tg123/sshpiper

Public Key Auth fails with MacOS Ventura

developedsoftware opened this issue · 10 comments

https://superuser.com/questions/1749364/git-ssh-permission-denied-in-macos-13-ventura

I am using v0 of the software (v1 doesn't work for our needs at the moment).

Would you expect OpenSSL issues with Ventura?

macOS 13 (Ventura) ships with OpenSSH_9.0p1. According to the OpenSSH release notes:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

Is there any way of fixing it? I assume it's something to do with the key exchange (man in the middle).

The same key under Ventura seems to work on other servers (linux out of the box). But it fails on sshpiper.

tg123 commented

sshpiper supports ed25519.
You can set it with -i.

I will make sshpiper default key to ed25519

I am running it from a docker container. So do I just need to change

CMD ["/sshpiperd" "daemon"] to CMD ["/sshpiperd" "-i" "daemon"]

Or can I enable ed25519 via /etc/ssh/sshd_config?

This is the image we are currently using https://hub.docker.com/layers/farmer1992/sshpiperd/v0.7.42/images/sha256-820ac13d806c89f77e17978c797b20058dc455eeb60cd3486e689929c1824819?context=explore

tg123 commented

sshpiperd -i /path/to/ssh_host_ed25519_key

Thanks, can you confirm this will work in v0.7.42? (I appreciate it's 6 months old.)

Can the path to the ed25519_key be set in the sshd_config like every other parameter?

tg123 commented

You do not have to change anything in sshd, as it is behind the sshpiper.
ssh will not know what algo sshd is using.

Ok I think I might be getting confused in that case.

Is the issue with the key on the sshpiper service or on the client?

Apologies if I am getting confused. I am not sure how I’d fix this via a docker container…

tg123 commented

the sshpiper by default is using rsa which is deprecated in newer openssh client (>8.6 maybe)

Thanks. For anybody else, I got this working again in Docker by changing

-v /etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key

to

-v /etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_dsa_key:ro \
-v /etc/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key:ro \
-v /etc/ssh/ssh_host_ecdsa_key:/etc/ssh/ssh_host_ecdsa_key:ro \
-v /etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro \

And SSHPiper started working again.

Do you want me to close this issue or keep it open until the fix is implemented?

tg123 commented

Thanks.
I will close it after defaulting to ed25519.
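
The question raised in the thread, whether the failing key is the proxy's host key or the client's own key, can be read from the client's `ssh -v` output. The following is an added example, not code from this thread or from the sshpiper project: it classifies a verbose client log by the two OpenSSH messages that distinguish the cases. The log excerpts, host name, paths and the `diagnose` helper are constructed for illustration.

```python
import re

# Constructed `ssh -v` excerpts (host, paths and fingerprints are placeholders).
HOSTKEY_LOG = """\
debug1: Connecting to piper.example.test [192.0.2.10] port 2222.
debug1: Local version string SSH-2.0-OpenSSH_9.0
Unable to negotiate with 192.0.2.10 port 2222: no matching host key type found. Their offer: ssh-rsa
"""
USERKEY_LOG = """\
debug1: kex: host key algorithm: ssh-ed25519
debug1: Offering public key: /Users/dev/.ssh/id_rsa RSA SHA256:PLACEHOLDER
debug1: send_pubkey_test: no mutual signature algorithm
dev@piper.example.test: Permission denied (publickey).
"""
OK_LOG = """\
debug1: kex: host key algorithm: ssh-ed25519
debug1: Offering public key: /Users/dev/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER
debug1: Server accepts key: /Users/dev/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER
"""

NO_HOSTKEY = re.compile(r"no matching host key type found\. Their offer: (\S+)")
NEGOTIATED = re.compile(r"kex: host key algorithm: (\S+)")
NO_MUTUAL_SIG = re.compile(r"no mutual signature algorithm")
OFFERED = re.compile(r"Offering public key: (\S+) (\S+)")


def diagnose(log):
    """Return (side, detail) naming which end of the connection needs another key.

    side is "server-host-key" (the server only offers a host key algorithm the
    client refuses), "client-user-key" (the client will not sign with the
    offered user key) or "none"; detail is the algorithm or key type involved.
    """
    offered = None
    for line in log.splitlines():
        m = NO_HOSTKEY.search(line)
        if m:
            return ("server-host-key", m.group(1))
        m = OFFERED.search(line)
        if m:
            offered = m.group(2)  # key type of the most recently offered key
        if NO_MUTUAL_SIG.search(line):
            return ("client-user-key", offered or "unknown")
    m = NEGOTIATED.search(log)
    return ("none", m.group(1) if m else "unknown")
```

A "server-host-key" result points at the key passed to sshpiperd with -i; a "client-user-key" result points at the user's own key pair or at the signature algorithms the server accepts for it.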