userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
As RunDeck only accepts SSH keys generated with the "RSA" algorithm, newer OpenSSH servers no longer accept them by default.
This means that, when you update an SSH server to a newer version, the configuration will start to drop these connections and will prevent RunDeck from connecting to servers that were working before.
You will find in the target's log:
```
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
```
Seen on:
- Rundeck version: 3.4.0-20210614
- install type: war
- OS Name/version: ArchLinux
To Reproduce
Steps to reproduce the behavior: Use any RunDeck installation which will try to SSH to targets using an SSH key based on RSA.
Expected behavior
Connection will be denied
Any other possible key type on RunDeck (like dsa, ecdsa) fails with an error:
```
Failed: SSHProtocolFailure: invalid privatekey
```
See https://bbs.archlinux.org/viewtopic.php?id=270005
Can we get some eyes on this? As it stands, Rundeck will not connect to any host running OpenSSH >8.8 without changing each and every one of their /etc/ssh/sshd_config files to re-enable ssh-rsa key types. This is massively encumbering if you have any host count whatsoever that you keep up to date.
Per the OpenSSH team's release notes for 8.8 (current release on Ubuntu is 8.9 btw):
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
```
Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
If keys generated with OpenSSH 7.2+ are fine, just how old is the SSH client Rundeck uses?
FYI, if I add `PubkeyAcceptedKeyTypes=+ssh-rsa` to /etc/ssh/sshd_config I can now connect just fine. This needs to get fixed as it's a security issue, and an ever-increasing functional issue as time moves on.
I too ran into this problem with Rundeck 3.4.10.20220118-1 and our nodes with Ubuntu 22.04.
The weird thing is: the key works on the command line when I use the OpenSSH client to log in to the nodes. It just doesn't work for Rundeck.
I have the same issue with rundeck-4.1.0.20220420-1.noarch on CentOS 8 Stream going to an Ubuntu 22.04 node. I made a 4k RSA key, copied it everywhere and changed the Ubuntu 22 servers to have in /etc/ssh/sshd_config: `PubkeyAcceptedKeyTypes=+ssh-rsa`
but it still didn't work...
Then I came across this and at least the RSA 4096 key finally worked:
https://tech.davidfield.co.uk/2020/05/16/rundeck-3-install-setup-and-an-example-project/
> Convert your private key from SSH to RSA
> Your private key will probably be in the format for openssh, Rundeck needs this to be converted to the RSA format.
> If you show the contents of your private key using `cat /path/to/openssh/key` and the start and end of the key have the following
> `-----BEGIN OPENSSH PRIVATE KEY-----` ... `-----END OPENSSH PRIVATE KEY-----`
> then your private key is in the wrong format for Rundeck and you need to run
> `ssh-keygen -p -m PEM -f /path/to/openssh/key`
> This will rewrite the existing private key to the RSA format.
I'll try doing the same with the ed25519 key, but for now that will have to wait.
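The three things this thread keeps circling back to are the `userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms` log line, the `PubkeyAcceptedKeyTypes=+ssh-rsa` stopgap in sshd_config, and the `ssh-keygen -p -m PEM` key conversion quoted above. The following POSIX-sh audit is an added example (not Rundeck's, OpenSSH's, or any commenter's code): it lists the users and source addresses behind rejected ssh-rsa attempts in sshd log lines, flags an sshd_config that has re-enabled SHA-1 RSA signatures, and reports a private key's container format so you can tell which keys still need converting. The log lines, hostnames, PIDs, addresses and key files are constructed for the example; the config lines are the weak stopgap from this thread beside a SHA-2/Ed25519-only setting.

```shell
#!/bin/sh
# Added example (not Rundeck's or OpenSSH's code): audit helpers for the
# "key type ssh-rsa not in PubkeyAcceptedAlgorithms" failure in this issue.

# Constructed sample sshd log (hostname, PIDs and addresses are made up).
SAMPLE_AUTH_LOG='Jun 14 10:01:02 node1 sshd[1234]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 14 10:01:02 node1 sshd[1234]: Connection closed by authenticating user rundeck 10.0.0.5 port 51234 [preauth]
Jun 14 10:05:40 node1 sshd[1300]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 14 10:05:40 node1 sshd[1300]: Connection closed by authenticating user deploy 10.0.0.7 port 40001 [preauth]
Jun 14 10:07:00 node1 sshd[1350]: Accepted publickey for admin from 10.0.0.9 port 2222 ssh2: ED25519 SHA256:constructedfingerprint'

# Print "user ip" for every client whose ssh-rsa (SHA-1) key was rejected.
# The rejection line itself carries no user, so it is matched to the following
# "Connection closed by authenticating user ..." line from the same sshd PID.
rejected_rsa_clients() {
  awk '
    /userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms/ {
      match($0, /sshd\[[0-9]+\]/); pending[substr($0, RSTART, RLENGTH)] = 1
    }
    /Connection closed by authenticating user/ {
      match($0, /sshd\[[0-9]+\]/); pid = substr($0, RSTART, RLENGTH)
      if (pid in pending) {
        for (i = 1; i <= NF; i++) if ($i == "user") print $(i + 1), $(i + 2)
        delete pending[pid]
      }
    }'
}

# Exit 0 if the sshd_config text on stdin widens the accepted public-key
# algorithms to include the ssh-rsa token (RSA with SHA-1), in either the
# older PubkeyAcceptedKeyTypes or the newer PubkeyAcceptedAlgorithms spelling.
# rsa-sha2-256 / rsa-sha2-512 do not match: those are the SHA-2 signatures
# that OpenSSH >= 7.2 already uses with the same RSA key.
sshd_config_reenables_ssh_rsa() {
  grep -Eiq '^[[:space:]]*(PubkeyAcceptedAlgorithms|PubkeyAcceptedKeyTypes)[[:space:]=]+([^#]*[ ,+])?ssh-rsa([ ,]|$)'
}

# Report the container format of a private key file from its first line.
# "openssh" is what ssh-keygen writes by default; the quoted blog post says
# Rundeck wants the PEM container, which "ssh-keygen -p -m PEM -f KEY"
# produces in place.
private_key_format() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
    '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;
    '-----BEGIN PRIVATE KEY-----')         echo pkcs8 ;;
    *)                                     echo unknown ;;
  esac
}

# Weak stopgap from this thread beside a setting that keeps SHA-1 RSA off.
WEAK_CFG='PubkeyAcceptedKeyTypes=+ssh-rsa'
HARDENED_CFG='PubkeyAcceptedAlgorithms rsa-sha2-256,rsa-sha2-512,ssh-ed25519'

# Demo run over the constructed inputs.
echo "Clients rejected for ssh-rsa (SHA-1):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | rejected_rsa_clients

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
  if printf '%s\n' "$cfg" | sshd_config_reenables_ssh_rsa; then
    echo "WEAK: $cfg"
  else
    echo "ok:   $cfg"
  fi
done

# Constructed placeholder key file: only the armor lines, no real key material.
tmp="$(mktemp -d)"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder-not-a-real-key' \
  '-----END OPENSSH PRIVATE KEY-----' > "$tmp/id_rsa"
fmt="$(private_key_format "$tmp/id_rsa")"
echo "key container: $fmt"
if [ "$fmt" = openssh ]; then
  echo "convert with: ssh-keygen -p -m PEM -f $tmp/id_rsa"
fi
rm -rf "$tmp"
```

Run it against a real node with `journalctl -u ssh | rejected_rsa_clients` and `sshd_config_reenables_ssh_rsa < /etc/ssh/sshd_config`; a host that shows rejections but no `+ssh-rsa` line is one where the client side (here Rundeck's key) still needs migrating rather than the server loosening.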
I was able to work around this using the SSHJ node executor.