
SSH server rejecting private key - how to proceed

Open tangledariadne opened this issue 2 years ago • 5 comments

Love Postico. I'm a paid user. I'm having issues connecting via SSH and I'm not sure how to debug and correct. What should I look into fixing?

Postgres is running on AWS RDS in a private subnet. I have a bastion server AWS EC2 instance that is publicly available to connect to via SSH private key.

I have successfully used Mac's SSH with my private key and connected to the EC2 server. Then, on that EC2 server, I installed psql and using PSQL on that server, I can connect to the Postgres database on AWS in the private subnet. So:

  • SSH allows me to EC2 server
  • AWS RDS rules allow EC2 server to connect to Postgres
  • Postgres is allowing the connection

It seems that outside Postico, things seem to work as I expect them.

What did you do?

  • Add New Favorite
  • Picked "Connect via SSH" from "Options" dropdown
  • Configure Host, User, Password, and Database for the AWS RDS Postgres server (validated above). Note that Host is a big long AWS resource string like myservername.awsidentifiernumber.us-west-2.rds.amazonaws.com
  • Used the IP address of the EC2 server for SSH Host. (validated above)
  • Left User, Password blank.
  • Used 22 (the default) for the Port

Used "Choose" button to choose the private key in ~/.ssh/keyname.pem. I validated that the key worked with command line SSH.

Then, clicked "Connect".

What did you expect to happen?

I expected to connect through the EC2 server and into the Postgres server running on AWS RDS.

What actually happened?

Got some sentences flashing in quick succession as the connection is being established, but ending with "The SSH server rejected the private key." I could not see the steps prior to that, so I can't give any more details. If I knew if/where Postico might log stuff, I could look there.

What software versions are you using?

EC2 runs Amazon Linux 2
RDS running Postgres 14.1

Postico version:
Version 1.5.20 (8940)

macOS version:
Mac OS Mojave 10.14.6

PostgreSQL version:
RDS running 14.1

tangledariadne avatar Mar 07 '22 19:03 tangledariadne

Unfortunately Postico does not log any data that would be useful for debugging this.

The first thing that sticks out to me is the ".pem" extension on the SSH key. None of my SSH keys have this extension, and I'm not sure if libssh2 (the SSH library that Postico uses) supports keys in PEM format. However, I would expect a different error message if that was the problem.

The first thing I would try is to connect to the EC2 server on the Terminal in verbose mode (ssh -v [email protected]....) and check which authentication methods and keys it uses, and double check which key is accepted by the server.

Finally, is there a way you could check the sshd server log, e.g. using journalctl -u ssh.service? Maybe there are more details on why the authentication attempt is rejected.

jakob avatar Mar 19 '22 05:03 jakob

I have the same issue connecting to our RDS server using Postico. I was able to connect using SSH through an Ubuntu 16.04.7 bastion, but we just recently upgraded that to an Ubuntu 22.04 bastion host (I do not know the old OpenSSH version on the previous bastion). I believe this is because ssh-rsa is no longer accepted by newer versions of OpenSSH on the bastion.

I am able to connect to the bastion with this SSH key and user, and I am able to use the psql client to connect to the PostgreSQL database. However, when I connect through Postico, I get "The SSH server rejected the private key."

Here are the ssh.service log messages from the Postico connection attempt:

Jun 01 21:14:01 bastion-dev sshd[80517]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 01 21:14:01 bastion-dev sshd[80517]: Received disconnect from ***.***.***.*** port 63282:11: Client disconnecting normally [preauth]
Jun 01 21:14:01 bastion-dev sshd[80517]: Disconnected from authenticating user fmanna ***.***.***.*** port 63282 [preauth]

When I run sshd -T on the bastion host, I see that ssh-rsa is, in fact, not in the pubkeyacceptedalgorithms. One of my colleagues was able to connect to our RDS instance via Postico using an ed25519 key with the same bastion.

I haven't figured out why I can successfully SSH to this bastion with my ssh-rsa key outside of Postico, but that likely has something to do with the ssh config on my machine. For now, I believe you can generate an ed25519 key and use that with Postico, or allow ssh-rsa on the bastion.

fmannaixn avatar Jun 01 '22 21:06 fmannaixn

@fmannaixn Thanks for the additional details! I think I figured it out: OpenSSH stopped accepting ssh-rsa by default, but they added two new schemes to replace it that use the same RSA keys: rsa-sha2-256 and rsa-sha2-512

The version of libssh2 that I am using in Postico does not yet support these new schemes.

This is probably why it works with OpenSSH, but not with Postico.

libssh2 added support for the two new methods back in January, but there hasn't been an official release since. I'll review the changes and see if I can maybe use an unreleased version of libssh2 to add support for connecting to RDS with RSA keys again.

jakob avatar Jun 03 '22 09:06 jakob
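
The two checks discussed in the comments above (the bastion's accepted signature algorithms from sshd -T, and the rejection lines in the sshd log), as an added example that is not part of the original thread. The function names and the sshd -T sample are constructed for illustration; the log sample is the one quoted above.

```shell
#!/bin/sh
# Added example; rsa_policy and rejected_offers are hypothetical helper names.

# Classify the RSA signature policy from `sshd -T` output on stdin.
#   sha1-allowed : ssh-rsa (RSA with SHA-1) is still accepted
#   sha2-only    : RSA keys work only via rsa-sha2-256 / rsa-sha2-512
#   no-rsa       : no RSA signature algorithm is accepted at all
rsa_policy() {
    # Older OpenSSH releases name the option pubkeyacceptedkeytypes.
    algs=$(awk '$1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" { print $2 }' | tr ',' '\n')
    if printf '%s\n' "$algs" | grep -qx 'ssh-rsa'; then
        echo "sha1-allowed"
    elif printf '%s\n' "$algs" | grep -Eqx 'rsa-sha2-(256|512)'; then
        echo "sha2-only"
    else
        echo "no-rsa"
    fi
}

# From sshd journal lines on stdin, print "<user> <rejected algorithm>" for
# each session where an offered key type was refused, matching lines by sshd PID.
rejected_offers() {
    awk '
    {
        pid = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sshd\[[0-9]+\]:$/) { pid = $i; gsub(/[^0-9]/, "", pid); f = i; break }
        if (pid == "") next
    }
    $(f+1) == "userauth_pubkey:" && $(f+3) == "type" && $(f+5) == "not" { alg[pid] = $(f+4) }
    $(f+1) == "Disconnected" && $(f+3) == "authenticating" && (pid in alg) {
        print $(f+5), alg[pid]; delete alg[pid]
    }'
}

# Constructed `sshd -T` excerpt for a bastion that dropped ssh-rsa.
SAMPLE_SSHD_T='port 22
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
passwordauthentication no'

# Log lines as quoted in this thread.
SAMPLE_LOG='Jun 01 21:14:01 bastion-dev sshd[80517]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 01 21:14:01 bastion-dev sshd[80517]: Received disconnect from ***.***.***.*** port 63282:11: Client disconnecting normally [preauth]
Jun 01 21:14:01 bastion-dev sshd[80517]: Disconnected from authenticating user fmanna ***.***.***.*** port 63282 [preauth]'

printf '%s\n' "$SAMPLE_SSHD_T" | rsa_policy
printf '%s\n' "$SAMPLE_LOG" | rejected_offers
```

On a real bastion the same functions take live input: sudo sshd -T | rsa_policy and journalctl -u ssh.service | rejected_offers. A result of sha2-only together with rejected ssh-rsa offers points at a client that cannot sign with rsa-sha2-256 or rsa-sha2-512, not at a bad key.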

I think I've fixed the "The SSH server rejected the private key" problem. I've confirmed that Postico can now connect to SSH servers that reject ssh-rsa, but I haven't tested with RDS yet. Could you test if it works for AWS RDS as well?

I've upgraded libssh2 to a newer version in Postico 2 build 9411. If you are using Postico 2, just check for updates and you should be able to connect with RSA keys again.

I've also backported this fix to Postico 1.5, and it will be released in Postico 1.5.21. You can download a prerelease build here: https://eggerapps-downloads.s3-eu-west-1.amazonaws.com/postico-9412.zip

Please let me know if these new builds fix your issue!

jakob avatar Jun 17 '22 15:06 jakob

Thank you! I've swapped to an id_ed25519 key, but I will see if any of my teammates still have their id_rsa keys to test.

fmannaixn avatar Jun 17 '22 16:06 fmannaixn