Failed: SSHProtocolFailure: invalid privatekey: [B@5dbcf05 #6022

Closed
bdietric5 opened this issue May 5, 2020 · 4 comments

Describe the bug
I made a private and public SSH key with the command ssh-keygen -t rsa -b 4096 on my Rundeck server. I added the private key to the key storage through the web interface, and added the public key to the VM I want to use SSH with: I copied it with scp and then appended it to ~/.ssh/authorized_keys with cat key >> authorized_keys.
But when I try to run a command from the web interface, for example uptime, I get the following errors.

13:33:33 deb9Failed: SSHProtocolFailure: invalid privatekey: [B@cf6e042
13:33:33 localhost 13:33:33 up 15 min, 1 user, load average: 0,41, 0,46, 0,46
13:33:33 Execution failed: 111 in project test1: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [deb9: SSHProtocolFailure: invalid privatekey: [B@cf6e042 + {dataContext=MultiDataContextImpl(map={ContextView(step:1, node:deb9)=BaseDataContext{{exec={exitCode=-1}}}, ContextView(node:deb9)=BaseDataContext{{exec={exitCode=-1}}}}, base=null)} ]}, Node failures: {deb9=[SSHProtocolFailure: invalid privatekey: [B@cf6e042 + {dataContext=MultiDataContextImpl(map={ContextView(step:1, node:deb9)=BaseDataContext{{exec={exitCode=-1}}}, ContextView(node:deb9)=BaseDataContext{{exec={exitCode=-1}}}}, base=null)} ]}, status: failed]

My Rundeck detail

  • Rundeck version: 3.2
  • install type: [choose: rpm,deb,war,launcher] apt-get install rundeck
  • OS Name/version: Debian 10
  • DB Type/version: [choose: mysql, postgres, mssql, oracle, ... ] mysql

To Reproduce
Steps to reproduce the behavior:
file configuration for nodes :

Project configuration :
#Tue May 05 13:35:34 CEST 2020
#edit below
project.description=test1
project.disable.executions=false
project.disable.schedule=false
project.execution.history.cleanup.batch=500
project.execution.history.cleanup.enabled=false
project.execution.history.cleanup.retention.days=60
project.execution.history.cleanup.retention.minimum=50
project.execution.history.cleanup.schedule=0 0 0 1/1 * ? *
project.jobs.gui.groupExpandLevel=1
project.label=test1
project.name=test1
project.output.allowUnsanitized=false
project.ssh-authentication=privateKey
project.ssh-command-timeout=0
project.ssh-connect-timeout=0
project.ssh-keypath=/var/lib/rundeck/.ssh/id_rsa
resources.source.1.config.file=/var/lib/rundeck/projects/test1/etc/resources.xml
resources.source.1.config.format=resourcexml
resources.source.1.config.generateFileAutomatically=true
resources.source.1.config.includeServerNode=true
resources.source.1.config.writeable=true
resources.source.1.type=file
service.FileCopier.default.provider=jsch-scp
service.NodeExecutor.default.provider=jsch-ssh

On the Rundeck server: ssh-keygen -t rsa -b 4096
No name or passphrase specified.

Add the private key to Key Storage in Rundeck Web Interface, add the public key to other VM and add it in the VM authorized_keys.

Expected behavior
Be able to run command with SSH in Web interface

Screenshots

Desktop (please complete the following information):

  • OS: Debian 10
  • Browser [e.g. chrome, safari] Firefox

bdietric5 changed the title SS Failed: SSHProtocolFailure: invalid privatekey: [B@5dbcf05 May 5, 2020

MegaDrive68k commented May 6, 2020

Hi, I followed these steps and it works:

  1. If you're using a WAR-based installation, execute: ssh-keygen -t rsa -b 4096. That generates two keys (private and public) in the .ssh directory of the user that launches Rundeck. If you're using an RPM/DEB installation, those keys are already created in the /var/lib/rundeck path.

  2. Go to the remote SSH node (the account that you want to connect to from Rundeck) and add the Rundeck server user's public key to the authorized_keys file. Then you can test that connection by running ssh user@xxx.xxx.xxx.xxx from the Rundeck server user account.

  3. Launch Rundeck and add the Rundeck server user's private key to the key store (remember to include the first and the last line, "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----"). In my case I use the path keys/rundeck.

  4. Create a new Project and then create the resources.xml file with the remote node information. To generate that file, go to Project Settings > Edit Nodes > click the "Configure Nodes" button > click "Add Sources +" > select the "+ File" option > in the "Format" field select resourcexml and fill in the path in the "File Path" field (put the file name at the end, usually "resources.xml"). Also select the "Generate", "Include Server Node" and "Writeable" checkboxes and click the "Save" button.

Now you can edit that file to include the remote node, in my case "node00" (a Vagrant test image). In the key-storage-path attribute I used the same path created in step 3:

<?xml version="1.0" encoding="UTF-8"?>

<project>
  <node name="hyperion" description="Rundeck server node" tags="" hostname="hyperion" osArch="amd64" osFamily="unix" osName="Linux" osVersion="4.15.0-66-generic" username="ruser"/>
  <node name="node00" description="Node 00" tags="" hostname="192.168.33.20" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.10.0-1062.4.1.el7.x86_64" username="vagrant" ssh-key-storage-path="keys/rundeck"/>
</project>

  5. In the Rundeck GUI, go to the sidebar and check your nodes in the "Nodes" section.

[image: Screenshot_3]

  6. Go to "Commands" (sidebar), put the SSH remote node name as a filter and launch any command like:

[image: Screenshot_2]

Hope it helps!

nneul commented Jan 16, 2022

This is an old thread, but I wasted a bunch of time following rabbit trails on this. In case it helps anyone hitting this with a google search - make sure your framework ssh key has "BEGIN RSA PRIVATE KEY" instead of "BEGIN OPENSSH PRIVATE KEY". The latter will not work. You will need to convert it with:

ssh-keygen -p -f /var/lib/rundeck/.ssh/id_rsa -m pem

or similar.
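
A pre-flight check for the two conditions reported in this thread (the armor must read BEGIN RSA PRIVATE KEY, and the first and last lines must both be present), added here as an example and not part of the original comments. The function names and labels are this example's own, and the sample files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: classify a private key file by its armor lines before it goes
# into Rundeck Key Storage. Function names and labels are this example's own.

# key_format FILE: print one label; always returns 0.
key_format() {
    # Drop CRs (Windows copy/paste) and blank lines, then take first/last line.
    first=$(tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d' | sed -n '1p')
    last=$(tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d' | sed -n '$p')
    case $first in
        "-----BEGIN RSA PRIVATE KEY-----")
            kind=rsa-pem; end="-----END RSA PRIVATE KEY-----" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            kind=openssh; end="-----END OPENSSH PRIVATE KEY-----" ;;
        "-----BEGIN "*) echo other; return 0 ;;
        *)              echo missing-header; return 0 ;;
    esac
    # A paste that lost its last line still has a valid header.
    if [ "$last" = "$end" ]; then echo "$kind"; else echo "$kind-truncated"; fi
}

# check_key FILE: return 0 only for the form the thread reports as working.
check_key() {
    fmt=$(key_format "$1")
    case $fmt in
        rsa-pem) echo "$1: ok (BEGIN RSA PRIVATE KEY, first and last line present)" ;;
        openssh) echo "$1: OPENSSH format; convert a copy: ssh-keygen -p -f COPY -m pem"
                 return 1 ;;
        *)       echo "$1: not usable as pasted ($fmt)"; return 1 ;;
    esac
}

# Constructed samples: armor lines around a placeholder body, not real keys.
demo=$(mktemp -d)
printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" "PLACEHOLDER" \
    "-----END OPENSSH PRIVATE KEY-----" > "$demo/id_new"
printf '%s\r\n' "-----BEGIN RSA PRIVATE KEY-----" "PLACEHOLDER" > "$demo/id_cut"
for f in "$demo"/id_*; do check_key "$f" || true; done
rm -rf "$demo"
```

ssh-keygen -p rewrites the key file in place, which is why the hint points at a copy rather than the original.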

@whitehatmiddleman

> This is an old thread, but I wasted a bunch of time following rabbit trails on this. In case it helps anyone hitting this with a google search - make sure your framework ssh key has "BEGIN RSA PRIVATE KEY" instead of "BEGIN OPENSSH PRIVATE KEY". The latter will not work. You will need to convert it with:
>
> ssh-keygen -p -f /var/lib/rundeck/.ssh/id_rsa -m pem
>
> or similar.

Thank you for this reply. Every time I want to sell Rundeck to management as a solution, these small rabbit holes make me want to shelve this solution completely. I was really hoping that after 5 years of using the solution before in a previous company, this would mature. Let's see what other rabbit holes I'll find before selling this solution.

@whitehatmiddleman

One more thing to add for those who might be in the same rabbit hole I was in.
Check your sshd logs on the server side. If you are running an up-to-date version of OpenSSH you might see the following:
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

SHA1 is disabled by default for security reasons in updated versions of OpenSSH, so for Rundeck you will need to enable it.
https://unix.stackexchange.com/questions/721606/ssh-server-gives-userauth-pubkey-key-type-ssh-rsa-not-in-pubkeyacceptedalgorit

Add this line in /etc/ssh/sshd_config.
PubkeyAcceptedAlgorithms=+ssh-rsa
Then sudo systemctl restart sshd

That being said I ran into this issue with version: 4.10.0-20230213 (docker image tag) and storing the keys on the database.
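
The line in the comment above re-enables ssh-rsa (SHA-1) signatures for every client of that sshd. A narrower form, added here as an example and not part of the original comment, limits the exception to connections from the Rundeck server; the address 192.0.2.10, the host name rundeck.example and the account name deploy are placeholders.

```conf
# /etc/ssh/sshd_config

# Global form from the comment above: every client may authenticate with ssh-rsa.
#PubkeyAcceptedAlgorithms +ssh-rsa

# Scoped form. Match blocks go at the end of the file and apply until the
# next Match line or the end of the file.
# "deploy" and 192.0.2.10 are placeholders for the remote account Rundeck
# logs in as and the Rundeck server's source address.
Match User deploy Address 192.0.2.10
    PubkeyAcceptedAlgorithms +ssh-rsa

# Validate before restarting sshd:
#   sudo sshd -t
#   sudo sshd -T -C user=deploy,host=rundeck.example,addr=192.0.2.10 | grep -i pubkeyaccepted
# The second command prints the effective setting for that connection only;
# running it with a different addr= should show the default list without ssh-rsa.
```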
