x/crypto/ssh: can't establish ssh connection using signed key #54027

Open
kt97679 opened this issue Jul 24, 2022 · 11 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

kt97679 commented Jul 24, 2022

What version of Go are you using (go version)?

$ go version
go version go1.18.4 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

ubuntu 18.04 amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/XXX/.cache/go-build"
GOENV="/home/XXX/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/var/tmp/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/var/tmp/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/XXX/bin/go1.18.4"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/XXX/bin/go1.18.4/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/XXX/work/go/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2094095442=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ go run 001-ssh-test.go 127.0.0.1:22
2022/07/24 08:44:16 Connecting to 127.0.0.1:22
2022/07/24 08:44:16 We've got a live session!
$ go run 001-ssh-test.go 10.19.197.10:22
2022/07/24 08:44:25 Connecting to 10.19.197.10:22
2022/07/24 08:44:28 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$ cat 001-ssh-test.go 
package main

import (
        "log"
        "net"
        "os"
        "os/user"

        "golang.org/x/crypto/ssh"
        "golang.org/x/crypto/ssh/agent"
)

func logFatal(err error) {
        if err != nil {
                log.Fatal(err)
        }
}

func main() {

        sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
        logFatal(err)

        u, err := user.Current()
        logFatal(err)

        cfg := &ssh.ClientConfig{
                User: u.Username,
                Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(agent.NewClient(sock).Signers)},
                HostKeyCallback: ssh.InsecureIgnoreHostKey(),
        }

        log.Printf("Connecting to %s\n", os.Args[1])
        client, err := ssh.Dial("tcp", os.Args[1], cfg)
        logFatal(err)

        _, err = client.NewSession()
        logFatal(err)

        log.Println("We've got a live session!")
}
$ cat go.mod 
module test
require golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
require golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
go 1.18
$

What did you expect to see?

Connection is established using signed key.

What did you see instead?

Connection is not established with an error message:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Additional information

I have 2 keys in the agent and I can connect OK via the ssh command to 127.0.0.1 (accepts only unsigned keys) and 10.19.197.10 (accepts only signed keys):

$ ssh-add -l
4096 SHA256:m+Hthc93TjF0wcAoq8OyrKZjDl8LE5ddhQwzwnBA02c /home/XXX/.ssh/id_rsa (RSA)
4096 SHA256:m+Hthc93TjF0wcAoq8OyrKZjDl8LE5ddhQwzwnBA02c /home/XXX/.ssh/id_rsa (RSA-CERT)
$ ssh 127.0.0.1 "dpkg -l|grep openssh"
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
ii  openssh-client                        1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                        1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                   1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
$ ssh 10.19.197.10 "dpkg -l|grep openssh"
ii  openssh-client                        1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                        1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                   1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
$

Versions of the ssh components are in the output above.

gopherbot added this to the Unreleased milestone Jul 24, 2022

kt97679 commented Jul 24, 2022

Hi @FiloSottile, here is an issue I filed per your request. Thanks!

cherrymui (Member) commented

cc @FiloSottile @golang/security

cherrymui added the NeedsInvestigation label Jul 25, 2022
cherrymui changed the title from "x/crypto: can't establish ssh connection using signed key" to "x/crypto/ssh: can't establish ssh connection using signed key" Jul 25, 2022

kt97679 commented Sep 2, 2022

Folks, do you have any news on this by any chance?

kt97679 commented Oct 19, 2022

Any help with resolving this issue will be very much appreciated.

shuLhan (Contributor) commented Oct 19, 2022

@kt97679 Can you run ssh-agent with the -d option and test running your program again?

$ ssh-agent -d -a $SSH_AUTH_SOCK
...
$ go run 001-ssh-test.go 10.19.197.10:22
# wait until exit

and copy-paste the output once the program exits.

kt97679 commented Oct 20, 2022

@shuLhan please find output below. Please let me know if there is anything else I can do to help with debugging.

# shell session 1
$ ssh-agent -d -a /tmp/test-agent
SSH_AUTH_SOCK=/tmp/test-agent; export SSH_AUTH_SOCK;
echo Agent pid 5944;
debug2: fd 3 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 17
debug1: process_message: socket 1 (fd=4) type 17
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11

# shell session 2
$ SSH_AUTH_SOCK=/tmp/test-agent; export SSH_AUTH_SOCK;
$ ssh-add -L
The agent has no identities.
$ ssh-add
Enter passphrase for /home/XXX/.ssh/id_rsa:
Identity added: /home/XXX/.ssh/id_rsa (/home/XXX/.ssh/id_rsa)
Certificate added: /home/XXX/.ssh/id_rsa-cert.pub (midway)
$ ssh-add -L
ssh-rsa [key data removed] /home/XXX/.ssh/id_rsa
ssh-rsa-cert-v01@openssh.com [key data removed] /home/XXX/.ssh/id_rsa
$ go run 001-ssh-test.go 10.19.197.10:22
2022/10/20 08:32:37 Connecting to 10.19.197.10:22
2022/10/20 08:32:39 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$
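
Added example (not part of the original comment and not x/crypto code): the `type N` values in the `ssh-agent -d` output above are SSH agent protocol request numbers, and decoding them shows which agent operations the session triggered. The sketch names each request and counts signature requests (type 13); the function and variable names are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Client request numbers from the SSH agent protocol (draft-miller-ssh-agent).
var agentRequests = map[int]string{
	11: "SSH_AGENTC_REQUEST_IDENTITIES",
	13: "SSH_AGENTC_SIGN_REQUEST",
	17: "SSH_AGENTC_ADD_IDENTITY",
}
var msgLine = regexp.MustCompile(`process_message: socket \d+ \(fd=\d+\) type (\d+)`)

// sampleLog holds lines copied from the `ssh-agent -d` output posted above.
const sampleLog = `debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug1: process_message: socket 1 (fd=4) type 17
debug1: process_message: socket 1 (fd=4) type 17
debug1: process_message: socket 1 (fd=4) type 11
debug1: process_message: socket 1 (fd=4) type 11`

// DecodeAgentLog names each agent request in order and counts signature requests.
func DecodeAgentLog(log string) (names []string, signRequests int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if m := msgLine.FindStringSubmatch(sc.Text()); m != nil {
			n, _ := strconv.Atoi(m[1]) // the pattern only admits digits
			name, ok := agentRequests[n]
			if !ok {
				name = fmt.Sprintf("unknown(%d)", n)
			}
			if n == 13 {
				signRequests++
			}
			names = append(names, name)
		}
	}
	return names, signRequests
}

func main() {
	names, signs := DecodeAgentLog(sampleLog)
	fmt.Println(strings.Join(names, "\n"), "\nsign requests:", signs)
}
```

For the log above it reports three identity listings, two key additions and zero signature requests, so the agent was never asked to sign anything during the failing handshake.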

kt97679 commented Nov 17, 2022

Tried today, still see failure:

go: downloading golang.org/x/crypto v0.3.0
go: downloading golang.org/x/sys v0.2.0
go: downloading golang.org/x/term v0.2.0
go: upgraded golang.org/x/crypto v0.1.0 => v0.3.0
go: upgraded golang.org/x/sys v0.1.0 => v0.2.0
2022/11/16 18:44:55 Connecting to 10.19.197.10:22
2022/11/16 18:44:57 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1

Can I provide more details to help with the fix of this issue?

kt97679 commented Jan 3, 2023

Issue is still there:

$ cat 001-ssh-test.sh
#!/bin/bash

go get -u
go mod tidy
go run 001-ssh-test.go 10.19.197.10:22
$ ./001-ssh-test.sh
go: downloading golang.org/x/crypto v0.4.0
go: downloading golang.org/x/sys v0.3.0
go: downloading golang.org/x/term v0.3.0
go: upgraded golang.org/x/crypto v0.3.0 => v0.4.0
go: upgraded golang.org/x/sys v0.2.0 => v0.3.0
2023/01/02 11:40:54 Connecting to 10.19.197.10:22
2023/01/02 11:40:56 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$

It seems that this is a regression. I have an old binary that works OK with signed keys, and here is its dependency:

$ strings ossh|grep ssh/client.go
/go/pkg/mod/golang.org/x/crypto@v0.0.0-20210817164053-32db794688a5/ssh/client.go
$

kt97679 commented Jan 9, 2023

Issue is reproducible with golang.org/x/crypto v0.5.0

$ ./001-ssh-test.sh
go: downloading golang.org/x/crypto v0.5.0
go: downloading golang.org/x/sys v0.4.0
go: downloading golang.org/x/term v0.4.0
go: upgraded golang.org/x/crypto v0.4.0 => v0.5.0
go: upgraded golang.org/x/sys v0.3.0 => v0.4.0
2023/01/06 10:01:55 Connecting to 10.19.197.10:22
2023/01/06 10:01:57 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$

kt97679 commented Feb 7, 2023

Hi folks, I found a list of versions here: https://deps.dev/go/golang.org%2Fx%2Fcrypto/v0.0.0-20151201002508-7b85b097bf75/versions and was able to identify the versions where the issue was introduced:

$ for x in v0.0.0-20220314234659-1baeb1ce4c0b v0.0.0-20220314234724-5d542ad81a58 v0.0.0-20220315160706-3147a52a75dd; do echo $x && sed -ie "s@\(require golang.org/x/crypto \).*@\1$x@" go.mod && go mod tidy && go run 001-ssh-test.go 10.19.197.10:22; done
v0.0.0-20220314234659-1baeb1ce4c0b
2023/02/06 20:58:16 Connecting to 10.19.197.10:22
2023/02/06 20:58:19 We've got a live session!
v0.0.0-20220314234724-5d542ad81a58
2023/02/06 20:58:19 Connecting to 10.19.197.10:22
2023/02/06 20:58:22 ssh: handshake failed: agent: unsupported algorithm "ssh-rsa"
exit status 1
v0.0.0-20220315160706-3147a52a75dd
2023/02/06 20:58:22 Connecting to 10.19.197.10:22
2023/02/06 20:58:24 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$ 

I really hope this will help with fixing this issue. Thank you.

kt97679 commented Feb 8, 2023
