"userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms"
vitobotta opened this issue · 12 comments
Hi! I built a tool to create Kubernetes clusters in Hetzner Cloud (https://github.com/vitobotta/hetzner-k3s) and I use your library to interact with servers :)
Some users are having problems with some SSH keys, and I tracked it down to Ubuntu 22.04 refusing some keys with old crypto, and I see these lines in /var/log/auth.log:
Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
The weird thing is that if I use the same SSH keys with the regular SSH client for example on Mac, I can SSH into the servers without any issue. But with the Crystal app using this library I cannot SSH into the servers because of that error.
Is there a workaround or does the library need to be updated somehow? Thanks!
Looks like this library still uses SHA-1, which is now deprecated.
Line 204 in e2df13c
Thanks for letting me know, I'll look into it
Awesome, thanks! I bet that many tools will break because of the SHA1 deprecation :)
yeah saw a bunch of similar issues in go projects
I've made a pull request #17 that should fix the issue
are you able to test with your project?
The docker image I had for testing has been removed from docker-hub and I'm still looking for the Dockerfile
Hi @stakach I am still new to Crystal in general. How do I test with the code in your PR? Can I specify it somehow in the shards file?
yeah, you can specify a branch in the shards yml
something like
ssh2.cr:
  github: spider-gazelle/ssh2.cr
  branch: upgrade-default-hash-alg
Hi! I just tried and I still get "userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms" in the server's logs. With the regular SSH client I can log in with the same key. I actually tried basically the same change you made in a fork before, so same result. Any idea of what else might need to be updated?
For the time being, to unblock users of my tool, I am going to add PubkeyAcceptedKeyTypes=+ssh-rsa to the SSH config for the servers it creates, which seems to work as a temporary workaround.
Hi @stakach I am trying again. Just to make sure I am not missing anything, is it enough to add the branch to shards.yaml and run "shards update", or do I need to do something else? Thanks
Yeah I think so, can have a look at the files and make sure the changes in the branch are present
Hi, sorry for the late reply. I tried but it didn't help unfortunately. What could be the problem? I am not familiar enough with how keys work, etc.
@stakach I'm still getting this same issue: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Update: I was able to fix my problems by updating the SSH configuration on the server I was trying to SSH into with this Crystal library:
If you are trying to execute remote SSH commands and see
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
in your logs, try this:
Edit: /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Add the following line:
PubkeyAcceptedAlgorithms +ssh-rsa
Restart the ssh service:
sudo service ssh restart
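To see which clients are hitting this rejection, the auth.log lines quoted in this thread can be summarised per connection. This is an added example, not code from the thread or from ssh2.cr; the sample log is constructed, and it assumes a later line from the same sshd process (matched by PID) names the user and address, since the userauth_pubkey line itself does not.

```shell
#!/bin/sh
# Added example: summarise sshd rejections of SHA-1 RSA ("ssh-rsa") pubkey auth.
# The userauth_pubkey line has no client address, so join it by sshd PID with
# a later line from the same process that names the user and address.

# Constructed sample in the auth.log format quoted in the issue; addresses are
# documentation-range placeholders and the fingerprint is a dummy value.
sample_log() {
cat <<'EOF'
Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: Connection closed by authenticating user root 203.0.113.5 port 51234 [preauth]
Jan 11 21:12:40 test-cpx11-master1 sshd[2301]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Jan 11 21:15:02 test-cpx11-master1 sshd[2310]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 11 21:15:02 test-cpx11-master1 sshd[2310]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 11 21:15:03 test-cpx11-master1 sshd[2310]: Connection closed by authenticating user deploy 203.0.113.9 port 40110 [preauth]
Jan 11 21:20:00 test-cpx11-master1 sshd[2400]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
EOF
}

# Reads auth.log text on stdin; prints "<count> <reason> <user>@<addr>" per sshd PID.
ssh_rsa_rejections() {
  awk '
    # Pull the PID out of "sshd[1234]:" (5 chars before the digits, 2 after).
    { pid = ""; if (match($0, /sshd\[[0-9]+\]:/)) pid = substr($0, RSTART + 5, RLENGTH - 7) }
    / userauth_pubkey: (key type|signature algorithm) ssh-rsa not in PubkeyAcceptedAlgorithms/ {
      count[pid]++
      reason[pid] = ($0 ~ /key type/) ? "key-type" : "signature-algorithm"
      if (!(pid in peer)) peer[pid] = "unknown"   # no address line seen yet
      next
    }
    # Address-bearing line from a process that already logged a rejection.
    / authenticating user / && (pid in count) {
      for (i = 1; i <= NF; i++) if ($i == "user") peer[pid] = $(i + 1) "@" $(i + 2)
    }
    END { for (p in count) print count[p], reason[p], peer[p] }
  ' | LC_ALL=C sort -k3
}

sample_log | ssh_rsa_rejections
```

On a real host, feed it the log instead of the sample: `ssh_rsa_rejections < /var/log/auth.log`. The "key-type" and "signature-algorithm" labels correspond to the two message variants that appear in this thread.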