Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Server doesn't accept RSA SHA-2 keys. #77

Closed
thepixelmonk opened this issue Mar 16, 2022 · 23 comments
Closed

Server doesn't accept RSA SHA-2 keys. #77

thepixelmonk opened this issue Mar 16, 2022 · 23 comments
Labels
bug Something isn't working

Comments

@thepixelmonk
Copy link

I'm getting a permission denied error even though I have a public key generated. Any ideas?

λ ssh [email protected]
[email protected]: Permission denied (publickey).

λ ls ~/.ssh
id_rsa  id_rsa.pub  known_hosts  known_hosts.old
@Arkaeriit
Copy link
Collaborator

This is mentioned in the Readme, you should use the command ssh-keygen to get a public key and be able to log in.

Alternatively, you can log to the port 443 which doesn't require a public key.

@thepixelmonk
Copy link
Author

thepixelmonk commented Mar 16, 2022
edited
Loading

This is mentioned in the Readme, you should use the command ssh-keygen to get a public key and be able to log in.

I already have a public key though. Am I missing something?

@thepixelmonk
Copy link
Author

Found a hacker news post which I think is relevant. It just doesn't like RSA. https://news.ycombinator.com/item?id=30690988

@quackduck
Copy link
Owner

quackduck commented Mar 19, 2022
edited
Loading

Yeah this is a known issue with some crypto libs: see golang/crypto#197, gliderlabs/ssh#145 & charmbracelet/soft-serve#48

@quackduck
Copy link
Owner

This problem hasn't been solved, reopening.

@quackduck quackduck reopened this Mar 22, 2022
@quackduck quackduck changed the title Unable to login Server doesn't accept RSA 2 keys. Mar 22, 2022
@quackduck quackduck changed the title Server doesn't accept RSA 2 keys. Server doesn't accept RSA SHA-2 keys. Mar 22, 2022
@quackduck quackduck mentioned this issue Mar 22, 2022
Closed
@kuquay
Copy link

kuquay commented Mar 23, 2022

Not sure if this is a related error, but I've also been unable to log on to the server, although only recently, as of the beginning of this week. My error is Unable to negotiate with 150.136.142.44 port 22: no matching host key type found. Their offer: ssh-rsa
Generating new keys of both RSA and ED25519 variety does not work, as the server does not offer a (working) host key.

@quackduck
Copy link
Owner

Did you get the same error as @thepixelmonk before this week? I wonder if simply changing the server’s ssh key would fix this.

@kuquay
Copy link

kuquay commented Mar 23, 2022
edited
Loading

@quackduck I got no errors before this week.
If you want to try changing the server's key, try it! Also you should post the fingerprint alongside the other server information.

@quackduck
Copy link
Owner

quackduck commented Mar 23, 2022
edited
Loading

changing the server key will have all old user clients complaining about a possible man in the middle attack lol

I could try and set up another instance with a new host key...

@kuquay
Copy link

kuquay commented Mar 23, 2022

@quackduck If no one can reproduce the issue, it's probably not worth it, I don't want to cause all those issues just because I maybe have something on my end.

@quackduck
Copy link
Owner

No this is a legitimate issue a lot of people face: I have to tell them to use port 443.

We're mostly waiting on the libs here to add support: #77 (comment)

@kuquay
Copy link

kuquay commented Mar 23, 2022
edited
Loading

For the record, I fixed it by restarting. The RSA SHA-2 issue is unrelated.
I should add that when I had that issue, Port 443 did not work.
EDIT: Client simply was not accepting the host's ssh-rsa key. In hindsight, it was pretty obvious based on the error message, but was missed due to a typo. This does mean that the server should be sending SHA-2 RSA host keys, however.

@quackduck
Copy link
Owner

Hey @thepixelmonk could you run ssh -v devzat.hackclub.com and let me know what it says?

