Support OpenSSH 8.8 #883

Closed
bwa- opened this issue Sep 29, 2021 · 11 comments

bwa- commented Sep 29, 2021

OpenSSH 8.8 has disabled RSA signatures made with SHA1 by default. This seems to make SSH.Net incompatible with it. When trying to connect with an application using SSH.Net, I get the following error:

Permission denied (publickey).

On the destination machine, the following is logged for the sshd daemon:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms

In theory, regenerating keys with OpenSSH 8.8 should fix this problem, but in doing so, SSH.Net will no longer be able to read the new key, generating another error:

openssh key type: ssh-rsa is not supported

Sadly, I just have the stacktrace of the application I use for this, but maybe it helps:

Duplicati.Library.Interface.UserInformationException: Failed to parse the keyfile, check the key format and passphrase. Error message was openssh key type: ssh-rsa is not supported ---> Renci.SshNet.Common.SshException: openssh key type: ssh-rsa is not supported
Sep 29 20:31:18 htpc mono[1395173]:   at Renci.SshNet.PrivateKeyFile.ParseOpenSshV1Key (System.Byte[] keyFileData, System.String passPhrase) [0x000c3] in <8c66a76a693c4e52b456ec0712c863dd>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Renci.SshNet.PrivateKeyFile.Open (System.IO.Stream privateKey, System.String passPhrase) [0x00355] in <8c66a76a693c4e52b456ec0712c863dd>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Renci.SshNet.PrivateKeyFile..ctor (System.String fileName, System.String passPhrase) [0x00023] in <8c66a76a693c4e52b456ec0712c863dd>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Renci.SshNet.PrivateKeyFile..ctor (System.String fileName) [0x00000] in <8c66a76a693c4e52b456ec0712c863dd>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Backend.SSHv2.ValidateKeyFile (System.String filename, System.String password) [0x0001f] in <64bc5fc0959e40abaaf59040a05bc63e>:0
Sep 29 20:31:18 htpc mono[1395173]:    --- End of inner exception stack trace ---
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Backend.SSHv2.ValidateKeyFile (System.String filename, System.String password) [0x000ac] in <64bc5fc0959e40abaaf59040a05bc63e>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Backend.SSHv2.CreateConnection () [0x0006e] in <64bc5fc0959e40abaaf59040a05bc63e>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Backend.SSHv2+<List>d__42.MoveNext () [0x0002c] in <64bc5fc0959e40abaaf59040a05bc63e>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Interface.BackendExtensions.TestList (Duplicati.Library.Interface.IBackend backend) [0x00017] in <0b09fcfcca1b440fab7c860158765270>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Library.Backend.SSHv2.Test () [0x00000] in <64bc5fc0959e40abaaf59040a05bc63e>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.TestConnection (System.String url, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x000b7] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.POST (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x00094] in <3752ce5d8337471da6b77129cfa4bdbe>:0
Sep 29 20:31:18 htpc mono[1395173]:   at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x00289] in <3752ce5d8337471da6b77129cfa4bdbe>:0

See https://www.openssh.com/txt/release-8.8 as well

Collaborator

darinkes commented Sep 30, 2021

It's already everything merged, just needs a new NuGet Release.
See #614

Author

bwa- commented Sep 30, 2021

> It's already everything merged, just needs a new NuGet Release. See #614

That's great news. Thanks!


et1975 commented Sep 30, 2021

Any chance of getting the package published? darkoperator/Posh-SSH#388 is held up because of it.


darkoperator commented Sep 30, 2021 via email

@chrisdanna

Any chance of publishing the package with this update soon? Even if a prerelease?

@dotan2401

Hi,
Can the fix to support OpenSSH 8.8 be found in the develop branch?
Is it possible to compile the code and use the DLL with the fix?

@dotan2401

Is there any fix that we can use? Is there any workaround for the issue? Is there any way to create my keys in a format that will be supported? Thanks :)

@lifeincha0s

@dotan2401
OpenSSH only disabled the use of SHA-1 for signature algorithms by default. RSA keys are still allowable but must use a SHA-256/512 signature. The algorithms have been rebranded as "rsa-sha2-256" and "rsa-sha2-512", which essentially wrap the RSA public key inside of an "rsa-sha2-256" or "rsa-sha2-512" SSH_MSG_USERAUTH_REQUEST message. If you wish to know how the implementation works, refer to RFC 8332, "Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol", for more information.
A temporary solution can be found in #825 that does not require the library code to be modified.
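
An added example (not part of the thread and not SSH.NET code) of the distinction drawn in the comment above, following RFC 8332 and RFC 4252: the public key blob stays tagged "ssh-rsa", and only the signature algorithm name and hash change. The RSA key, session id, user name and the `ACCEPTED` policy set are constructed for illustration.

```python
import hashlib, struct

P, Q, E = 2**521 - 1, 2**607 - 1, 65537  # constructed weak demo key (Mersenne primes)
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# SSH signature algorithm name -> (hash, DER DigestInfo prefix from RFC 8017).
ALGS = {
    "ssh-rsa": (hashlib.sha1, "3021300906052b0e03021a05000414"),
    "rsa-sha2-256": (hashlib.sha256, "3031300d060960864801650304020105000420"),
    "rsa-sha2-512": (hashlib.sha512, "3051300d060960864801650304020305000440"),
}
ACCEPTED = {"rsa-sha2-256", "rsa-sha2-512"}  # simplified server policy without "ssh-rsa"

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def mpint(n):  # positive integers only
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def first_string(blob):
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()

KEY_BLOB = ssh_string(b"ssh-rsa") + mpint(E) + mpint(N)  # tagged "ssh-rsa" for every hash

def emsa(alg, msg):  # EMSA-PKCS1-v1_5 encoding of msg
    h, prefix = ALGS[alg]
    t = bytes.fromhex(prefix) + h(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def signed_data(sid, user, alg):  # RFC 4252 section 7; 0x32 = SSH_MSG_USERAUTH_REQUEST
    return (ssh_string(sid) + b"\x32" + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey") + b"\x01"
            + ssh_string(alg.encode()) + ssh_string(KEY_BLOB))

def sign(alg, data):  # signature blob: string algorithm name, string signature
    s = pow(int.from_bytes(emsa(alg, data), "big"), D, N)
    return ssh_string(alg.encode()) + ssh_string(s.to_bytes(K, "big"))

def server_accepts(sid, user, sig_blob):
    alg = first_string(sig_blob)
    if alg not in ACCEPTED:  # the "not in PubkeyAcceptedAlgorithms" case
        return False
    s = int.from_bytes(sig_blob[len(alg) + 8:], "big")
    return pow(s, E, N).to_bytes(K, "big") == emsa(alg, signed_data(sid, user, alg))

if __name__ == "__main__":
    sid, user = b"\x11" * 32, b"backup"  # constructed session id and user
    print({a: server_accepts(sid, user, sign(a, signed_data(sid, user, a))) for a in ALGS})
```

The same key authenticates once the client signs with a SHA-2 algorithm name, which is why regenerating an RSA key does not change the outcome on its own.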

@dotan2401

@lifeincha0s, thanks, it was very helpful.


ckdell commented Jun 27, 2023

I did not find the solution in #825 helpful for Client-side connections. I'm missing something apparently. I'm trying to add support for rsa-sha2-512, not rsa-sha2-256.

@WojciechNagorski
Collaborator

Version 2023.0.0 has been published: https://www.nuget.org/packages/SSH.NET/2023.0.0
