, 29 Jun 2025 20:49:30 +0200
Subject: [PATCH] Extend range of supported ssh algorithms

Update to the latest version of golang.org/x/crypto/ssh to add support of latest algorithms. At the same time use ssh.InsecureAlgorithms to support both ancient Ubuntu 14.04-era systems and daily Gentoo systems equally.

Signed-off-by: Zygmunt Krynicki
---
 go.mod | 10 +++++-----
 go.sum | 30 ++++++++++-------------------
 spread/client.go | 30 ++++++++++++++++++++++++++----
 spread/openstack.go | 15 +++++++++++----
 4 files changed, 52 insertions(+), 33 deletions(-)

diff --git a/go.mod b/go.mod
index 92d3b231..cb4472b7 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ toolchain go1.24.3
 require (
 	github.com/go-goose/goose/v5 v5.0.0-20230421180421-abaee9096e3a
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e
-	golang.org/x/crypto v0.36.0
-	golang.org/x/net v0.38.0
+	golang.org/x/crypto v0.39.0
+	golang.org/x/net v0.41.0
 	golang.org/x/oauth2 v0.25.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637
@@ -16,13 +16,13 @@ require (
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )
 
-require golang.org/x/term v0.30.0
+require golang.org/x/term v0.32.0
 
 require (
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	github.com/juju/collections v0.0.0-20220203020748-febd7cad8a7a // indirect
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
 )
diff --git a/go.sum b/go.sum
index ee19e5a7..3364445f 100644
--- a/go.sum
+++ b/go.sum
@@ -33,28 +33,18 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
 golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term 
v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/spread/client.go b/spread/client.go
index 9615d532..b12ce407 100644
--- a/spread/client.go
+++ b/spread/client.go
@@ -35,12 +35,34 @@ type Client struct {
 	killTimeout time.Duration
 }
 
+func allAlgorithms() ssh.Algorithms {
+	algos := ssh.SupportedAlgorithms()
+	insecure := ssh.InsecureAlgorithms()
+
+	// Old systems may require old, insecure crypto, to connect.
+	// Prefer a secure algorithms by placing them earlier in the list.
+	algos.KeyExchanges = append(algos.KeyExchanges, insecure.KeyExchanges...)
+	algos.Ciphers = append(algos.Ciphers, insecure.Ciphers...)
+	algos.MACs = append(algos.MACs, insecure.MACs...)
+	algos.HostKeys = append(algos.HostKeys, insecure.HostKeys...)
+	algos.PublicKeyAuths = append(algos.PublicKeyAuths, insecure.PublicKeyAuths...)
+
+	return algos
+}
+
 func Dial(server Server, username, password string) (*Client, error) {
+	algos := allAlgorithms()
 	config := &ssh.ClientConfig{
-		User: username,
-		Auth: []ssh.AuthMethod{ssh.Password(password)},
-		Timeout: 10 * time.Second,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Config: ssh.Config{
+			KeyExchanges: algos.KeyExchanges,
+			Ciphers: algos.Ciphers,
+			MACs: algos.MACs,
+		},
+		User: username,
+		Auth: []ssh.AuthMethod{ssh.Password(password)},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyAlgorithms: algos.HostKeys,
+		Timeout: 10 * time.Second,
 	}
 	addr := server.Address()
 	if !strings.Contains(addr, ":") {
diff --git a/spread/openstack.go b/spread/openstack.go
index 97c17fca..99512095 100644
--- a/spread/openstack.go
+++ b/spread/openstack.go
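Review bot: `allAlgorithms` has no doc comment, and the two inline comments are the only place the commit records that it deliberately re-enables algorithms golang.org/x/crypto/ssh classifies as insecure; both callers on this page (`Dial` here and `waitServerBootSSH` in spread/openstack.go) feed the lists into an `ssh.ClientConfig` that also uses `ssh.InsecureIgnoreHostKey()`, so the host key is never verified and whatever a server offers from the merged list is accepted. I would add, above the function, `// allAlgorithms returns the algorithms x/crypto/ssh supports followed by the ones it classifies as insecure, so that old servers (Ubuntu 14.04-era) can still be reached; secure entries come first so a server that supports them negotiates those.` and fix the typo in the second inline comment to `// Prefer secure algorithms by placing them earlier in the list.`. `algos.PublicKeyAuths` is extended as well, but neither caller on this page reads it, so either drop that append or say in a comment that it is kept only for completeness. Appending in place is only safe if `ssh.SupportedAlgorithms()` hands back fresh slices each call, which this hunk cannot show; worth a `slices.Clone` or a comment confirming it. Dial's body continues outside the hunk.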
@@ -390,11 +390,18 @@ var openstackServerBootTimeout = 2 * time.Minute
 var openstackServerBootRetry = 5 * time.Second
 
 func (p *openstackProvider) waitServerBootSSH(ctx context.Context, s *openstackServer) error {
+	algos := allAlgorithms()
 	config := &ssh.ClientConfig{
-		User: "root",
-		Auth: []ssh.AuthMethod{ssh.Password(p.options.Password)},
-		Timeout: 10 * time.Second,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Config: ssh.Config{
+			KeyExchanges: algos.KeyExchanges,
+			Ciphers: algos.Ciphers,
+			MACs: algos.MACs,
+		},
+		User: "root",
+		Auth: []ssh.AuthMethod{ssh.Password(p.options.Password)},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyAlgorithms: algos.HostKeys,
+		Timeout: 10 * time.Second,
 	}
 	addr := s.address
 	if !strings.Contains(addr, ":") {
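Review bot: The `ssh.ClientConfig` literal built here is now a line-for-line copy of the one in `Dial` in spread/client.go, differing only in the user and password; with the algorithm lists, the host key callback and the timeout all duplicated, the two will drift the next time one of them is tightened (for example if insecure algorithms become opt-in). Since `allAlgorithms` already lives in the same package, the config construction belongs next to it as a small helper that both call sites use, and this function would shrink to `config := sshClientConfig("root", p.options.Password)`. waitServerBootSSH's body continues outside the hunk.
```go
// sshClientConfig builds the ClientConfig shared by Dial and
// waitServerBootSSH: password auth for user, the full algorithm set from
// allAlgorithms (insecure entries last), and no host key verification.
func sshClientConfig(user, password string) *ssh.ClientConfig {
	algos := allAlgorithms()
	return &ssh.ClientConfig{
		Config: ssh.Config{
			KeyExchanges: algos.KeyExchanges,
			Ciphers:      algos.Ciphers,
			MACs:         algos.MACs,
		},
		User:              user,
		Auth:              []ssh.AuthMethod{ssh.Password(password)},
		HostKeyCallback:   ssh.InsecureIgnoreHostKey(),
		HostKeyAlgorithms: algos.HostKeys,
		Timeout:           10 * time.Second,
	}
}

func (p *openstackProvider) waitServerBootSSH(ctx context.Context, s *openstackServer) error {
	config := sshClientConfig("root", p.options.Password)
	// … unchanged: address handling and dial loop …
```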