@thepixelmonk
Copy link
Author 

λ ssh -v devzat.hackclub.com
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to devzat.hackclub.com [150.136.142.44] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Chris/.ssh/id_rsa type 0
debug1: identity file /c/Users/Chris/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_dsa type -1
debug1: identity file /c/Users/Chris/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/Chris/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_ecdsa_sk type -1
debug1: identity file /c/Users/Chris/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_ed25519 type 3
debug1: identity file /c/Users/Chris/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_ed25519_sk type -1
debug1: identity file /c/Users/Chris/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /c/Users/Chris/.ssh/id_xmss type -1
debug1: identity file /c/Users/Chris/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to devzat.hackclub.com:22 as 'Chris'
debug1: load_hostkeys: fopen /c/Users/Chris/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 150.136.142.44 port 22: no matching host key type found. Their offer: ssh-rsa

~/.ssh
λ ls
id_ed25519  id_ed25519.pub  id_rsa  id_rsa.pub  known_hosts  known_hosts.old

@quackduck
Copy link
Owner

For comparison, this is mine:

[~]  ssh -v devzat.hackclub.com
OpenSSH_8.6p1, LibreSSL 2.8.3
debug1: Reading configuration data /Users/ishan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to devzat.hackclub.com port 22.
debug1: Connection established.
debug1: identity file /Users/ishan/.ssh/id_rsa type 0
debug1: identity file /Users/ishan/.ssh/id_rsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_dsa type -1
debug1: identity file /Users/ishan/.ssh/id_dsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519 type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_xmss type -1
debug1: identity file /Users/ishan/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to devzat.hackclub.com:22 as 'ishan'
debug1: load_hostkeys: fopen /Users/ishan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-rsa

@quackduck
Copy link
Owner

After updating openssh I get the same issue:

OpenSSH_8.9p1, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /Users/ishan/.ssh/config
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to devzat.hackclub.com [150.136.142.44] port 22.
debug1: Connection established.
debug1: identity file /Users/ishan/.ssh/id_rsa type 0
debug1: identity file /Users/ishan/.ssh/id_rsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519 type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_xmss type -1
debug1: identity file /Users/ishan/.ssh/id_xmss-cert type -1
debug1: identity file /Users/ishan/.ssh/id_dsa type -1
debug1: identity file /Users/ishan/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to devzat.hackclub.com:22 as 'ishan'
debug1: load_hostkeys: fopen /Users/ishan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 150.136.142.44 port 22: no matching host key type found. Their offer: ssh-rsa

@quackduck
Copy link
Owner

We could solve this by using a third-party fork of x/crypto but that isn't optimal:

https://github.com/replicatedhq/kots/pull/2613/files

@quackduck
Copy link
Owner

Okay here's a tracking issue for this problem: golang/go#49952

@quackduck
Copy link
Owner

quackduck commented Mar 29, 2022
edited
Loading

I updated some dependencies and the verbose messages have now changed. It appears it goes a bit further this time:

OpenSSH_8.9p1, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /Users/ishan/.ssh/config
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to devzat.hackclub.com [150.136.142.44] port 22.
debug1: Connection established.
debug1: identity file /Users/ishan/.ssh/id_rsa type 0
debug1: identity file /Users/ishan/.ssh/id_rsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519 type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/ishan/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/ishan/.ssh/id_xmss type -1
debug1: identity file /Users/ishan/.ssh/id_xmss-cert type -1
debug1: identity file /Users/ishan/.ssh/id_dsa type -1
debug1: identity file /Users/ishan/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to devzat.hackclub.com:22 as 'ishan'
debug1: load_hostkeys: fopen /Users/ishan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:0NFbqn9ACSQBVVjvqcVsGl0vtVUq9n//nJgEwB25UFk
debug1: load_hostkeys: fopen /Users/ishan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'devzat.hackclub.com' is known and matches the RSA host key.
debug1: Found key in /Users/ishan/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/ishan/.ssh/id_rsa RSA SHA256:/30Vhs3sufvZ/NTJVIUiSTwpFyvDEh10bIOyiZO9cj4
debug1: Will attempt key: /Users/ishan/.ssh/id_ecdsa
debug1: Will attempt key: /Users/ishan/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/ishan/.ssh/id_ed25519
debug1: Will attempt key: /Users/ishan/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/ishan/.ssh/id_xmss
debug1: Will attempt key: /Users/ishan/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/ishan/.ssh/id_rsa RSA SHA256:/30Vhs3sufvZ/NTJVIUiSTwpFyvDEh10bIOyiZO9cj4
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/ishan/.ssh/id_ecdsa
debug1: Trying private key: /Users/ishan/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/ishan/.ssh/id_ed25519
debug1: Trying private key: /Users/ishan/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/ishan/.ssh/id_xmss
debug1: Trying private key: /Users/ishan/.ssh/id_dsa
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

