
Upterm rejecting all ssh connections #93

Closed
larsks opened this issue Feb 11, 2022 · 16 comments · Fixed by #139

@larsks

larsks commented Feb 11, 2022

I was trying to spin up my first upterm session; after running upterm host -- bash I am presented with the expected ssh session information, but when I attempt to connect to that session from another system, I get a "permission denied" error:

[lars@madhatter ~]$ ssh hGjlbiMJqi0M9Jjo4SSo:...@uptermd.upterm.dev
hGjlbiMJqi0M9Jjo4SSo:...@uptermd.upterm.dev: Permission denied (publickey).

I haven't included any --authorized-key argument in my upterm host command so I expected any ssh client to be able to connect.

@Meister1593

Same issue; my friend and I added each other's authorised keys and it still didn't work.

@owenthereal
Owner

owenthereal commented Feb 16, 2022

Can you try again? I found an issue with the uptermd community server and it's now fixed.

@larsks
Author

larsks commented Feb 16, 2022

@owenthereal with the new 0.6.8 release I still see the same behavior. In one window:

$ upterm version
Upterm version v0.6.8
$ upterm host
=== F00BAAKRQQ5KSKK7O60NF
Command:                /bin/bash
Force Command:          n/a
Host:                   ssh://uptermd.upterm.dev:22
SSH Session:            ssh F00BAAkRqq5KSkk7O60nF:MITMONO0LjAuNjM6MjI=@uptermd.upterm.dev
Press <q> or <ctrl-c> to continue...

And in another window:

$ ssh F00BAAkRqq5KSkk7O60nF:MITMONO0LjAuNjM6MjI=@uptermd.upterm.dev
F00BAAkRqq5KSkk7O60nF:MITMONO0LjAuNjM6MjI=@uptermd.upterm.dev: Permission denied (publickey).

(And I see the same behavior when I assign an explicit authorized keys file with --authorized-key option)

@owenthereal
Owner

owenthereal commented Feb 16, 2022

Hmm... I could not reproduce this. Can you try the ssh command with the -vvv flag, e.g. ssh F00BAAkRqq5KSkk7O60nF:MITMONO0LjAuNjM6MjI=@uptermd.upterm.dev -vvv and paste the result here (note that you may want to obfuscate info that is confidential). I suspect this is related to your local ssh config.

@Meister1593

Meister1593 commented Feb 16, 2022

I personally can't connect; it just stays connecting indefinitely (0.6.8 version; 0.6.7 does the same right now).

debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50

These are the last lines from the ssh connection output; it just stays like that, never connects, and then errors with:

Connection closed by 157.230.199.75 port 22

Also, how can I disable pubkey auth for upterm? It asks for my key passphrase to authorise with it on the host (almost as if I were connecting to myself), and I don't want pubkey auth; I just want to share it (or at least share it with a password at most).

@larsks
Author

larsks commented Feb 16, 2022

Can you try the ssh command with the -vvv flag, e.g. ssh F00BAAkRqq5KSkk7O60nF:MITMONO0LjAuNjM6MjI=@uptermd.upterm.dev -vvv and paste the result here (note that you may want to obfuscate info that is confidential). I suspect this is related to your local ssh config

Connecting to uptermd.upterm.dev with ssh -vv:

$ ssh W3JPuwujNLwdjp9fm8PO:MTAuMjQ0LjAuMjI4OjIy@uptermd.upterm.dev
OpenSSH_8.7p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021
debug1: Reading configuration data /home/lars/.ssh/config
debug1: Reading configuration data /home/lars/.ssh/config.d/abc_config
debug1: Reading configuration data /home/lars/.ssh/config.d/house_config
debug1: Reading configuration data /home/lars/.ssh/config.d/def_config
debug1: Reading configuration data /home/lars/.ssh/config.d/mycompany_config
debug1: /home/lars/.ssh/config line 54: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mycompany.conf
debug2: checking match for 'final all' host uptermd.upterm.dev originally uptermd.upterm.dev
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug2: resolve_addr: could not resolve name uptermd.upterm.dev as address: Name or service not known
debug1: re-parsing configuration
debug1: Reading configuration data /home/lars/.ssh/config
debug1: Reading configuration data /home/lars/.ssh/config.d/abc_config
debug1: Reading configuration data /home/lars/.ssh/config.d/house_config
debug1: Reading configuration data /home/lars/.ssh/config.d/def_config
debug1: Reading configuration data /home/lars/.ssh/config.d/mycompany_config
debug1: /home/lars/.ssh/config line 54: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mycompany.conf
debug2: checking match for 'final all' host uptermd.upterm.dev originally uptermd.upterm.dev
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug2: resolving "uptermd.upterm.dev" port 22
debug1: Connecting to uptermd.upterm.dev [157.230.199.75] port 22.
debug1: Connection established.
debug1: identity file /home/lars/.ssh/id_rsa type 0
debug1: identity file /home/lars/.ssh/id_rsa-cert type -1
debug1: identity file /home/lars/.ssh/id_dsa type -1
debug1: identity file /home/lars/.ssh/id_dsa-cert type -1
debug1: identity file /home/lars/.ssh/id_ecdsa type -1
debug1: identity file /home/lars/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/lars/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/lars/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/lars/.ssh/id_ed25519 type -1
debug1: identity file /home/lars/.ssh/id_ed25519-cert type -1
debug1: identity file /home/lars/.ssh/id_ed25519_sk type -1
debug1: identity file /home/lars/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/lars/.ssh/id_xmss type -1
debug1: identity file /home/lars/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version uptermd
debug1: compat_banner: no match: uptermd
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to uptermd.upterm.dev:22 as 'W3JPuwujNLwdjp9fm8PO:MTAuMjQ0LjAuMjI4OjIy'
debug1: load_hostkeys: fopen /home/lars/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:...
debug2: Server host certificate hostname: uptermd.upterm.dev
debug1: load_hostkeys: fopen /home/lars/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'uptermd.upterm.dev' is known and matches the ED25519-CERT host certificate.
debug1: Found CA key in /home/lars/.ssh/known_hosts:390
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/lars/.ssh/id_rsa_myhobby RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_rsa_mycompany RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_rsa RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_dsa
debug1: Will attempt key: /home/lars/.ssh/id_ecdsa
debug1: Will attempt key: /home/lars/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/lars/.ssh/id_ed25519
debug1: Will attempt key: /home/lars/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/lars/.ssh/id_xmss
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/lars/.ssh/id_rsa_myhobby RSA SHA256:...
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/lars/.ssh/id_rsa_mycompany RSA SHA256:...
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/lars/.ssh/id_rsa RSA SHA256:...
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/lars/.ssh/id_dsa
debug1: Trying private key: /home/lars/.ssh/id_ecdsa
debug1: Trying private key: /home/lars/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/lars/.ssh/id_ed25519
debug1: Trying private key: /home/lars/.ssh/id_ed25519_sk
debug1: Trying private key: /home/lars/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
W3JPuwujNLwdjp9fm8PO:MTAuMjQ0LjAuMjI4OjIy@uptermd.upterm.dev: Permission denied (publickey).

Compare that to this connection to a tmate server:

$ ssh XC4DwPpRN6mKS6PQn9bfUcktr@tmate.example.com
OpenSSH_8.7p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021
debug1: Reading configuration data /home/lars/.ssh/config
debug1: Reading configuration data /home/lars/.ssh/config.d/abc_config
debug1: Reading configuration data /home/lars/.ssh/config.d/house_config
debug1: Reading configuration data /home/lars/.ssh/config.d/def_config
debug1: Reading configuration data /home/lars/.ssh/config.d/mycompany_config
debug1: /home/lars/.ssh/config line 54: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mycompany.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/lars/.ssh/config
debug1: Reading configuration data /home/lars/.ssh/config.d/abc_config
debug1: Reading configuration data /home/lars/.ssh/config.d/house_config
debug1: Reading configuration data /home/lars/.ssh/config.d/def_config
debug1: Reading configuration data /home/lars/.ssh/config.d/mycompany_config
debug1: /home/lars/.ssh/config line 54: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mycompany.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to tmate.example.com [123.45.67.89] port 22.
debug1: Connection established.
debug1: identity file /home/lars/.ssh/id_rsa type 0
debug1: identity file /home/lars/.ssh/id_rsa-cert type -1
debug1: identity file /home/lars/.ssh/id_dsa type -1
debug1: identity file /home/lars/.ssh/id_dsa-cert type -1
debug1: identity file /home/lars/.ssh/id_ecdsa type -1
debug1: identity file /home/lars/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/lars/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/lars/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/lars/.ssh/id_ed25519 type -1
debug1: identity file /home/lars/.ssh/id_ed25519-cert type -1
debug1: identity file /home/lars/.ssh/id_ed25519_sk type -1
debug1: identity file /home/lars/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/lars/.ssh/id_xmss type -1
debug1: identity file /home/lars/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version tmate
debug1: compat_banner: no match: tmate
debug1: Authenticating to tmate.example.com:22 as 'XC4DwPpRN6mKS6PQn9bfUcktr'
debug1: load_hostkeys: fopen /home/lars/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:...
debug1: load_hostkeys: fopen /home/lars/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'tmate.example.com' is known and matches the RSA host key.
debug1: Found key in /home/lars/.ssh/known_hosts:629
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/lars/.ssh/id_rsa_myhobby RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_rsa_mycompany RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_rsa RSA SHA256:...
debug1: Will attempt key: /home/lars/.ssh/id_dsa 
debug1: Will attempt key: /home/lars/.ssh/id_ecdsa 
debug1: Will attempt key: /home/lars/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/lars/.ssh/id_ed25519 
debug1: Will attempt key: /home/lars/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/lars/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Enabling compression at level 6.
Authenticated to tmate.example.com ([123.45.67.89]:22) using "none".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: channel 0: setting env XMODIFIERS = "@im=ibus"
debug1: channel 0: setting env LANG = "en_US.UTF-8"

@owenthereal
Owner

Did you press q or ctrl-c to accept the connection in your host? Notice the hint:

Press <q> or <ctrl-c> to continue...

@larsks
Author

larsks commented Feb 17, 2022

I did, yes. If you don't press q or ctrl-c, the connection blocks. It's not rejected until after you activate the terminal.

@owenthereal
Owner

I can finally reproduce it. It happens when I don't have the key in the ssh-agent. I will see where the problem is, fix it and report back. It's likely a recent change that broke it.

@owenthereal
Owner

owenthereal commented Feb 19, 2022

Okay, the root of the issue is that since openssh 8.8 (2021-09-26), the host algorithm type ssh-rsa was retired in favor of rsa-sha2-256 & rsa-sha2-512 (release note). This breaks a lot of ssh servers, including upterm. The Go issue that tracks the fixes of the Go ssh library is here. I will closely monitor it and pull in changes. Can you do a quick check of your openssh version with:

$ ssh -V

What happens is that you only have an RSA key in your ~/.ssh, and upterm is not ready to handle the openssh 8.8+ client that deprecates the ssh-rsa host algorithm type. However, openssh 8.8+ using other key types works with upterm, e.g. Ed25519. For now, you can work around it by adding the ssh-rsa type back:

ssh UPTERM_URL -o "PubkeyAcceptedKeyTypes +ssh-rsa" -o "HostKeyAlgorithms +ssh-rsa"

You can also put the following in your ~/.ssh/config to save you from typing the -o flags for every Upterm ssh command:

Host uptermd.upterm.dev
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

I would strongly recommend you upgrade all your ssh keys to Ed25519 because that's the most secure ssh algorithm and is recommended over the others: https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54.

I will leave this issue open until upterm is updated with the fixed Go ssh library. Hope this helps.
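
An added diagnostic, not part of this thread or of the upterm project: it walks `ssh -vvv` output as a small state machine for the pattern described above (RSA keys offered, each answered by "no mutual signature algorithm", ending in "Permission denied (publickey)") and for the accepted-key-but-rejected-signature case reported later in this thread, then returns the Host-scoped ssh_config stanza as the workaround. The transcript excerpts inside are constructed from the logs quoted here with shortened fingerprints; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the `ssh -vvv` output quoted in the thread (OpenSSH 8.2 - 8.8).
VERSION_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")
OFFER_RE = re.compile(r"^debug1: Offering public key: (\S+) (\S+) SHA256:")
ACCEPTS_RE = re.compile(r"^debug1: Server accepts key: (\S+) (\S+) SHA256:")
NO_MUTUAL = "debug1: send_pubkey_test: no mutual signature algorithm"
CAN_CONTINUE = "debug1: Authentications that can continue:"


@dataclass
class Diagnosis:
    client_version: tuple = ()                              # (major, minor) from the banner line
    not_signable: list = field(default_factory=list)        # (path, type): no mutual signature algorithm
    accepted: list = field(default_factory=list)            # (path, type) the server said it accepts
    signature_rejected: list = field(default_factory=list)  # accepted keys whose signed response failed
    authenticated: bool = False
    permission_denied: bool = False
    verdict: str = ""


def parse_version(text):
    """Return (major, minor) from the 'OpenSSH_X.Yp1 ...' banner line, or () if absent."""
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return (int(m.group(1)), int(m.group(2)))
    return ()


def diagnose(text):
    """Walk the transcript as a small state machine over the publickey method."""
    d = Diagnosis(client_version=parse_version(text))
    offered = accepted = None  # key awaiting the client-side sig check / the server's final answer
    for line in text.splitlines():
        if m := OFFER_RE.match(line):
            offered = (m.group(1), m.group(2))
        elif line.startswith(NO_MUTUAL) and offered:
            d.not_signable.append(offered)  # client will not sign with ssh-rsa; server has no rsa-sha2-*
            offered = None
        elif m := ACCEPTS_RE.match(line):
            accepted = (m.group(1), m.group(2))
            d.accepted.append(accepted)
        elif line.startswith(CAN_CONTINUE) and accepted:
            d.signature_rejected.append(accepted)  # the key was fine, the signature was not
            accepted = None
        elif line.startswith("Authenticated to "):
            d.authenticated = True
        elif "Permission denied (publickey)" in line:
            d.permission_denied = True
    d.verdict = _verdict(d)
    return d


def _verdict(d):
    if d.authenticated:
        return "authenticated: public key authentication succeeded"
    if d.signature_rejected:
        return ("signature rejected: server accepted %s but refused the signed response; check the "
                "host-side log (the thread's upterm.log showed 'ssh: cert is not yet valid')"
                % d.signature_rejected[0][0])
    if d.not_signable and all(t == "RSA" for _, t in d.not_signable) and not d.accepted:
        return ("ssh-rsa mismatch: every offered key was RSA and no signature algorithm was shared; "
                "OpenSSH 8.8+ no longer signs with ssh-rsa (the thread's 8.7p1 FIPS build behaves the same) "
                "and this server lacks rsa-sha2-256/512. Use an Ed25519 key or apply rsa_workaround_config().")
    if d.permission_denied:
        return "denied: no offered key was accepted; check the session's authorized keys"
    return "no public key failure detected"


def rsa_workaround_config(host="uptermd.upterm.dev"):
    """The ssh_config stanza from the thread, scoped to one Host so ssh-rsa is not re-enabled globally."""
    return f"Host {host}\n    PubkeyAcceptedAlgorithms +ssh-rsa\n    HostkeyAlgorithms +ssh-rsa\n"


# Constructed transcript excerpts modelled on those quoted in the thread (fingerprints shortened).
FAILING_RSA = """\
OpenSSH_8.8p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/lars/.ssh/id_rsa_myhobby RSA SHA256:AAAA
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/lars/.ssh/id_rsa RSA SHA256:BBBB
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
abc:def@uptermd.upterm.dev: Permission denied (publickey).
"""

SIGNATURE_REJECTED = """\
OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f  31 Mar 2020
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CCCC agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CCCC agent
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:CCCC
debug1: Authentications that can continue: publickey
abc:def@uptermd.upterm.dev: Permission denied (publickey).
"""
```

Feed it a real transcript with `diagnose(open("ssh.log").read()).verdict`; the two samples exercise the RSA mismatch and the rejected-signature outcomes respectively.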

@larsks
Author

larsks commented Feb 21, 2022

Thanks, that was it. Seems to be working fine now!

@arch1mede

arch1mede commented Mar 12, 2022

Hi, I have followed the above but am getting the same thing, since tmate no longer works:

more /root/.ssh/config
Host uptermd.upterm.dev
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

I still get the following:

upterm host
Error: ssh://uptermd.upterm.dev:22: Permission denied (publickey).

upterm host -- bash
Error: ssh://uptermd.upterm.dev:22: Permission denied (publickey).

Any other suggestions?

@owenthereal
Owner

owenthereal commented Mar 13, 2022

@arch1mede:

Any other suggestions?

I would recommend you stop using any RSA key with upterm for now and generate a new pair of Ed25519 keys. Besides working with upterm, Ed25519 is the most secure key algorithm compared to others.

  1. Remove any RSA keys in ~/.ssh
  2. Remove any RSA keys in ssh agent, because ssh will attempt keys in the agent if there are any
  3. Generate an Ed25519 key pair

@arch1mede

Well, where I was going with that was that following the instructions to support RSA still doesn't work and still produces an error, whereas @larsks got it to work.

owenthereal added a commit that referenced this issue Mar 15, 2022
@edmundlaugasson

edmundlaugasson commented May 5, 2022

I used upterm v0.8.2 on Ubuntu 20.04 LTS. On the target host the OpenSSH server was set up with default options. On the client side an Ed25519 key pair was generated without a password. The public key was copied via the ssh-copy-id command to the target host running upterm, which is a VirtualBox virtual machine (VM). Connecting directly via SSH works fine with the same Ed25519 key, but not via the uptermd.upterm.dev server.
SSH connection debug information:

ssh -vvv G5Ei25LNKd9MY1bUfSf9:MTAuMjQ0LjEuMTQ3OjIy@uptermd.upterm.dev
OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "uptermd.upterm.dev" port 22
debug2: ssh_connect_direct
debug1: Connecting to uptermd.upterm.dev [157.230.199.75] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type 3
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version uptermd
debug1: no match: uptermd
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to uptermd.upterm.dev:22 as 'G5Ei25LNKd9MY1bUfSf9:MTAuMjQ0LjEuMTQ3OjIy'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from uptermd.upterm.dev
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:9ajV8JqMe6jJE/s3TYjb/9xw7T0pfJ2+gADiBIJWDPE, serial 0 ID "uptermd" CA ssh-ed25519 SHA256:9ajV8JqMe6jJE/s3TYjb/9xw7T0pfJ2+gADiBIJWDPE valid forever
debug2: Server host certificate hostname: uptermd.upterm.dev
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ED25519 in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from uptermd.upterm.dev
debug1: No matching CA found. Retry with plain key
debug1: Host 'uptermd.upterm.dev' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:QBuMAeoXakXRcU3BSPW2xZpw1lNrYhlCtXjJNkn8tcs agent
debug1: Will attempt key: user@remote RSA SHA256:2u/VQG0ADJX9DuHMpvU3Ke+ym1BHl0F9vjexOSxHnCg agent
debug1: Will attempt key: /home/user/.ssh/id_rsa 
debug1: Will attempt key: /home/user/.ssh/id_dsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:QBuMAeoXakXRcU3BSPW2xZpw1lNrYhlCtXjJNkn8tcs agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:QBuMAeoXakXRcU3BSPW2xZpw1lNrYhlCtXjJNkn8tcs agent
debug3: sign_and_send_pubkey: ED25519 SHA256:QBuMAeoXakXRcU3BSPW2xZpw1lNrYhlCtXjJNkn8tcs
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:QBuMAeoXakXRcU3BSPW2xZpw1lNrYhlCtXjJNkn8tcs
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: user@remote RSA SHA256:2u/VQG0ADJX9DuHMpvU3Ke+ym1BHl0F9vjexOSxHnCg agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: user@remote RSA SHA256:2u/VQG0ADJX9DuHMpvU3Ke+ym1BHl0F9vjexOSxHnCg agent
debug3: sign_and_send_pubkey: RSA SHA256:2u/VQG0ADJX9DuHMpvU3Ke+ym1BHl0F9vjexOSxHnCg
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:2u/VQG0ADJX9DuHMpvU3Ke+ym1BHl0F9vjexOSxHnCg
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa_sk
debug3: no such identity: /home/user/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519_sk
debug3: no such identity: /home/user/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
G5Ei25LNKd9MY1bUfSf9:MTAuMjQ0LjEuMTQ3OjIy@uptermd.upterm.dev: Permission denied (publickey).

Relevant part from ~/.upterm/upterm.log:

time="2022-05-05T18:12:07+03:00" level=info msg="Etablishing reverse tunnel" server="ssh://uptermd.upterm.dev:22"
time="2022-05-05T18:12:08+03:00" level=info msg="Established reverse tunnel" server="ssh://uptermd.upterm.dev:22" session=G5Ei25LNKd9MY1bUfSf9
time="2022-05-05T18:12:08+03:00" level=info msg="Starting sshd server" cmd="[/bin/bash]" force-cmd="[]" server="ssh://uptermd.upterm.dev:22" session=G5Ei25LNKd9MY1bUfSf9
time="2022-05-05T18:12:54+03:00" level=error msg="error parsing auth request from cert" com=server error="ssh: cert is not yet valid"
time="2022-05-05T18:12:54+03:00" level=error msg="connection failed" com=server error="[ssh: no auth passed yet, permission denied]"

Sometimes I cannot even start a connection with the upterm server:

upterm host
Error: ssh://uptermd.upterm.dev:22: Permission denied (publickey).
FATA[0001] ssh://uptermd.upterm.dev:22: Permission denied (publickey).

But when I used the OpenSSH 9.0 server on Arch-based EndeavourOS, it worked! I could connect even from Ubuntu 20.04, where the OpenSSH 8.2 client was used.

I noticed that when upterm 0.8.2 was started on Ubuntu 20.04 (which has OpenSSH_8.2p1, OpenSSL 1.1.1f), then on the first connection:

The authenticity of host 'uptermd.upterm.dev (157.230.199.75)' can't be established.
ED25519 key fingerprint is SHA256:9ajV8JqMe6jJE/s3TYjb/9xw7T0pfJ2+gADiBIJWDPE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

... and the ~/.ssh/authorized_keys file got this content:
@cert-authority uptermd.upterm.dev,157.230.199.75 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiecex8Dq718eSe1CCLgLvDmI7AagvCtax7brPFWkh4

But when upterm was started on EndeavourOS, which has OpenSSH_9.0p1, OpenSSL 1.1.1o, then on the first connection:

The authenticity of host 'uptermd.upterm.dev (157.230.199.75)' can't be established.
ED25519 key fingerprint is SHA256:9ajV8JqMe6jJE/s3TYjb/9xw7T0pfJ2+gADiBIJWDPE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Warning: Permanently added 'uptermd.upterm.dev,157.230.199.75' (ED25519) to the list of known hosts.

... and the ~/.ssh/authorized_keys file got this content:

|1|OmiJ6bltf9A21mUO2E+Bzi7OVac=|s+dCw0RJid+PQ3xa5D867zK4M0Y= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiecex8Dq718eSe1CCLgLvDmI7AagvCtax7brPFWkh4
|1|jdhVsW8hvRVLmMqkP/apGtiolbE=|4g18zj2bK3nSRS7GMa/fhDMyRZY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiecex8Dq718eSe1CCLgLvDmI7AagvCtax7brPFWkh4

When I tried to connect from Win11 (21H2, 22000.376), then on the first connection (although the connection did not succeed):

The authenticity of host 'uptermd.upterm.dev (157.230.199.75)' can't be established.
ED25519 key fingerprint is SHA256:9ajV8JqMe6jJE/s3TYjb/9xw7T0pfJ2+gADiBIJWDPE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

... and the %userprofile%\.ssh\authorized_keys file got this content:
uptermd.upterm.dev,157.230.199.75 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiecex8Dq718eSe1CCLgLvDmI7AagvCtax7brPFWkh4
Now the question is: which OpenSSH versions are supported with which upterm version?

@Eliav2

Eliav2 commented Sep 23, 2023

Running the following command fixed the problem:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "your_email@example.com"

(your machine needs to have an ssh key associated with it)
