Keepass2Android uses SSH-RSA which is no longer allowed by default

Open quickishfm opened this issue 2 years ago • 8 comments

I try to use public key authentication to connect to my Linux server via SFTP but recently it has not worked. The SSH logs show this:

Oct 08 14:10:35 HOSTNAME sshd[48375]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: error: Received disconnect from 192.168.1.80 port 48222:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: Disconnected from authenticating user penguin 192.168.1.80 port 48222 [preauth]

I have no option to change the public key or which algorithm keepass2android gives to me. Can this be changed to a more secure algorithm or an ability to choose my own public key? This issue is also documented here https://bbs.archlinux.org/viewtopic.php?id=270005 which indicates sshd was changed recently to no longer allow ssh-rsa by default.

Workaround currently in place: Setting SSHD to accept ssh-rsa. Adding the following lines of code to /etc/ssh/sshd and then restarting sshd works.

PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
sudo systemctl restart sshd   #Only on systemd systems, obviously

quickishfm avatar Oct 08 '21 13:10 quickishfm
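
To see which clients sshd is refusing for offering ssh-rsa, the log lines quoted in this issue can be tallied per user and source address by correlating on the sshd PID. This is an added example, not part of the original thread or the Keepass2Android project; the function name `rejected_key_clients` is hypothetical and every sample line after the first three is constructed.

```python
import re
from collections import Counter

# "sshd-session" is the per-connection process name logged by newer OpenSSH releases.
SSHD = re.compile(r"sshd(?:-session)?\[(\d+)\]: (.*)")
REJECTED = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAccepted(?:Algorithms|KeyTypes)")
PEER = re.compile(r"(?:Disconnected from|Connection closed by) (?:authenticating|invalid) user (\S+) (\S+) port \d+")

# First three lines are the ones quoted in the issue; the rest are constructed.
SAMPLE_LOG = """\
Oct 08 14:10:35 HOSTNAME sshd[48375]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: error: Received disconnect from 192.168.1.80 port 48222:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: Disconnected from authenticating user penguin 192.168.1.80 port 48222 [preauth]
Oct 08 14:12:01 HOSTNAME sshd[48390]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:12:02 HOSTNAME sshd[48391]: Failed password for alice from 192.168.1.81 port 50112 ssh2
Oct 08 14:12:02 HOSTNAME sshd[48391]: Connection closed by authenticating user alice 192.168.1.81 port 50112 [preauth]
Oct 08 14:12:03 HOSTNAME sshd[48390]: Connection closed by authenticating user penguin 192.168.1.80 port 48230 [preauth]
Oct 08 14:15:40 HOSTNAME sshd[48402]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
"""

def rejected_key_clients(lines):
    """Count (user, ip, key_type) for sessions in which sshd refused the key type."""
    pending = {}       # pid -> key types refused so far in that session
    counts = Counter()
    for line in lines:
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        refused = REJECTED.search(msg)
        if refused:
            pending.setdefault(pid, set()).add(refused.group(1))
            continue
        peer = PEER.search(msg)
        if peer and pid in pending:
            # Session ended: attribute the refusal, then drop the PID since PIDs are reused.
            for key_type in pending.pop(pid):
                counts[(peer.group(1), peer.group(2), key_type)] += 1
    # Refusals whose session-end line is not in this slice of the log.
    for key_types in pending.values():
        for key_type in key_types:
            counts[(None, None, key_type)] += 1
    return counts

if __name__ == "__main__":
    for (user, ip, key_type), n in rejected_key_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {key_type}  user={user}  from={ip}")
```

Sessions that fail for other reasons (the constructed password failure for `alice`) are not counted, and a refusal with no matching session-end line is reported with an unknown user and address.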

I am having this same issue. May I suggest switching to ed25519? Much more secure and won't be phased out for quite some time.

rwinkhart avatar Oct 08 '21 19:10 rwinkhart

note to myself: ed25519 doesn't seem to be supported by JSch at the moment (https://sourceforge.net/p/jsch/feature-requests/7/), but some forks seem to support it (https://github.com/subhra74/snowflake/issues/16)

PhilippC avatar Oct 11 '21 09:10 PhilippC

Same issue here. Another solution would be SHA2. This wouldn't even need new keys, just an updated SSH client with SHA2 support.

functionpointer avatar Nov 17 '21 18:11 functionpointer

I have the same issue, also applied the workaround. Is there any progress with this issue?

snIP3r23 avatar Jan 10 '22 08:01 snIP3r23

Is there an update for this? I want to remove the RSA workaround from my server, but I still have clients using Keepass2Android. Not here to rush, just wondering what the status of this is.

rwinkhart avatar Jan 26 '22 20:01 rwinkhart

looking at https://sourceforge.net/p/jsch/feature-requests/7/ I don't see an update in JSch

PhilippC avatar Jan 31 '22 08:01 PhilippC

@PhilippC Thanks for the great app, sorry jsch has been a thorn; it looks like jsch is not being maintained, and the fork you listed above isn't maintained either. This fork: https://github.com/mwiede/jsch is being actively maintained, rolling fixes, features, and releases... FAQ. Would you consider switching from the jcraft jsch to the Matthias Wiedemann fork? Looks like he's actively addressing entered issues, and provides more settings/options, without requiring that they are used.

For people with very dated ssh servers... Could have a checkbox for legacy ssh settings to cover old + current ssh servers? ( https://github.com/mwiede/jsch/wiki/Jsch-Configuration ) Though I'd be happy just with modern settings/interop... :)

ryantig avatar Apr 11 '22 22:04 ryantig

Ubuntu 22.04 now ships with an sshd version that disallows ssh-rsa by default. The workaround in the first post works fine.

WinterSolstice8 avatar Apr 29 '22 20:04 WinterSolstice8