"userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms" #16

Open
vitobotta opened this issue Jan 11, 2023 · 12 comments

Comments

@vitobotta

Hi! I built a tool to create Kubernetes clusters in Hetzner Cloud (https://github.com/vitobotta/hetzner-k3s) and I use your library to interact with servers :)

Some users are having problems with some SSH keys, and I tracked it down to Ubuntu 22.04 refusing some keys with old crypto and I see these lines in /var/log/auth.log

Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

The weird thing is that if I use the same SSH keys with the regular SSH client for example on Mac, I can SSH into the servers without any issue. But with the Crystal app using this library I cannot SSH into the servers because of that error.

Is there a workaround or does the library need to be updated somehow? Thanks!

@vitobotta
Author

Looks like this library still uses SHA-1 which is now deprecated

def hashkey(type : LibSSH2::HashType = LibSSH2::HashType::SHA1)

@stakach
Member

stakach commented Jan 11, 2023

Thanks for letting me know, I'll look into it

@vitobotta
Author

> Thanks for letting me know, I'll look into it

Awesome, thanks! I bet that many tools will break because of the SHA1 deprecation :)

@stakach
Member

stakach commented Jan 11, 2023

yeah saw a bunch of similar issues in go projects
I've made a pull request #17 that should fix the issue

are you able to test with your project?
The docker image I had for testing has been removed from docker-hub and I'm still looking for the Dockerfile

@vitobotta
Author

Hi @stakach I am still new to Crystal in general. How do I test with the code in your PR? Can I specify it somehow in the shards file?

@stakach
Member

stakach commented Jan 13, 2023

yeah, you can specify a branch in the shards yml
something like

  ssh2.cr:
    github: spider-gazelle/ssh2.cr
    branch: upgrade-default-hash-alg

@vitobotta
Author

Hi! I just tried and I still get userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms in the server's logs. With the regular SSH client I can log in with the same key. I actually tried basically the same change you made in a fork before, so same result. Any idea of what else might need to be updated?

For the time being to unblock users of my tool I am going to add PubkeyAcceptedKeyTypes=+ssh-rsa to the SSH config for the servers it creates, which seems to work as a temporary workaround.

@vitobotta
Author

Hi @stakach I am trying again. Just to make sure I am not missing anything, is it enough to add the branch to shards.yaml and run shards update or do I need to do something else? Thanks

@stakach
Member

stakach commented Jan 16, 2023

Yeah I think so, can have a look at the files and make sure the changes in the branch are present

@vitobotta
Author

Hi, sorry for the late reply. I tried but it didn't help, unfortunately. What could be the problem? I am not familiar enough with how keys work, etc.

@GrantBirki

@stakach I'm still getting this same issue userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

@GrantBirki

Update: I was able to fix my problems by updating the SSH configuration on the server I was trying to SSH into with this crystal library:

If you are trying to execute remote SSH commands and see userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] in your logs, try this:

Edit: /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Add the following line:

PubkeyAcceptedAlgorithms +ssh-rsa

Restart the ssh service:

sudo service ssh restart
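
To see which clients still trigger this rejection before deciding whether a server-wide `+ssh-rsa` override is needed, the two log messages quoted in this thread can be tallied per source. This is an added example, not part of the thread or of ssh2.cr; the sample log is constructed, and the "Connection closed" lines it correlates by sshd PID are an assumption about what the same sshd process logs.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in the thread. The
# "Connection closed" lines are assumed to come from the same sshd PID.
SAMPLE_LOG = """\
Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 11 21:10:16 test-cpx11-master1 sshd[2296]: Connection closed by authenticating user root 203.0.113.10 port 50122 [preauth]
Jan 11 21:12:40 test-cpx11-master1 sshd[2301]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 11 21:12:41 test-cpx11-master1 sshd[2301]: Connection closed by authenticating user deploy 203.0.113.10 port 50130 [preauth]
Jan 11 21:15:02 test-cpx11-master1 sshd[2310]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2
Jan 11 21:16:30 test-cpx11-master1 sshd[2315]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Both wordings reported in the thread: "key type" and "signature algorithm".
REJECT = re.compile(r"userauth_pubkey: (?:key type|signature algorithm) (?P<alg>\S+) "
                    r"not in PubkeyAcceptedAlgorithms")
CLOSED = re.compile(r"Connection closed by (?:(?:authenticating|invalid) user (?P<user>\S+) )?"
                    r"(?P<ip>\S+) port \d+")

def rejected_clients(log_text):
    """Count rejections per (host, user, source IP, rejected algorithm)."""
    pending = {}        # (host, pid) -> algorithm rejected in that session
    counts = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key = (m["host"], m["pid"])
        rej = REJECT.search(m["msg"])
        if rej:
            pending[key] = rej["alg"]
            continue
        closed = CLOSED.search(m["msg"])
        if closed and key in pending:
            counts[(m["host"], closed["user"] or "?", closed["ip"], pending.pop(key))] += 1
    # A rejection with no closing line in the log: the source stays unknown.
    for (host, _pid), alg in pending.items():
        counts[(host, "?", "unknown", alg)] += 1
    return counts

if __name__ == "__main__":
    for (host, user, ip, alg), n in sorted(rejected_clients(SAMPLE_LOG).items()):
        print(f"{host}: {n} rejected attempt(s) as {user} from {ip} using {alg}")
```
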
