OpenSSH Compatibility with Teleport #10239

Open
gwellington opened this issue Feb 9, 2022 · 7 comments
Labels
bug OpenSSH For customers using Teleport and OpenSSH server-access

Comments

@gwellington

Description

What happened:
When using OpenSSH (OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021), SSH fails to proxy via the Teleport proxy server with the following error:

UpdateHostkeys is disabled because the host key is not trusted.
[email protected]: Permission denied (publickey).

When using a non-OpenSSL/older version (OpenSSH_8.1p1, LibreSSL 2.7.3) of SSH, everything connects fine.

What you expected to happen:
Teleport to support multiple versions of OpenSSH.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

  1. brew install openssh
  2. ssh -o "ProxyCommand ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:%h:%p" -i ssh-key user@address
  3. Receive error

Server Details

  • Teleport version (run teleport version): 7.3.13
  • Server OS (e.g. from /etc/os-release): CentOS 7
  • Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): AWS
  • Additional details:

Client Details

  • Tsh version (tsh version): Teleport v7.1.0 git:v7.1.0-0-gb52a7d89f go1.16.2
  • Computer OS (e.g. Linux, macOS, Windows): Mac
  • Browser version (for UI-related issues):
  • Installed via (e.g. apt, yum, brew, website download): website download
  • Additional details:

Debug Logs

Please include or attach debug logs, when appropriate. Obfuscate sensitive information!

  • Start Teleport with --debug flag (teleport --debug)
  • Run tsh with --debug flag (tsh --debug)
 gwellington  ~  ssh -vvv -o "ProxyCommand ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:%h:%p" -i ~/Downloads/key user@address
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /Users/gwellington/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 0.0.0.0 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/gwellington/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/gwellington/.ssh/known_hosts2'
debug1: Executing proxy command: exec ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:1.1.1.1:22
debug1: identity file /Users/gwellington/Downloads/key type 0
debug1: identity file /Users/gwellington/Downloads/key type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:merp.
Please contact your system administrator.
Add correct host key in /Users/gwellington/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/gwellington/.ssh/known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
UpdateHostkeys is disabled because the host key is not trusted.
[email protected]: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
@gwellington gwellington added the bug label Feb 9, 2022
@stevenGravy stevenGravy added the OpenSSH For customers using Teleport and OpenSSH label Feb 9, 2022
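An added triage helper, not from the Teleport project or the issue author. It assumes, from the OpenSSH 8.8 release notes, that 8.8 is the first release to disable the SHA-1 "ssh-rsa" signature scheme by default (the usual reason an RSA-based publickey login that works on 8.1 fails on 8.8), and it scans a captured `ssh -vvv` log for the three symptoms reported above:

```shell
#!/bin/sh
# Added triage helper (not from the Teleport project or the issue author).
# Assumption, from the OpenSSH 8.8 release notes: 8.8 is the first release that
# disables the SHA-1 "ssh-rsa" signature scheme by default.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) when the banner is OpenSSH 8.8 or newer, 2 if it does not parse.
sha1_rsa_disabled_by_default() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 8 ]; }
}

# Classify a captured `ssh -vvv` log: prints one token per finding, in log order.
classify_ssh_log() {
    printf '%s\n' "$1" | awk '
        /REMOTE HOST IDENTIFICATION HAS CHANGED/ { print "hostkey-changed" }
        /UpdateHostkeys is disabled because the host key is not trusted/ { print "hostkey-untrusted" }
        /Permission denied \(publickey\)/ { print "publickey-denied" }
    '
}

# Constructed sample: the lines of interest from the debug log in this issue.
SAMPLE_LOG='OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Local version string SSH-2.0-OpenSSH_8.8
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
UpdateHostkeys is disabled because the host key is not trusted.
user@address: Permission denied (publickey).'

# Summarise one log: client version, whether ssh-rsa SHA-1 is off by default, findings.
triage() {
    banner=$(printf '%s\n' "$1" | head -n 1)
    findings=$(classify_ssh_log "$1" | tr '\n' ' ')
    if sha1_rsa_disabled_by_default "$banner"; then
        echo "client $(openssh_version "$banner"): ssh-rsa SHA-1 off by default; findings: $findings"
    else
        echo "client $(openssh_version "$banner"): pre-8.8 defaults; findings: $findings"
    fi
}

triage "$SAMPLE_LOG"
```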
@marcoandredinis
Contributor

There's a workaround for this:
we can either add the flag [email protected] to the ssh command or to its config as described here: #10918

@zmb3
Collaborator

zmb3 commented Feb 19, 2023

@jakule is this still an issue?

@jakule
Contributor

jakule commented Feb 19, 2023

@jakule is this still an issue?

I'll retest on Tuesday and let you know.

@zmb3
Collaborator

zmb3 commented Apr 7, 2023

Tested today and appears to still be an issue.

@jakule
Contributor

jakule commented Apr 10, 2023

CC @r0mant

@jakule
Contributor

jakule commented Apr 10, 2023

@zmb3 Can you share more details about the environment you were testing "today"?

@fghamsary

Compatibility with the newer type of certificates should be implemented if it has not been already, and if it has, please point out clearly in the documentation how we can change the server or client configuration to use the newer version of certificates instead of the obsolete RSA-CERT.
