
iOS / MacOS bVNC does not connect over SSH using RSA SSH keys to MacOS Ventura and newer servers

Open cyberpower678 opened this issue 1 year ago • 15 comments

I just purchased the bVNC app and tried to set up my SSH tunnel, but it's not handing off the key properly. I'm using the exact same openSSH key that I use everywhere else, but it doesn't work on the app.

cyberpower678 avatar Mar 18 '24 21:03 cyberpower678

Could you please paste a screenshot of the error the app displays?


iiordanov avatar Mar 19 '24 01:03 iiordanov


Initializing Remote Session instance: 0

Device reports screen resolution 1330.0x998.0

Ensuring buttons are initialized, and positioning them where they should be

Setting up SSH forwarding

initAndShowOrHideKeyboardButtonDueToExternalKeyboard() Creating keyboard button

initializeKeyboardButtonIfNotInitialized() Initializing keyboard button

Waiting for SSH forwarding to complete successfully

showOrHideKeyboardButtonDueToExternalKeyboard() Checking GCKeyboard.coalesced: nil

showOrHideKeyboardButtonDueToExternalKeyboard() Showing keyboard button because external keyboard was not found

Successfully resolved hostname <REDACTED> to IP <REDACTED>

SSH Address is ipv4, will try to connect over ipv4!

SSH Setting socket options SO_NOSIGPIPE, TCP_NODELAY

SSH Attempting ipv4 connection

SSH Creating a session instance

SSH Session handshake

SHA1 Fingerprint: <REDACTED>

SHA256 Fingerprint: <REDACTED>

SSH Authentication methods: publickey

SSH Authentication by public key failed!

SSH Result of SSH forwarding: -3

SSH library is telling us it failed to set up SSH forwarding

Connection failure, showing error with title SSH_TUNNEL_CONNECTION_FAILURE_TITLE.

Scheduling disconnect

Lazy disconnecting

disconnect(sender:) called

disconnect(wasDrawing:) called

wasDrawing(): true

Hiding keyboard.

cyberpower678 avatar Mar 19 '24 11:03 cyberpower678

There's no docs I can find on how to properly set this up so I simply copy/pasted the OpenSSH private key into the text field when setting up the connection. It's the same key used on my main machine to SSH in.

cyberpower678 avatar Mar 19 '24 11:03 cyberpower678

That is not the right way. You have to tap the manage key button. The help (the (i) icon top right) refers to all of that. I don't want docs outside the app, ideally.


iiordanov avatar Mar 19 '24 16:03 iiordanov

I don't see such a button. "To use an SSH Key for authentication, paste it in the text box after the SSH Key label." Seems to be contrary to what you are saying?

cyberpower678 avatar Mar 19 '24 17:03 cyberpower678

My apologies, I didn't realize you are talking about the iOS project. You are absolutely right, pasting it in the box is the right thing to do.

I'll need the command you used to generate your key so I can try with a key of the same format, then!


iiordanov avatar Mar 19 '24 17:03 iiordanov

Oh dear, I don't remember what I used. I believe I simply ran a basic ssh-keygen command on a macOS instance to generate this key. But this was a while ago.

cyberpower678 avatar Mar 19 '24 17:03 cyberpower678

Do you know whether it is a DSA, RSA, or ECDSA key? Thanks!


-- The conscious mind has only one thread of execution.

iiordanov avatar Mar 20 '24 13:03 iiordanov

I’m pretty sure it’s an rsa key.


cyberpower678 avatar Mar 20 '24 13:03 cyberpower678

Hi there, I just tested various combinations, and the results are in.

  • RSA keys work fine when authenticating to Linux and to MacOS X Monterey and older
  • RSA keys DO NOT work when authenticating to MacOS X Ventura and Sonoma
  • DSA keys don't work even on the command-line authenticating to both Linux and MacOS, so don't bother
  • ECDSA keys work fine authenticating to everywhere

Please confirm that a key generated like this: ssh-keygen -t ecdsa

works for you.

iiordanov avatar Mar 20 '24 15:03 iiordanov

Hey, any update to this? Also, would you mind updating the review on the App Store to reflect my support? I am not feeling very motivated to fix issues that have a 1-star review attached to them.

iiordanov avatar Apr 01 '24 16:04 iiordanov

Sorry, I missed your last message. I'll give a different key a go later today or tomorrow. I'm overhauling my keys at the moment anyway.

cyberpower678 avatar Apr 01 '24 17:04 cyberpower678

Sorry for the wait, the ECDSA key works fine, but the RSA does not. The target SSH server is a Debian machine though.

cyberpower678 avatar Apr 02 '24 21:04 cyberpower678

ED25519, my current preference, also works fine. RSA is the only algo that needs to be fixed on bVNC.

cyberpower678 avatar Apr 02 '24 21:04 cyberpower678

Sounds good, I'll leave this bug report here for RSA.


iiordanov avatar Apr 02 '24 23:04 iiordanov

For whoever reported RSA keys not working with bVNC, aRDP or aSPICE, I found the root cause, and I suspected it's a server-side issue.

  1. I checked /var/log/auth.log on an Ubuntu 22.04 machine which was reproducing the issue, and found:

May 19 21:33:18 subgenius sshd[3205570]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

  2. Edited as user root the file /etc/ssh/sshd_config and I added to the bottom of it something like the following:

PubkeyAcceptedAlgorithms +ssh-rsa

I encourage you to read up on this option, security implications of it, etc.

  3. I restarted the server with:

Ubuntu 22.04: systemctl restart ssh

MacOS Ventura and newer:

launchctl stop ssh

launchctl start ssh

  4. Thereafter RSA keys worked again.

iiordanov avatar May 20 '24 01:05 iiordanov
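
A check a server administrator could run around the workaround above (an added example, not code from this thread or from the bVNC project): it counts the key types sshd rejected in auth.log and reports whether the effective configuration printed by `sshd -T` accepts the SHA-1 `ssh-rsa` algorithm alongside `rsa-sha2-*`. Apart from the first log line, which is the one quoted above, the sample log and `sshd -T` output are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First line is the auth.log entry quoted in the thread; the rest are
# constructed samples (made-up PIDs, user, address and fingerprint).
SAMPLE_AUTH_LOG = """\
May 19 21:33:18 subgenius sshd[3205570]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 19 21:34:02 subgenius sshd[3205611]: Accepted publickey for demo from 192.0.2.10 port 50522 ssh2: ECDSA SHA256:constructed
May 19 21:35:40 subgenius sshd[3205702]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 19 21:36:11 subgenius sshd[3205733]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedAlgorithms [preauth]
"""

# Constructed excerpt of `sshd -T` output after the workaround was applied.
SAMPLE_SSHD_T = """\
port 22
pubkeyauthentication yes
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
"""

# OpenSSH before 8.5 names the option PubkeyAcceptedKeyTypes, so match both.
REJECT_RE = re.compile(
    r"sshd\[\d+\]: userauth_pubkey: key type (\S+) "
    r"not in PubkeyAccepted(?:Algorithms|KeyTypes)"
)
OPTION_NAMES = ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")
# "ssh-rsa" as an algorithm name means RSA signatures made with SHA-1.
SHA1_RSA = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}


def rejected_key_types(log_text):
    """Count how often each key type was refused during public-key auth."""
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))


def accepted_pubkey_algorithms(sshd_t_output):
    """Return the effective accepted-algorithm list from `sshd -T` output."""
    for line in sshd_t_output.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in OPTION_NAMES:
            return [alg for alg in value.strip().split(",") if alg]
    return []


def audit(sshd_t_output):
    """Report SHA-1 RSA and SHA-2 RSA signature algorithms the server accepts."""
    algs = accepted_pubkey_algorithms(sshd_t_output)
    return {
        "sha1_rsa_enabled": sorted(SHA1_RSA.intersection(algs)),
        "sha2_rsa_enabled": sorted(a for a in algs if a.startswith("rsa-sha2-")),
    }


if __name__ == "__main__":
    print(dict(rejected_key_types(SAMPLE_AUTH_LOG)))
    print(audit(SAMPLE_SSHD_T))
```

On a real host the inputs would be the contents of /var/log/auth.log and the output of `sshd -T` run as root.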

Hi Anthony, this workaround is only for people that absolutely MUST use RSA keys for some reason. If you are concerned about security, you can use ECDSA keys instead - they work out of the box with no workarounds.

Iordan

On Fri., Aug. 16, 2024, 1:28 a.m. Anthony Zhang, @.***> wrote:

Hi @iiordanov https://github.com/iiordanov!

Thanks for the workaround, aRDP is working great now. However, since ssh-rsa is vulnerable to chosen-prefix attacks (source: https://www.openssh.com/txt/release-8.2) and can be broken (relatively) easily - is there a plan to support algorithms like rsa-sha2-256/rsa-sha2-512 in aRDP?


iiordanov avatar Aug 16 '24 06:08 iiordanov