https://bugzilla.mindrot.org/show_bug.cgi?id=3506
--- Comment #4 from andy klier <[email protected]> ---
(In reply to Darren Tucker from comment #1)
> Comment on attachment 3627 [details]
> verbose output of ssh attempt
>
> The handling of -i hasn't changed as far as I know.
>
> [...]
> >debug1: identity file
> >/Users/steve/.config/zaccess/penguin.randomhostname.com.cert type 4
> >debug1: identity file
> >/Users/steve/.config/zaccess/penguin.randomhostname.com.cert-cert type -1
> >debug1: identity file /Users/steve/.ssh/vault type 0
> >debug1: identity file /Users/steve/.ssh/vault-cert type -1
>
> This doesn't exactly match the example invocation, but it indicates
> that two keys were loaded.
>
> [...]
> >debug1: Offering public key:
> >/Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT
> >SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug1: send_pubkey_test: no mutual signature algorithm
>
> I think this is your problem: ssh-rsa was disabled by default in 8.8
> (https://www.openssh.com/releasenotes.html#8.8). You can test this
> by adding "-oPubkeyAcceptedAlgorithms=+ssh-rsa" to your command
> line. I'm not sure why it didn't try one of the stronger RSA
> SHA256/512 variants.
>
> >debug1: Offering public key: /Users/steve/.ssh/vault RSA
> >SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug3: send packet: type 50
> >debug2: we sent a publickey packet, wait for reply
> >debug3: receive packet: type 51
> >debug1: Authentications that can continue: publickey
>
> This key is not in the server's authorized_keys.

TBC the example command is from the vault docs. the command we are running is:

ssh -i /Users/steve/.config/zaccess/penguin.randomhostname.com.cert -i /Users/steve/.ssh/vault [email protected]

the pub key for the CA is in `TrustedUserCAKeys` in `/etc/ssh/sshd_config`. we sign a cert using `/Users/steve/.ssh/vault.pub` and then ssh with the cert and its private key.

with -oPubkeyAcceptedAlgorithms=+ssh-rsa also fails.
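Added example (not part of the bug comment and not OpenSSH code): a small triage of `ssh -v` output that separates keys the client never sent ("no mutual signature algorithm") from keys that were sent and refused by the server, which is the distinction the quoted reply draws. The function name `triage` and the outcome strings are illustrative; packet types 50, 51 and 60 are the RFC 4252 user-authentication request, failure and PK_OK messages.

```python
import re

# Sample input: debug lines from the quoted attachment above, with the mail
# client's line wrapping undone (reconstructed for this example).
SAMPLE_LOG = """\
debug1: Offering public key: /Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/steve/.ssh/vault RSA SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
"""

# Assumes identity paths without spaces, as in the log above.
OFFER = re.compile(r"^debug1: Offering public key: (\S+) (\S+) (SHA256:\S+)")

def triage(log):
    """Return one dict per offered key with the outcome seen in the log."""
    results, current = [], None
    for line in log.splitlines():
        m = OFFER.match(line)
        if m:
            current = {"path": m.group(1), "type": m.group(2),
                       "fp": m.group(3), "outcome": "unknown"}
            results.append(current)
        elif current is None:
            continue  # nothing offered yet; ignore earlier debug lines
        elif "no mutual signature algorithm" in line:
            current["outcome"] = "not sent: no mutual signature algorithm"
        elif "send packet: type 50" in line:
            current["outcome"] = "sent, no reply seen"
        elif "receive packet: type 51" in line and current["outcome"] == "sent, no reply seen":
            current["outcome"] = "sent, rejected by server"
        elif "receive packet: type 60" in line and current["outcome"] == "sent, no reply seen":
            current["outcome"] = "sent, acceptable to server"
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["type"]:9} {r["path"]}: {r["outcome"]}')
```

On the sample, the certificate is reported as never sent and the plain RSA key as sent and rejected; both lines carry the same fingerprint because the certificate wraps the same public key.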
