
SSH login failures to Fortigates caused by unsupported public key algorithms

Open ebarrett-Ocient opened this issue 1 year ago • 3 comments

When Oxidized logs into my Fortigate firewalls using SSH keys for authentication, there is always a single login failure before Oxidized successfully logs in and retrieves the configuration file. After running some debug logs on the Fortigate, it seems it has to do with the fact that the Fortigate does not support rsa-sha2-256 for public key authentication.

SSH: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256

Is there any way to limit the public key algorithms used by Oxidized so that rsa-sha2-256 isn't used and we don't experience this failed login?

I'm experiencing this issue with the latest docker image running Oxidized version 0.30.1-23-g37c4d8d.

ebarrett-Ocient avatar Aug 01 '24 21:08 ebarrett-Ocient

From what I am seeing and understanding, Oxidized does not provide a direct configuration option to limit or specify the public key algorithms used for SSH authentication. You can try to modify the SSH key or generate a new ssh key pair that uses an older algorithm like RSA? (ssh-keygen -t rsa -b 2048)

MLyszyk avatar Aug 02 '24 20:08 MLyszyk

> From what I am seeing and understanding, Oxidized does not provide a direct configuration option to limit or specify the public key algorithms used for SSH authentication. You can try to modify the SSH key or generate a new ssh key pair that uses an older algorithm like RSA? (ssh-keygen -t rsa -b 2048)

That could be a potential workaround. After doing some further research, it sounds like rsa-sha2-256 is available in FortiOS 7.28 and 7.0.14 (I'm on 7.0.13). I believe I'll test that out first and see if the issue goes away. Honestly, it seems pretty silly to me that the Fortigate is reporting login failures here when oxidized is eventually able to authenticate successfully.

ebarrett-Ocient avatar Aug 02 '24 21:08 ebarrett-Ocient
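The thread above describes a benign pattern (one rejected public key algorithm immediately followed by a successful login from the same client) that shows up in the Fortigate logs as a login failure. The following triage script, an added example that is not part of this issue or of Oxidized, separates that fallback noise from rejections that were never followed by a success. The log format it parses (`<ISO timestamp> <client ip> <message>`) and the sample lines are constructed for the example; only the "unsupported public key algorithm" message text comes from the report above, and the 10-second correlation window is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified sample log (not real FortiOS output):
# "<ISO timestamp> <client ip> <message>". The first client shows the
# fallback pattern from the issue; the second never logs in successfully.
SAMPLE_LOG = """\
2024-08-01T21:00:00 10.0.0.5 SSH: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256
2024-08-01T21:00:01 10.0.0.5 SSH: login successful for user oxidized
2024-08-01T21:05:00 10.0.0.9 SSH: userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
2024-08-01T21:05:30 10.0.0.9 SSH: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
REJECT_RE = re.compile(r"unsupported public key algorithm: (\S+)")
SUCCESS_RE = re.compile(r"login successful")


def parse(text):
    """Turn log lines into (timestamp, source, kind, algorithm) events.

    kind is "reject" (algorithm set) or "success" (algorithm None);
    lines that match neither pattern are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src, msg = m.group(2), m.group(3)
        rej = REJECT_RE.search(msg)
        if rej:
            events.append((ts, src, "reject", rej.group(1)))
        elif SUCCESS_RE.search(msg):
            events.append((ts, src, "success", None))
    return events


def classify(events, window=timedelta(seconds=10)):
    """Label each rejected algorithm per source.

    A rejection followed by a success from the same source within `window`
    (assumed value) is a client fallback to another algorithm; anything
    else is left as unresolved and deserves a look.
    """
    result = {}
    for i, (ts, src, kind, alg) in enumerate(events):
        if kind != "reject":
            continue
        entry = result.setdefault(src, {"fallback": [], "unresolved": []})
        followed_by_success = any(
            s == src and k == "success" and ts <= t2 <= ts + window
            for t2, s, k, _ in events[i + 1:]
        )
        entry["fallback" if followed_by_success else "unresolved"].append(alg)
    return result


def unresolved_sources(summary):
    """Sources with at least one rejection that never led to a login."""
    return sorted(src for src, e in summary.items() if e["unresolved"])


if __name__ == "__main__":
    summary = classify(parse(SAMPLE_LOG))
    for src, entry in sorted(summary.items()):
        print(f"{src}: fallback={entry['fallback']} unresolved={entry['unresolved']}")
    print("needs attention:", unresolved_sources(summary))
```

Run against the device's exported SSH log (after adapting `LINE_RE` to the real line layout) it gives a per-client view of which algorithms the firewall is rejecting, which is also the evidence needed to decide between changing the key type on the Oxidized side and upgrading FortiOS as discussed below.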

see

  • https://github.com/ytti/oxidized/issues/3124
  • https://github.com/ytti/oxidized/issues/3123

systeembeheerder avatar Aug 16 '24 10:08 systeembeheerder

This issue is stale because it has been open 90 days with no activity.

github-actions[bot] avatar Nov 15 '24 02:11 github-actions[bot]

Has this been fixed by 6920e33a068dab67d0a948a3e483d73cce647023 ?

robertcheramy avatar Nov 15 '24 19:11 robertcheramy

It appears I haven't experienced this issue in some time. I did upgrade my Fortigates to 7.2.10 a while back, though, so that may be the reason.

ebarrett-Ocient avatar Nov 15 '24 21:11 ebarrett-Ocient

OK, I'm closing the issue then.

robertcheramy avatar Nov 16 '24 18:11 robertcheramy

For some reason, we couldn't connect to our Fortigates through SSH anymore after upgrading to the 7.4.x series, due to 'Closed connection by the server.' This was solved by regenerating the SSH keys on the Fortigate itself. [execute ssh-regen-keys]

This is probably due to some versions of FortiOS that delivered incompatible keys, which came to the surface after the upgrade. (From the original 7.2.x series it broke, while an older 6.4 > 7.0 > 7.2 > 7.4 kept working.)

This was done besides this fix, which was also needed.

(running on version 0.32.1, and previously on 0.30.1)

rob-on-git avatar Mar 06 '25 09:03 rob-on-git