v8.2.0 breaks SFTP connection with RSA private key

[mariolopes]

I've been using Cyberduck for a while for connecting to an SFTP server (GoAnywhere MFT SFTP Server). Since I upgraded to version 8.2.0 I'm unable to authenticate using an RSA private key file. Downgrading to v8.1.1 fixes it.

[dkocher]

Also reported in #12720.

[ylangisc]

Tried with 2048 and 4096 bits RSA keys but was unable to reproduce the issue. Can you please post a debug log from an authentication attempt? Refer to https://docs.cyberduck.io/cyberduck/support/?highlight=debug#logging-output

[mariolopes]

Here's the log. I've changed the original hostname. Everything else was left untouched.
cyberduck.log

[dkocher]

Relevant login attempts using different authentication methods.

2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Attempt login with 4 authentication methods [ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723, ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6, ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication@245371f3, ch.cyberduck.core.sftp.auth.SFTPPasswordAuthentication@48f347f2]
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,158 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication - Login using agent OpenSSHAgentAuthenticator{proxy=com.jcraft.jsch.agentproxy.AgentProxy@5cfc4ac0} for Host{protocol=Profile{parent=sftp, vendor=iterate GmbH, description=null, image=null}, port=16119, hostname='sftp.hostnameremovedsorry.com', credentials=Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}, uuid='86c2a57b-a621-4622-900f-9ecdbe319386', nickname='OCP', defaultpath='null', workdir=null, labels=[]}
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.openssh.OpenSSHAgentAuthenticator - Retrieve identities from proxy com.jcraft.jsch.agentproxy.AgentProxy@5cfc4ac0
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.openssh.OpenSSHAgentAuthenticator - Found 0 identities
2021-12-30 15:05:36,159 [Thread-77] WARN  ch.cyberduck.core.sftp.SFTPSession - Login refused with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,159 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication - Login using public key authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}
2021-12-30 15:05:36,159 [Thread-77] INFO  ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication - Reading private key Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'} with key format OpenSSH
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `null`
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Trying `publickey` auth...
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.sshj.userauth.method.AuthPublickey - Attempting authentication using PKCS8KeyFile{resource=[PrivateKeyReaderResource] java.io.InputStreamReader@6b7aab42}
2021-12-30 15:05:36,161 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Awaiting <<authenticated>>
2021-12-30 15:05:36,244 [reader] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `false`
2021-12-30 15:05:36,244 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - `publickey` auth failed
2021-12-30 15:05:36,244 [Thread-77] WARN  ch.cyberduck.core.sftp.SFTPSession - Login failed with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6
2021-12-30 15:05:36,244 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,245 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication@245371f3
2021-12-30 15:05:36,245 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication - Login using challenge response authentication for Host{protocol=Profile{parent=sftp, vendor=iterate GmbH, description=null, image=null}, port=16119, hostname='sftp.hostnameremovedsorry.com', credentials=Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}, uuid='86c2a57b-a621-4622-900f-9ecdbe319386', nickname='OCP', defaultpath='null', workdir=null, labels=[]}
2021-12-30 15:05:36,245 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `null`
2021-12-30 15:05:36,245 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Trying `keyboard-interactive` auth...
2021-12-30 15:05:36,246 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Awaiting <<authenticated>>
2021-12-30 15:05:36,287 [reader] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Asking `keyboard-interactive` method to handle USERAUTH_60 packet
2021-12-30 15:05:36,287 [reader] DEBUG net.schmizz.sshj.userauth.method.AuthKeyboardInteractive - Requesting response for challenge `Password:`; echo=false
2021-12-30 15:05:36,287 [reader] DEBUG ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication - Reply to challenge name password with instruction Enter password for inesctec
2021-12-30 15:05:36,287 [reader] DEBUG ch.cyberduck.ui.cocoa.callback.PromptLoginCallback - Prompt for credentials for inesctec

It shows the server is not accepting the key /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk.

[mariolopes]

I'm using the exact same key with version 8.1.2 and it's working fine.

[ylangisc]

Thanks @mariolopes. Can you please share the fingerprint of your private key? That would give me information about the type and size of the key.

ssh-keygen -l -f /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk

[mariolopes]

Weird. It says it's not a key file. Anyway, here's the fingerprint that's on the file header. I thought it was an RSA key but I was wrong. It's a AES-128 key.

-----BEGIN RSA PRIVATE KEY-----
x-Generator: GoAnywhere 6.0.1
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,05f8fcdc2efeb47ed5dd5130500462e9

[alturic]

Same issue, AES256 here though.

Downgraded back to 8.0.0, works flawlessly.

[ylangisc]

@mariolopes You have an RSA private key encrypted with AES-128-CBC. Tried with an encrypted private key too but was still able to properly connect.

Also tried to restrict the used algorithms on the server side to the ones I see in your log.
Negotiated algorithms: [ kex=diffie-hellman-group-exchange-sha256; sig=ssh-rsa; c2sCipher=aes128-cbc; s2cCipher=aes128-cbc; c2sMAC=hmac-sha1; s2cMAC=hmac-sha1; c2sComp=zlib@openssh.com; s2cComp=zlib@openssh.com; ]

Still no luck but I suspect that the change of the signature algorithm priority in the sshj library could be the reason. Refer to iterate-ch/sshj@624747c

Can you please try to connect in debug mode from the command line and post the output? That would let me see the supported algorithms of your server and if we choose an unsupported one.

ssh -i /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk [HOSTNAME] -vv

I'm especially interested in the following two lines:

debug2: KEX algorithms: ...
debug2: host key algorithms: ...

[mariolopes]

Here you go:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

By the way, I have two VPS machines running Ubuntu Focal and we're using an scp wrapper for Python (paramiko). In one of the machines I'm still able to connect. In the other I get the same error (Authentication failed) as with Cyberduck 8.2.0. They're running the exact same versions of openssh-client.

[ylangisc]

@mariolopes What version of Paramiko are you running? You might hit paramiko/paramiko#1955. It would be helpful to post the output as shown in the issue above when trying to connect with Cyberduck 8.2.0.

[mariolopes]

Weird. In the VPS that's still connecting to the SFTP server we're running Paramiko 2.8.1 (older Docker image). In the version that's not connecting, it was upgraded to 2.9.1. There must have been some recent change in the ssh that's breaking the authentication with older SFTP servers.