Diff:

29,31c29,66
< debug1: kex: algorithm: [email protected]
< debug1: kex: host key algorithm: (no match)
< Unable to negotiate with 150.136.142.44 port 22: no matching host key type found. Their offer: ssh-rsa
---
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: rsa-sha2-512
> debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
> debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: SSH2_MSG_KEX_ECDH_REPLY received
> debug1: Server host key: ssh-rsa SHA256:0NFbqn9ACSQBVVjvqcVsGl0vtVUq9n//nJgEwB25UFk
> debug1: load_hostkeys: fopen /Users/ishan/.ssh/known_hosts2: No such file or directory
> debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts: No such file or directory
> debug1: load_hostkeys: fopen /opt/homebrew/etc/ssh/ssh_known_hosts2: No such file or directory
> debug1: Host 'devzat.hackclub.com' is known and matches the RSA host key.
> debug1: Found key in /Users/ishan/.ssh/known_hosts:1
> debug1: rekey out after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: rekey in after 134217728 blocks
> debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
> debug1: Will attempt key: /Users/ishan/.ssh/id_rsa RSA SHA256:/30Vhs3sufvZ/NTJVIUiSTwpFyvDEh10bIOyiZO9cj4
> debug1: Will attempt key: /Users/ishan/.ssh/id_ecdsa
> debug1: Will attempt key: /Users/ishan/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /Users/ishan/.ssh/id_ed25519
> debug1: Will attempt key: /Users/ishan/.ssh/id_ed25519_sk
> debug1: Will attempt key: /Users/ishan/.ssh/id_xmss
> debug1: Will attempt key: /Users/ishan/.ssh/id_dsa
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /Users/ishan/.ssh/id_rsa RSA SHA256:/30Vhs3sufvZ/NTJVIUiSTwpFyvDEh10bIOyiZO9cj4
> debug1: send_pubkey_test: no mutual signature algorithm
> debug1: Trying private key: /Users/ishan/.ssh/id_ecdsa
> debug1: Trying private key: /Users/ishan/.ssh/id_ecdsa_sk
> debug1: Trying private key: /Users/ishan/.ssh/id_ed25519
> debug1: Trying private key: /Users/ishan/.ssh/id_ed25519_sk
> debug1: Trying private key: /Users/ishan/.ssh/id_xmss
> debug1: Trying private key: /Users/ishan/.ssh/id_dsa
> debug1: No more authentication methods to try.
> [email protected]: Permission denied (publickey).

This looks like a result of golang/crypto@3147a52

@quackduck quackduck added the bug Something isn't working label Apr 28, 2022
@quackduck
Copy link
Owner

Fixed in 486eb4e by switching to a fork of https://github.com/golang/crypto: https://github.com/cli/crypto

🎉

@quackduck
Copy link
Owner

Okay nvm that was a bit premature; I tested the fix wrong.

@quackduck quackduck reopened this May 3, 2022
@quackduck
Copy link
Owner

OKAY ACTUALLY FIXED NOW IN 93dfd63 🎉

@Arkaeriit
Copy link
Collaborator

Yay!

@quackduck quackduck mentioned this issue Jul 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@thepixelmonk @quackduck @Arkaeriit @kuquay