signmykeyio/signmykey

Problem while trying to authenticate to Ubuntu 20.04

HammerZ3it opened this issue · 5 comments

As mentioned in the title, there is a problem when we try to authenticate to any OpenSSH server on an Ubuntu 20.04 release.
This is due to OpenSSH 8.2, which does not support the SHA-1 based RSA certificate signature algorithm anymore, as it is no longer considered secure.

Logs:
userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]

There is currently a workaround:
Add this to your sshd_config on the server side:
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

It is something I will not personally do: if it is disabled by default, I'd rather follow the recommendation.

https://man.openbsd.org/sshd_config#CASignatureAlgorithms

The thing is that it is not necessary to generate a new CA.
We only need to generate a new certificate with the -t option of the ssh-keygen command.
ssh-keygen ... -t rsa-sha2-256 id_rsa.pub

This will likely resolve this issue, but it seems it does not have backwards compatibility:
sha2 is not available on all OpenSSH server versions.

Regards,
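To check which CA signature algorithm a certificate actually carries before rolling it out to an OpenSSH 8.2 host, here is an added example that is not part of this issue or of signmykey: it parses the OpenSSH certificate wire format and flags SHA-1 based CA signatures. The certificate it builds (constructed_cert) is constructed with dummy key material and a dummy signature, so it exercises the parser but would never verify; all function names are my own.

```python
import base64, struct

# Public-key fields between the nonce and the serial (OpenSSH PROTOCOL.certkeys).
_PUBKEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, Q
}
# SHA-1 based CA signature algorithms that OpenSSH 8.2 rejects by default.
SHA1_CA_ALGS = {"ssh-rsa", "ssh-dss"}

def _s(data):  # encode an SSH "string" (uint32 length + bytes)
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):  # decode an SSH "string" at offset off
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_signature_algorithm(cert_line):
    """Return (cert type, key id, CA signature algorithm) of a *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    ctype, off = _read_string(blob, 0)
    ctype = ctype.decode()
    _, off = _read_string(blob, off)                  # nonce
    for _ in range(_PUBKEY_FIELDS[ctype]):            # public key fields
        _, off = _read_string(blob, off)
    off += 8 + 4                                      # serial (uint64), type (uint32)
    key_id, off = _read_string(blob, off)
    _, off = _read_string(blob, off)                  # valid principals
    off += 8 + 8                                      # valid after / valid before
    for _ in range(3):                                # critical options, extensions, reserved
        _, off = _read_string(blob, off)
    _, off = _read_string(blob, off)                  # signature key (the CA public key)
    sig, _ = _read_string(blob, off)                  # signature = string alg, string blob
    sig_alg, _ = _read_string(sig, 0)
    return ctype, key_id.decode(), sig_alg.decode()

def rejected_by_openssh_82(cert_line):
    """True when the CA signed with an algorithm OpenSSH 8.2 refuses by default."""
    return cert_signature_algorithm(cert_line)[2] in SHA1_CA_ALGS

def constructed_cert(sig_alg, key_id="alice"):
    """Constructed ssh-rsa certificate: dummy key material, dummy signature, parser-only."""
    dummy_e, dummy_n = b"\x01\x00\x01", b"\x00" + b"\x7f" * 256
    ctype = b"ssh-rsa-cert-v01@openssh.com"
    body = (_s(ctype) + _s(b"\x00" * 32) + _s(dummy_e) + _s(dummy_n)
            + struct.pack(">QI", 1, 1) + _s(key_id.encode()) + _s(_s(b"alice"))
            + struct.pack(">QQ", 0, 2 ** 32) + _s(b"") + _s(_s(b"permit-pty") + _s(b""))
            + _s(b"") + _s(_s(b"ssh-rsa") + _s(dummy_e) + _s(dummy_n))
            + _s(_s(sig_alg.encode()) + _s(b"\x00" * 256)))
    return f"{ctype.decode()} {base64.b64encode(body).decode()} {key_id}@example"
```

On a real certificate, pass one line of the -cert.pub file; the same algorithm name is what ssh-keygen -L reports next to the Signing CA.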

This issue should normally be corrected in Vault 1.4.3; a patch has been merged to introduce a new signing algorithm option.

see: hashicorp/vault#9096

Note that Vault 1.4.3 is not released yet.

Vault 1.4.3 is out and everything is working with the new algorithm_signer option.

However, you can't use the web UI to update the role; you need to use the command line:

echo '{
  "algorithm_signer": "rsa-sha2-256",
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allow_user_key_ids": true,
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "root",
  "max_ttl": "12h",
  "ttl": "30m"
}' > sign-user-role.json

vault write ssh/roles/sign-user-role @sign-user-role.json

Made the update to 1.4.3 and even 1.5.0, but it seems there is a problem with my setup.
I can't find the "algorithm_signer" key when I read the role:

vault read ssh/roles/sign-user-role

Will try to find the issue

Using 1.4.3, I'm able to retrieve the option using

vault read -field=algorithm_signer ssh/roles/sign-user-role

and the output is:

rsa-sha2-256

Seems that there was an issue with Consul as a backend; I had to restart the service for the field to appear.
Thanks for your help @c35sys.

Regards.

PS: Solved in 1.4.3 and 1.5.0, tested both.