Authentication (publickey) failed although client and server side agreed on rsa-sha2-512 pubkey algorithm #2064

Open
gatici opened this issue Jun 2, 2022 · 3 comments

gatici commented Jun 2, 2022

Hello,

While connecting to a server using paramiko version 2.11.0, authentication sometimes fails with the logs below.
The logs report that both sides have already agreed to use rsa-sha2-512 as the pubkey algorithm.
The private key is correct and works for authentication.

Could you please help to solve this problem?
Thanks.

2022-06-02T02:41:07.944488564Z 2022-06-02 02:41:07,944 DEBUG paramiko.transport transport.py:1874 === Key exchange possibilities ===
2022-06-02T02:41:07.944809360Z 2022-06-02 02:41:07,944 DEBUG paramiko.transport transport.py:1874 kex algos: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256
2022-06-02T02:41:07.945034082Z 2022-06-02 02:41:07,944 DEBUG paramiko.transport transport.py:1874 server key: rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
2022-06-02T02:41:07.945183100Z 2022-06-02 02:41:07,944 DEBUG paramiko.transport transport.py:1874 client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
2022-06-02T02:41:07.945420795Z 2022-06-02 02:41:07,945 DEBUG paramiko.transport transport.py:1874 server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
2022-06-02T02:41:07.945519395Z 2022-06-02 02:41:07,945 DEBUG paramiko.transport transport.py:1874 client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
2022-06-02T02:41:07.945764799Z 2022-06-02 02:41:07,945 DEBUG paramiko.transport transport.py:1874 server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
2022-06-02T02:41:07.945930087Z 2022-06-02 02:41:07,945 DEBUG paramiko.transport transport.py:1874 client compress: none, zlib@openssh.com
2022-06-02T02:41:07.946090467Z 2022-06-02 02:41:07,945 DEBUG paramiko.transport transport.py:1874 server compress: none, zlib@openssh.com
2022-06-02T02:41:07.946270131Z 2022-06-02 02:41:07,946 DEBUG paramiko.transport transport.py:1874 client lang:
2022-06-02T02:41:07.946431865Z 2022-06-02 02:41:07,946 DEBUG paramiko.transport transport.py:1874 server lang:
2022-06-02T02:41:07.946614020Z 2022-06-02 02:41:07,946 DEBUG paramiko.transport transport.py:1874 kex follows: False
2022-06-02T02:41:07.946801210Z 2022-06-02 02:41:07,946 DEBUG paramiko.transport transport.py:1874 === Key exchange agreements ===
2022-06-02T02:41:07.947073988Z 2022-06-02 02:41:07,946 DEBUG paramiko.transport transport.py:1874 Kex: curve25519-sha256@libssh.org
2022-06-02T02:41:07.947298385Z 2022-06-02 02:41:07,947 DEBUG paramiko.transport transport.py:1874 HostKey: ssh-ed25519
2022-06-02T02:41:07.947579492Z 2022-06-02 02:41:07,947 DEBUG paramiko.transport transport.py:1874 Cipher: aes128-ctr
2022-06-02T02:41:07.947772799Z 2022-06-02 02:41:07,947 DEBUG paramiko.transport transport.py:1874 MAC: hmac-sha2-256
2022-06-02T02:41:07.947987423Z 2022-06-02 02:41:07,947 DEBUG paramiko.transport transport.py:1874 Compression: none
2022-06-02T02:41:07.948113563Z 2022-06-02 02:41:07,947 DEBUG paramiko.transport transport.py:1874 === End of kex handshake ===
2022-06-02T02:41:07.961185357Z 2022-06-02 02:41:07,960 DEBUG paramiko.transport transport.py:1874 kex engine KexCurve25519 specified hash_algo
2022-06-02T02:41:07.962209102Z 2022-06-02 02:41:07,961 DEBUG paramiko.transport transport.py:1874 Switch to new keys ...
2022-06-02T02:41:07.963202607Z 2022-06-02 02:41:07,962 DEBUG paramiko.transport transport.py:1874 Adding ssh-ed25519 host key for 172.21.248.210: b'ee3ccd0f1e2eafd13ed62a1ed85ca70b'
2022-06-02T02:41:07.964281585Z 2022-06-02 02:41:07,963 DEBUG paramiko.transport transport.py:1874 Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com'}
2022-06-02T02:41:07.965501521Z 2022-06-02 02:41:07,965 DEBUG paramiko.transport transport.py:1874 Trying SSH key b'244f4f53fc0770febfad0c3a3b76ff15'
2022-06-02T02:41:07.967348581Z 2022-06-02 02:41:07,966 DEBUG paramiko.transport transport.py:1874 userauth is OK
2022-06-02T02:41:07.967545579Z 2022-06-02 02:41:07,967 DEBUG paramiko.transport transport.py:1874 Finalizing pubkey algorithm for key of type 'ssh-rsa'
2022-06-02T02:41:07.967567108Z 2022-06-02 02:41:07,967 DEBUG paramiko.transport transport.py:1874 Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
2022-06-02T02:41:07.967887274Z 2022-06-02 02:41:07,967 DEBUG paramiko.transport transport.py:1874 Server-side algorithm list: ['ssh-ed25519', 'sk-ssh-ed25519@openssh.com', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'sk-ecdsa-sha2-nistp256@openssh.com']
2022-06-02T02:41:07.967936793Z 2022-06-02 02:41:07,967 DEBUG paramiko.transport transport.py:1874 Agreed upon 'rsa-sha2-512' pubkey algorithm
2022-06-02T02:41:07.989505635Z 2022-06-02 02:41:07,989 INFO paramiko.transport transport.py:1874 Authentication (publickey) failed.

It was tested again with another server: when the authentication is successful, the server-side algorithm list is different.

022-06-02T03:48:03.301965061Z 2022-06-02 03:48:03,298 DEBUG paramiko.transport transport.py:1874 Server-side algorithm list: ['ssh-ed25519', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521']

@gatici gatici changed the title Authentication (publickey) failed with while client and server side already agreed on rsa-sha2-512 pubkey algorithm Authentication (publickey) failed although client and server side already agreed on rsa-sha2-512 pubkey algorithm Jun 2, 2022
@gatici gatici changed the title Authentication (publickey) failed although client and server side already agreed on rsa-sha2-512 pubkey algorithm Authentication (publickey) failed although client and server side agreed on rsa-sha2-512 pubkey algorithm Jun 2, 2022
Author

gatici commented Jun 2, 2022

Hello,

We observed that this problem happens if the server side uses OpenSSH_8.2p1.
The issue happened with paramiko versions 2.9.2, 2.10.3 and 2.11.0.

2022-06-02T02:40:31.695178961Z 2022-06-02 02:40:31,691 DEBUG paramiko.transport transport.py:1874 starting thread (client mode): 0x70a89a00
2022-06-02T02:40:31.695222235Z 2022-06-02 02:40:31,691 DEBUG paramiko.transport transport.py:1874 Local version/idstring: SSH-2.0-paramiko_2.11.0
2022-06-02T02:40:31.709064067Z 2022-06-02 02:40:31,708 DEBUG paramiko.transport transport.py:1874 Remote version/idstring: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
2022-06-02T02:40:31.709104126Z 2022-06-02 02:40:31,708 INFO paramiko.transport transport.py:1874 Connected (version 2.0, client OpenSSH_8.2p1)

Contributor

jun66j5 commented Jun 4, 2022

Unable to reproduce the issue. Authentication (publickey) failed is logged because the SSH server sent a userauth failure. I think your public key is not added to your authorized_keys.

  • Check the SSH server's log
  • Make sure the public/private key pair is valid

DEB [20220604-09:36:47.915] thr=1   paramiko.transport: starting thread (client mode): 0xcb67feb0
DEB [20220604-09:36:47.916] thr=1   paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.11.0
DEB [20220604-09:36:47.921] thr=1   paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
INF [20220604-09:36:47.921] thr=1   paramiko.transport: Connected (version 2.0, client OpenSSH_8.2p1)
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: === Key exchange possibilities ===
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: kex algos: sntrup4591761x25519-sha512@tinyssh.org, curve25519-sha256@libssh.org, curve25519-sha256, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group18-sha512, diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: server key: rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: client compress: none, zlib@openssh.com
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: server compress: none, zlib@openssh.com
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: client lang: <none>
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: server lang: <none>
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: kex follows: False
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: === Key exchange agreements ===
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: Kex: curve25519-sha256@libssh.org
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: HostKey: ssh-ed25519
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: Cipher: aes128-ctr
DEB [20220604-09:36:47.922] thr=1   paramiko.transport: MAC: hmac-sha2-256
DEB [20220604-09:36:47.923] thr=1   paramiko.transport: Compression: none
DEB [20220604-09:36:47.923] thr=1   paramiko.transport: === End of kex handshake ===
DEB [20220604-09:36:47.929] thr=1   paramiko.transport: kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEB [20220604-09:36:47.929] thr=1   paramiko.transport: Switch to new keys ...
DEB [20220604-09:36:47.929] thr=1   paramiko.transport: Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com'}
DEB [20220604-09:36:47.963] thr=1   paramiko.transport: userauth is OK
DEB [20220604-09:36:47.963] thr=1   paramiko.transport: Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEB [20220604-09:36:47.963] thr=1   paramiko.transport: Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEB [20220604-09:36:47.963] thr=1   paramiko.transport: Server-side algorithm list: ['ssh-ed25519', 'sk-ssh-ed25519@openssh.com', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'sk-ecdsa-sha2-nistp256@openssh.com']
DEB [20220604-09:36:47.963] thr=1   paramiko.transport: Agreed upon 'rsa-sha2-512' pubkey algorithm
INF [20220604-09:36:47.971] thr=1   paramiko.transport: Authentication (publickey) successful!

Contributor

jun66j5 commented Jun 4, 2022

In addition, confirm that publickey authentication passes using the ssh client (/usr/bin/ssh).
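
Whether the offered key is present in authorized_keys, as raised in the comments above, can be checked from the debug log itself: the hex string paramiko logs after "Trying SSH key" is the MD5 fingerprint of the public key blob, the same bytes that are base64-encoded in an authorized_keys entry. The following is an added example, not code from this thread or from the paramiko project; the function names and the sample key blobs are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

# A key-type token followed by its base64 blob; options may precede it.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")
TRYING_RE = re.compile(r"Trying SSH key b'([0-9a-f]{32})'")


def authorized_fingerprints(text):
    """Return {md5_hex_fingerprint: key_type} for valid authorized_keys entries."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for key_type, b64 in KEY_RE.findall(line):
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue  # not base64, e.g. text inside an options field
            # A real blob begins with a length-prefixed copy of the key type.
            if len(blob) < 4:
                continue
            (name_len,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + name_len] != key_type.encode():
                continue
            found[hashlib.md5(blob).hexdigest()] = key_type
            break
    return found


def triage(log_text, authorized_keys_text):
    """For each key the client offered, report the matching entry type or None."""
    known = authorized_fingerprints(authorized_keys_text)
    return [(fp, known.get(fp)) for fp in TRYING_RE.findall(log_text)]


def constructed_rsa_blob(modulus):
    """Constructed sample public-key blob in SSH wire format (not a usable key)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    return field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)


if __name__ == "__main__":
    offered = constructed_rsa_blob(b"\x00" + b"\xc3" * 256)
    other = constructed_rsa_blob(b"\x00" + b"\xa5" * 256)
    keys = 'no-pty,command="/bin/true" ssh-rsa %s ops@example\n' % base64.b64encode(other).decode()
    log = "DEBUG paramiko.transport Trying SSH key b'%s'\n" % hashlib.md5(offered).hexdigest()
    print(triage(log, keys))
```

A `None` next to a fingerprint means the file has no entry for the key the client offered, which is consistent with a userauth failure that follows a successful pubkey algorithm agreement.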
