[ https://issues.apache.org/jira/browse/SSHD-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Wolf resolved SSHD-1154.
-------------------------------
    Fix Version/s: 2.7.0
       Resolution: Duplicate

Closed as duplicate of SSHD-1105/SSHD-1141.

> userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> ---------------------------------------------------------------
>
>                 Key: SSHD-1154
>                 URL: https://issues.apache.org/jira/browse/SSHD-1154
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.6.0
>            Reporter: UmaShankar Avagadda
>            Priority: Blocker
>             Fix For: 2.7.0
>
>
> *Environment details:*
> *Server OS* : CentOS release 6.9 (Final)
> $ ssh -V
>
> {code:java}
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}
>
> $ sshd -T
>
> {code:java}
> port 22
> protocol 2
> addressfamily any
> listenaddress 0.0.0.0:22
> listenaddress [::]:22
> usepam yes
> serverkeybits 1024
> logingracetime 120
> keyregenerationinterval 3600
> x11displayoffset 10
> maxauthtries 6
> maxsessions 10
> clientaliveinterval 0
> clientalivecountmax 3
> permitrootlogin yes
> ignorerhosts yes
> ignoreuserknownhosts no
> rhostsrsaauthentication no
> hostbasedauthentication no
> hostbasedusesnamefrompacketonly no
> rsaauthentication yes
> pubkeyauthentication yes
> kerberosauthentication no
> kerberosorlocalpasswd yes
> kerberosticketcleanup yes
> gssapiauthentication yes
> gssapikeyexchange no
> gssapicleanupcredentials yes
> gssapistrictacceptorcheck yes
> gssapistorecredentialsonrekey no
> gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
> passwordauthentication yes
> kbdinteractiveauthentication no
> challengeresponseauthentication no
> printmotd yes
> printlastlog yes
> x11forwarding yes
> x11uselocalhost yes
> strictmodes yes
> tcpkeepalive yes
> permitemptypasswords no
> permituserenvironment no
> uselogin no
> compression delayed
> gatewayports no
> showpatchlevel no
> usedns yes
> allowtcpforwarding yes
> allowagentforwarding yes
> useprivilegeseparation yes
> kerberosusekuserok yes
> pidfile /var/run/sshd.pid
> xauthlocation /usr/bin/xauth
> ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> macs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> banner none
> authorizedkeysfile .ssh/authorized_keys
> authorizedkeysfile2 .ssh/authorized_keys2
> loglevel DEBUG
> syslogfacility AUTHPRIV
> hostkey /etc/ssh/ssh_host_rsa_key
> hostkey /etc/ssh/ssh_host_dsa_key
> acceptenv LANG
> acceptenv LC_CTYPE
> acceptenv LC_NUMERIC
> acceptenv LC_TIME
> acceptenv LC_COLLATE
> acceptenv LC_MONETARY
> acceptenv LC_MESSAGES
> acceptenv LC_PAPER
> acceptenv LC_NAME
> acceptenv LC_ADDRESS
> acceptenv LC_TELEPHONE
> acceptenv LC_MEASUREMENT
> acceptenv LC_IDENTIFICATION
> acceptenv LC_ALL
> acceptenv LANGUAGE
> acceptenv XMODIFIERS
> subsystem sftp /usr/libexec/openssh/sftp-server
> maxstartups 10:30:100
> permittunnel no
> permitopen any{code}
>
> sshd-common : 2.6.0
> sshd-core : 2.6.0
>
> I am using Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
>
> I am trying to SSH to my server (RHEL6) using APACHE-SSHD-2.6.0 with the code snippet below.
>
> {code:java}
> String send = "HOST:" + host + " " + command;
> InputStream inputStream = new ByteArrayInputStream(send.getBytes());
> SshClient client = SshClient.setUpDefaultClient();
> client.start();
> ConnectFuture cf = client.connect(username, host, port);
> try (ClientSession session = cf.verify().getSession();) {
>     session.addPublicKeyIdentity(loadKeypair(privateKey.getAbsolutePath()));
>     session.auth().verify(defaultTimeoutSeconds, TimeUnit.SECONDS);
> {code}
>
> This is working fine with RHEL8, Ubuntu14, Ubuntu16 and Ubuntu18, but not working with RHEL6 and RHEL7; I get the exception below.
>
> *unsupported public key algorithm: rsa-sha2-512* in sshd log
>
> {code:java}
> Caused by: org.apache.sshd.common.SshException: No more authentication methods available
> at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
> at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
> at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
> at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:56)
> at com.zimbra.cs.rmgmt.RemoteManager.executeRemoteCommand(RemoteManager.java:170)
> at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:147)
> ... 70 more
> Caused by: org.apache.sshd.common.SshException: No more authentication methods available
> at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:342)
> at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:277)
> at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:224)
> at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:502)
> at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
> at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
> at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
> at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
> at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
> at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
> at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
> at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
> at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
> at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
> at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
> at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
> at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
> at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> {code}
>
> {code:java}
> broken-relay2:# /usr/sbin/sshd -d
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-d'
> Set /proc/self/oom_score_adj from 0 to -1000
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from X.X.X.X port 55874
> debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
> debug1: no match: APACHE-SSHD-2.6.0
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-ctr hmac-sha2-256 none
> debug1: kex: server->client aes128-ctr hmac-sha2-256 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user zimbra service ssh-connection method none
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "zimbra"
> debug1: PAM: setting PAM_RHOST to "mail.example.com"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: userauth-request for user zimbra service ssh-connection method publickey
> debug1: attempt 1 failures 0
> userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> Connection closed by X.X.X.X
> debug1: do_cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup{code}
>
> I found 2 solutions.
>
> *Solution 1:*
> I upgraded ssh on RHEL6; it's working fine now.
>
> Before upgrade ssh version:
> $ ssh -V
> {code:java}
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}
>
> After upgrade ssh version:
> $ ssh -V
> {code:java}
> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017{code}
>
> *Solution 2:*
> I changed the order of *SignatureFactoriesNameList*; it's working fine now.
> Changed order of rsa-sha2-512, rsa-sha2-256, ssh-rsa
>
> *Actual order:*
> ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,*rsa-sha2-512,rsa-sha2-256,ssh-rsa*
>
> *Changed order:*
> ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,*ssh-rsa,rsa-sha2-512,rsa-sha2-256*
>
> {code:java}
> SshClient client = SshClient.setUpDefaultClient();
> client.setSignatureFactoriesNameList("ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256");
> {code}
>
> *Solution 1* is good but not acceptable in my case; we can't ask our customers to upgrade server/system packages to make them compatible with a Java SSH client.
>
> Please let me know whether *solution 2* is a better approach or not. If not, why, and what issues am I going to face with this change?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
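As an added illustration (not code from the issue or from MINA SSHD), the following Python models the trade-off behind the reporter's Solution 2: ssh-rsa is RSA over SHA-1 (RFC 4253) while rsa-sha2-256/512 are the SHA-2 variants (RFC 8332), and a server that sends the server-sig-algs extension (RFC 8308) tells the client what it accepts, so the SHA-1-first ordering can be limited to servers like OpenSSH 5.3 that send no extension rather than applied to every server. It also extracts the rejection line from the quoted sshd -d output; the sample log is constructed from that output, and CLIENT_RSA_PREFS is an assumption matching the issue's "Actual order".

```python
import re
from typing import List, Optional

# Assumed client preference, strongest first, as in the issue's "Actual order".
CLIENT_RSA_PREFS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def choose_rsa_sig_algs(server_sig_algs: Optional[str],
                        client_prefs: List[str] = CLIENT_RSA_PREFS) -> List[str]:
    """Order in which to try signature algorithms for an RSA user key.

    server_sig_algs: the "server-sig-algs" value from SSH_MSG_EXT_INFO (RFC 8308),
    or None when the server sent no EXT_INFO, as the OpenSSH 5.3 in the issue does not.
    """
    if server_sig_algs is None:
        # No extension: the server may predate RFC 8332 and reject rsa-sha2-*
        # outright, so lead with legacy ssh-rsa (RSA with SHA-1) and keep the
        # SHA-2 names only as fallbacks. This is the issue's Solution 2, but
        # applied only where the server gave no better information.
        return ["ssh-rsa"] + [a for a in client_prefs if a != "ssh-rsa"]
    advertised = {a.strip() for a in server_sig_algs.split(",") if a.strip()}
    # The server said what it accepts: keep strongest-first, no SHA-1 downgrade.
    return [a for a in client_prefs if a in advertised]


# Matches the rejection line quoted from sshd -d in the issue.
_UNSUPPORTED = re.compile(r"userauth_pubkey: unsupported public key algorithm: (\S+)")


def find_unsupported_pubkey_algs(sshd_log: str) -> List[str]:
    """Detection helper: algorithms an sshd rejected during public-key auth."""
    return _UNSUPPORTED.findall(sshd_log)


# Constructed sample of sshd -d output, abridged from the issue's log.
SAMPLE_LOG = """\
debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
debug1: userauth-request for user zimbra service ssh-connection method publickey
userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
Connection closed by X.X.X.X
"""

if __name__ == "__main__":
    print("old server, no EXT_INFO :", choose_rsa_sig_algs(None))
    print("modern server           :",
          choose_rsa_sig_algs("ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"))
    print("rejected by sshd        :", find_unsupported_pubkey_algs(SAMPLE_LOG))
```

Against a server that advertises rsa-sha2-* the client keeps the SHA-2 signature; only the extension-less server gets the ssh-rsa-first order, and the log helper flags the rejection when it still happens.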