MINA SSHD / SSHD-1154

userauth_pubkey: unsupported public key algorithm: rsa-sha2-512


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Duplicate
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.7.0
    • None

    Description

      Environment details:

      Server OS : CentOS release 6.9 (Final)

      $ ssh -V
      OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

      $ sshd -T
      port 22
      protocol 2
      addressfamily any
      listenaddress 0.0.0.0:22
      listenaddress [::]:22
      usepam yes
      serverkeybits 1024
      logingracetime 120
      keyregenerationinterval 3600
      x11displayoffset 10
      maxauthtries 6
      maxsessions 10
      clientaliveinterval 0
      clientalivecountmax 3
      permitrootlogin yes
      ignorerhosts yes
      ignoreuserknownhosts no
      rhostsrsaauthentication no
      hostbasedauthentication no
      hostbasedusesnamefrompacketonly no
      rsaauthentication yes
      pubkeyauthentication yes
      kerberosauthentication no
      kerberosorlocalpasswd yes
      kerberosticketcleanup yes
      gssapiauthentication yes
      gssapikeyexchange no
      gssapicleanupcredentials yes
      gssapistrictacceptorcheck yes
      gssapistorecredentialsonrekey no
      gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
      passwordauthentication yes
      kbdinteractiveauthentication no
      challengeresponseauthentication no
      printmotd yes
      printlastlog yes
      x11forwarding yes
      x11uselocalhost yes
      strictmodes yes
      tcpkeepalive yes
      permitemptypasswords no
      permituserenvironment no
      uselogin no
      compression delayed
      gatewayports no
      showpatchlevel no
      usedns yes
      allowtcpforwarding yes
      allowagentforwarding yes
      useprivilegeseparation yes
      kerberosusekuserok yes
      pidfile /var/run/sshd.pid
      xauthlocation /usr/bin/xauth
      ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
      macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
      kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      banner none
      authorizedkeysfile .ssh/authorized_keys
      authorizedkeysfile2 .ssh/authorized_keys2
      loglevel DEBUG
      syslogfacility AUTHPRIV
      hostkey /etc/ssh/ssh_host_rsa_key
      hostkey /etc/ssh/ssh_host_dsa_key
      acceptenv LANG
      acceptenv LC_CTYPE
      acceptenv LC_NUMERIC
      acceptenv LC_TIME
      acceptenv LC_COLLATE
      acceptenv LC_MONETARY
      acceptenv LC_MESSAGES
      acceptenv LC_PAPER
      acceptenv LC_NAME
      acceptenv LC_ADDRESS
      acceptenv LC_TELEPHONE
      acceptenv LC_MEASUREMENT
      acceptenv LC_IDENTIFICATION
      acceptenv LC_ALL
      acceptenv LANGUAGE
      acceptenv XMODIFIERS
      subsystem sftp /usr/libexec/openssh/sftp-server
      maxstartups 10:30:100
      permittunnel no
      permitopen any

      sshd-common : 2.6.0

      sshd-core : 2.6.0

      I am using Client protocol version 2.0; client software version APACHE-SSHD-2.6.0

      I am trying to SSH to my server (RHEL6) with APACHE-SSHD-2.6.0, using the code snippet below.

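      import java.io.ByteArrayInputStream;
      import java.io.InputStream;
      import java.util.concurrent.TimeUnit;
      import org.apache.sshd.client.SshClient;
      import org.apache.sshd.client.future.ConnectFuture;
      import org.apache.sshd.client.session.ClientSession;

      String send = "HOST:" + host + " " + command;
      InputStream inputStream = new ByteArrayInputStream(send.getBytes());
      SshClient client = SshClient.setUpDefaultClient();
      client.start();
      ConnectFuture cf = client.connect(username, host, port);
      try (ClientSession session = cf.verify().getSession()) {
          session.addPublicKeyIdentity(loadKeypair(privateKey.getAbsolutePath()));
          session.auth().verify(defaultTimeoutSeconds, TimeUnit.SECONDS);
          // ... (the rest of the snippet was not included in the report)
      }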

      This works fine with RHEL8, Ubuntu14, Ubuntu16 and Ubuntu18, but not with RHEL6 and RHEL7, where I get the exception below.

      unsupported public key algorithm: rsa-sha2-512 in sshd log

       

      Caused by: org.apache.sshd.common.SshException: No more authentication methods available
              at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
              at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
              at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
              at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:56)
              at com.zimbra.cs.rmgmt.RemoteManager.executeRemoteCommand(RemoteManager.java:170)
              at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:147)
              ... 70 more
      Caused by: org.apache.sshd.common.SshException: No more authentication methods available
              at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:342)
              at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:277)
              at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:224)
              at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:502)
              at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
              at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
              at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
              at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
              at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
              at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
              at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
              at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
              at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
              at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
              at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
              at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      
      broken-relay2:# /usr/sbin/sshd -d
      debug1: sshd version OpenSSH_5.3p1
      debug1: read PEM private key done: type RSA
      debug1: private host key: #0 type 1 RSA
      debug1: read PEM private key done: type DSA
      debug1: private host key: #1 type 2 DSA
      debug1: rexec_argv[0]='/usr/sbin/sshd'
      debug1: rexec_argv[1]='-d'
      Set /proc/self/oom_score_adj from 0 to -1000
      debug1: Bind to port 22 on 0.0.0.0.
      Server listening on 0.0.0.0 port 22.
      debug1: Bind to port 22 on ::.
      Server listening on :: port 22.
      debug1: Server will not fork when running in debugging mode.
      debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
      debug1: inetd sockets after dupping: 3, 3
      Connection from X.X.X.X port 55874
      debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
      debug1: no match: APACHE-SSHD-2.6.0
      debug1: Enabling compatibility mode for protocol 2.0
      debug1: Local version string SSH-2.0-OpenSSH_5.3
      debug1: permanently_set_uid: 74/74
      debug1: list_hostkey_types: ssh-rsa,ssh-dss
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug1: kex: client->server aes128-ctr hmac-sha2-256 none
      debug1: kex: server->client aes128-ctr hmac-sha2-256 none
      debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
      debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
      debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
      debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
      debug1: SSH2_MSG_NEWKEYS sent
      debug1: expecting SSH2_MSG_NEWKEYS
      debug1: SSH2_MSG_NEWKEYS received
      debug1: KEX done
      debug1: userauth-request for user zimbra service ssh-connection method none
      debug1: attempt 0 failures 0
      debug1: PAM: initializing for "zimbra"
      debug1: PAM: setting PAM_RHOST to "mail.example.com"
      debug1: PAM: setting PAM_TTY to "ssh"
      debug1: userauth-request for user zimbra service ssh-connection method publickey
      debug1: attempt 1 failures 0
      userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
      Connection closed by X.X.X.X
      debug1: do_cleanup
      debug1: do_cleanup
      debug1: PAM: cleanup

      I found 2 solutions.

      Solution 1:

      I upgraded ssh on RHEL6; it's working fine now.

      Before upgrade ssh version:

      $ ssh -V

      OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

      After upgrade ssh version:

      $ ssh -V

      OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

      Solution 2:

      I changed the order of SignatureFactoriesNameList; it's working fine now.

      Changed order of rsa-sha2-512, rsa-sha2-256, ssh-rsa

      Actual order: 

      ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa

      Changed order:

      ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256

       

      SshClient client = SshClient.setUpDefaultClient();
      client.setSignatureFactoriesNameList("ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256");
      	
      

      Solution 1 is good but not acceptable in my case; we can't ask our customers to upgrade server/system packages to make them compatible with the Java SSH client.

      Please let me know whether solution 2 is a better approach or not. If not, why, and what issues am I going to face with this change?
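An added example, not part of the original report and not MINA SSHD project code: the reordering from Solution 2 computed per server, so that ssh-rsa (which signs with SHA-1) is moved ahead of rsa-sha2-* only when the server banner shows an OpenSSH release older than 7.2, the first release to support rsa-sha2-256/512. The class and method names are hypothetical, and it assumes the caller already has the server's version banner; the returned string is in the form that `setSignatureFactoriesNameList` takes in the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LegacyRsaOrder {
    // Default client order quoted in the report under "Actual order".
    static final String DEFAULT_NAMES =
        "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,"
        + "ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,"
        + "rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
        + "ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
    private static final Pattern OPENSSH = Pattern.compile("^SSH-2\\.0-OpenSSH_(\\d+)\\.(\\d+)");

    // True for OpenSSH releases older than 7.2, the first release with rsa-sha2-256/512.
    static boolean lacksRsaSha2(String banner) {
        Matcher m = OPENSSH.matcher(banner);
        if (!m.find()) {
            return false; // not recognisably OpenSSH: keep the SHA-2-first default
        }
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        return major < 7 || (major == 7 && minor < 2);
    }

    // Moves ssh-rsa directly ahead of the plain rsa-sha2-* entries, but only for legacy servers.
    static String namesFor(String banner, String defaultNames) {
        List<String> names = new ArrayList<>(Arrays.asList(defaultNames.split(",")));
        if (lacksRsaSha2(banner) && names.remove("ssh-rsa")) {
            int at = names.size();
            for (String sha2 : new String[] {"rsa-sha2-512", "rsa-sha2-256"}) {
                int i = names.indexOf(sha2);
                if (i >= 0) {
                    at = Math.min(at, i);
                }
            }
            names.add(at, "ssh-rsa");
        }
        return String.join(",", names);
    }

    public static void main(String[] args) {
        // The first banner is the one in the report's sshd debug log; the second is constructed.
        for (String banner : new String[] {"SSH-2.0-OpenSSH_5.3", "SSH-2.0-OpenSSH_7.4"}) {
            System.out.println(banner + " -> " + namesFor(banner, DEFAULT_NAMES));
        }
    }
}
```

For the OpenSSH_5.3 banner the result matches the "Changed order" list in the report; for any other banner the default order is returned unchanged.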

       

          People

            Assignee: Unassigned
            Reporter: UmaShankar Avagadda (umashankar.avagadda)