itiligent/Easy-Guacamole-Installer

Guac SSH key auth fails on Debian 11 & Raspbian Bullseye (libssh2-1-dev issue)

Closed this issue · 8 comments

Recent updates of Debian 11 and Raspbian Bullseye both exhibit the same broken behaviour (as at mid July 2023).

Answering my own question for future reference and hopefully to save others future pain:

Issue:
Guac SSH connections with password auth all work fine, but Guac SSH key auth fails regardless of newer or legacy RSA/OPENSSH key format, despite:

  • a: HostKeyAlgorithms +ssh-rsa and PubkeyAcceptedKeyTypes +ssh-rsa being added to /etc/ssh/sshd_config
  • b: PuTTY/OpenSSH client connections made outside of Guacamole working fine with the same RSA SSH keys

Logs may show the errors below (but these mislead, as they relate to SSH key format or algorithm issues, which is not the case):

See the auth log:
tail -f /var/log/auth.log

Unable to extract public key from private key
no matching host key type found. Their offer: ssh-rsa,ssh-dss

See guacd in debug mode:
sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f

SSH handshake failed

Conclusion & fix:
The current stable version of libssh2-1-dev (1.9.0-2) seems to break RSA SSH key auth. Switching to the Debian Testing repo and running sudo apt update && sudo apt-get install --only-upgrade libssh2-1-dev incremented libssh2-1-dev to 1.11.0-2, and this fixed all issues.

I also tested a set of EdDSA keys with this new libssh2 version under Guacamole. Both RSA (and EdDSA!) keys now work fine.

The current Ubuntu 22.x does not exhibit this problem, as it currently uses a newer stable version (1.10.0-3).

Solved my own question above. Closing.

Dear @itiligent,
I can't seem to use your fix of using the Debian 11 testing repo to upgrade libssh2-1.
Currently, I have to mark these packages on hold or it breaks the SSH RSA authentication for a running Guacamole.
Can you share how to do it, please?
Best regards.
Ben.

Not a lot of background info to go on there. (Guacamole debug log and syslog are your friends!)
Can you authenticate with an RSA key via PuTTY outside of Guacamole? Best to confirm SSH is working first.
What version of Guac?
Have you successfully added the testing repo, and can you upgrade other packages from there?
Have you added the correct lines in sshd_config?
What do the logs show when you try to connect?

Have you tried recreating your Guacamole connection object in the console (this can fix a lot of issues)?
Another option is to migrate away from RSA and go to something less deprecated like EdDSA (elliptic curves), as from memory RSA is not supported by default in later Debian variants.

Dear @itiligent,
I have Guacamole 1.5.4 running on Debian 11 and working just fine with RSA keys.
When I'm updating the server, it proposes:
libssh2-1-dev/oldstable 1.9.0-2+deb11u1 amd64
libssh2-1/oldstable 1.9.0-2+deb11u1 amd64
If I upgrade these, my RSA keys do not work anymore.
I put Guacamole in debug mode and it says "SSH handshake failed" (that's how I found your page, by looking it up on Google).

Then I added the testing repo and used apt update && apt install --only-upgrade libssh2-1-dev, but I think it installs from main (should I remove main while adding the testing repo?).

Best regards.

First, restore the default Bullseye sources list. It looks like this:

deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye main contrib non-free

deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free

deb http://security.debian.org/ bullseye/updates main contrib non-free
deb-src http://security.debian.org/ bullseye/updates main contrib non-free

The steps I used to fix this last year were:

sudo apt update && sudo apt upgrade -y
sudo cp /etc/apt/sources.list sources.list.backup # Backup the default sources list 
sudo sed -i 's/bullseye/testing/g' /etc/apt/sources.list # Switch repo references from bullseye to testing

# Now manually edit:
sudo nano /etc/apt/sources.list
# comment out all lines containing "security.debian.org"
# comment out all lines containing "updates"
# add this line: deb http://security.debian.org testing-security main
sudo apt update && sudo apt-get install --only-upgrade libssh2-1-dev # update an individual package

Test to make sure SSH works.
Now put your default sources list back.
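As an added example (not from this thread or the Easy-Guacamole-Installer project), the sources.list rewrite from the steps above as a POSIX shell function that can be dry-run on a constructed sample list, plus a check of the installed libssh2 version against 1.10, the lowest version the thread reports as working; the sample list, the 1.10 cutoff, and the apply_fix helper (which backs up and restores the stable list around the single-package upgrade) are assumptions:

```shell
#!/bin/sh
# Added example, not from the issue thread or the Easy-Guacamole-Installer project.
# Rewrites a Bullseye sources list to the temporary "testing" form described in
# the comment above, checks the installed libssh2 version, and only touches the
# system when run as root with --apply. The sample list, the 1.10 threshold and
# the apply_fix helper are assumptions made for this example.
set -eu

# Constructed Bullseye sources list matching the layout quoted in the comment.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye main contrib non-free

deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free

deb http://security.debian.org/ bullseye/updates main contrib non-free
deb-src http://security.debian.org/ bullseye/updates main contrib non-free
EOF
}

# Read a Bullseye sources list on stdin, print the temporary testing list:
# bullseye -> testing, security.debian.org and -updates lines commented out,
# and the testing-security line appended.
make_testing_sources() {
    sed -e 's/bullseye/testing/g' \
        -e '/security\.debian\.org/s/^/# /' \
        -e '/-updates/s/^/# /'
    echo 'deb http://security.debian.org testing-security main'
}

# Return 0 when a Debian libssh2 version string such as "1.9.0-2+deb11u1" is
# 1.10 or newer. The thread reports 1.9.0 broken and 1.10.0/1.11.0 working,
# so 1.10 is assumed as the cutoff. A leading epoch ("1:") is stripped.
libssh2_is_fixed() {
    v=${1#*:}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 10 ]; then return 0; fi
    return 1
}

# Installed libssh2-1 version from dpkg, or "none" when it cannot be read.
installed_libssh2_version() {
    dpkg-query -W -f='${Version}' libssh2-1 2>/dev/null || echo none
}

# The full procedure: back up sources.list, switch to the testing list, upgrade
# only libssh2-1-dev, then restore the stable list whether or not apt succeeded
# (the dependency errors reported later in the thread would land in the failure
# branch here, leaving the stable list in place).
apply_fix() {
    list=/etc/apt/sources.list
    cp "$list" "$list.backup"
    make_testing_sources < "$list.backup" > "$list"
    if ! (apt-get update && apt-get install --only-upgrade libssh2-1-dev); then
        mv -f "$list.backup" "$list"
        echo "apt failed; stable sources list restored" >&2
        return 1
    fi
    ver=$(installed_libssh2_version)
    mv -f "$list.backup" "$list"
    apt-get update
    if libssh2_is_fixed "$ver"; then
        echo "libssh2-1 $ver installed; restart guacd and retest key auth"
    else
        echo "libssh2-1 is still $ver; the upgrade did not take" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
else
    # Dry run: show what the rewritten list would look like for the sample.
    sample_sources | make_testing_sources
fi
```

Without arguments the script only prints the rewritten sample list, so it can be inspected before anything is changed; run it as root with --apply to perform the upgrade, and note that it restores the stable list at the end rather than leaving the system tracking testing.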

libc6 : Breaks: chrony (< 4.2-3~) but 4.0-8+deb11u2 is to be installed
libc6-dev : Break: libglib2.0-dev (<= 2.72.3-1) but 2.66.8-1+deb11u4 is to be installed
E: Error, pkgProblem::Resolve

I tried apt --fix-broken install; it does not repair the problem.
I had to apt purge chrony and libglib, then install libssh2, restore the original sources.list and reinstall the purged packages.

libssh2 is now up to date:
root@srvguacamole:~# apt show libssh2-1*
Package: libssh2-1
Version: 1.9.0-2+deb11u1

And Guacamole is still working!
Thanks a lot for your assistance <3

I'm glad you got it working.
To be clear, did the steps I gave you work?
If not, for the benefit of others, please share the steps you took. Also, I want to understand why you had to purge the other packages.

The steps you gave did the job; like I said, I just had to purge the two packages, else it won't install (see the errors that say it breaks other packages, so it stops the installer).
Maybe I should have tried apt install -f --only-upgrade libssh2-1-dev.
I chose to purge the two packages (chrony and libglib2.0-dev), then install libssh2-1-dev and finally reinstall the purged packages after restoring the correct sources.list.