View Issue Details

ID: 0016890
Project: CentOS-8
Category: openssh
View Status: public
Last Update: 2020-01-08 16:52
Reporter: leggettc18
Priority: normal
Severity: minor
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016890: Cannot authenticate with SSH certificates, userauth_pubkey: key type ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedKeyTypes
Description: I have two servers and have set up SSH Certificate authentication for signing in from my computers without a password. One server is Ubuntu 18.04 and one is CentOS 8. They have both been set up identically for User Certificate authentication, and with my Ubuntu Server it works perfectly well on every client I've set it up on. The CentOS 8 server, however, continues to ask for my password. After attempting to connect, the following message gets logged in /var/log/secure: userauth_pubkey: key type ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedKeyTypes [preauth]. I have tried adding it manually to my /etc/ssh/sshd_config with no success. Also:

cat /etc/crypto-policies/back-ends/opensshserver.config

CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com'

So the cert is listed as an accepted Public Key type there as well.
Steps To Reproduce:
1. Set up SSH Certificate authentication with User Certificates on a CentOS 8 server.
2. Attempt to ssh into the CentOS 8 server
Additional Information: https://bugzilla.redhat.com/show_bug.cgi?id=1665611

My issue appears to be similar to this; however, it was supposedly fixed last February. Given CentOS 8 was released well after that, I would have expected that bug to be fixed there as well. Is that not the case?
Tags: 8.0, centos 8, openssh
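
An added example, not part of the original report: a script form of the check described above, which extracts the PubkeyAcceptedKeyTypes list from the CRYPTO_POLICY line, tests for the exact key type named in the log message, and compares that with the list printed by `sshd -T`. The sample inputs are constructed and shortened, the function names are hypothetical, and the mismatch in the sample only illustrates the comparison; it is not a diagnosis of this issue.

```shell
#!/bin/sh
# Constructed, shortened CRYPTO_POLICY line in the format of the file shown above.
SAMPLE_POLICY="CRYPTO_POLICY='-oCiphers=aes256-ctr -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com'"
# Constructed sample of `sshd -T` output (keywords are printed in lower case).
SAMPLE_SSHD_T="port 22
pubkeyacceptedkeytypes rsa-sha2-256,ssh-ed25519,ssh-rsa"

# Print, one per line, the algorithms set for option $2 in CRYPTO_POLICY text $1.
policy_list() {
    printf '%s\n' "$1" | tr " '" '\n\n' | sed -n "s/^-o$2=//p" | tr ',' '\n'
}

# Print, one per line, the algorithms for keyword $2 in `sshd -T` output $1.
sshd_t_list() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' | tr ',' '\n'
}

# Exact whole-line match: "ssh-rsa" must not count as "ssh-rsa-cert-v01@openssh.com".
has_algo() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# $1 = policy text, $2 = sshd -T text, $3 = key type from the log message.
check_key_type() {
    in_policy=no
    in_sshd_t=no
    if has_algo "$(policy_list "$1" PubkeyAcceptedKeyTypes)" "$3"; then in_policy=yes; fi
    if has_algo "$(sshd_t_list "$2" pubkeyacceptedkeytypes)" "$3"; then in_sshd_t=yes; fi
    echo "policy=$in_policy sshd_t=$in_sshd_t"
}

check_key_type "$SAMPLE_POLICY" "$SAMPLE_SSHD_T" "ssh-rsa-cert-v01@openssh.com"
# On a server (as root), hypothetical invocation with real input:
#   check_key_type "$(cat /etc/crypto-policies/back-ends/opensshserver.config)" \
#                  "$(sshd -T)" "ssh-rsa-cert-v01@openssh.com"
```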

Activities

leggettc18

2020-01-05 22:33

reporter   ~0035935

For now I have worked around the issue by setting it up with ecdsa keys instead. I think this is what I will go with for now, as ecdsa is a more modern protocol that can supposedly achieve equal security with smaller keys. However, everything for RSA keys to work is still in place on my CentOS server if it is needed for troubleshooting/testing.
bstinson

2020-01-08 16:52

administrator   ~0035973

Would you mind enabling the CR repo on a test system to verify that this is fixed in the upcoming 8.1.1911 release?

https://wiki.centos.org/AdditionalResources/Repositories/CR

Issue History

Date Modified Username Field Change
2020-01-05 03:34 leggettc18 New Issue
2020-01-05 03:34 leggettc18 Tag Attached: 8.0
2020-01-05 03:34 leggettc18 Tag Attached: centos 8
2020-01-05 03:34 leggettc18 Tag Attached: openssh
2020-01-05 22:33 leggettc18 Note Added: 0035935
2020-01-08 16:52 bstinson Status new => feedback
2020-01-08 16:52 bstinson Note Added: 0035973