View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0016890||CentOS-8||openssh||public||2020-01-05 03:34||2020-01-08 16:52|
|Target Version||Fixed in Version|
|Summary||0016890: Cannot authenticate with SSH certificates, userauth_pubkey: key type firstname.lastname@example.org not in PubkeyAcceptedKeyTypes|
|Description||I have two servers and have set up SSH Certificate authentication for signing in from my computers without a password. One server is Ubuntu 18.04 and one is CentOS 8. They have both been set up identically for User Certificate authentication, and with my Ubuntu Server it works perfectly well on every client I've set it up on. The CentOS 8 server, however, continues to ask for my password. After attempting to connect, the following message gets logged in /var/log/secure: userauth_pubkey: key type email@example.com not in PubkeyAcceptedKeyTypes [preauth]. I have tried adding it manually to my /etc/ssh/sshd_config with no success. Also:|
CRYPTO_POLICY='-oCiphersfirstname.lastname@example.org,email@example.com,aes256-ctr,aes256-cbc,firstname.lastname@example.org,aes128-ctr,aes128-cbc -oMACsemail@example.com,firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,hmac-sha2-256,hmac-sha1,email@example.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithmsfirstname.lastname@example.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,email@example.com,ecdsa-sha2-nistp384,firstname.lastname@example.org,rsa-sha2-512,ecdsa-sha2-nistp521,email@example.com,ssh-ed25519,firstname.lastname@example.org,ssh-rsa,email@example.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,firstname.lastname@example.org,ecdsa-sha2-nistp384,email@example.com,rsa-sha2-512,ecdsa-sha2-nistp521,firstname.lastname@example.org,ssh-ed25519,email@example.com,ssh-rsa,firstname.lastname@example.org'
So the cert is listed as an accepted Public Key type there as well.
|Steps To Reproduce||1. Set up SSH Certificate authentication with User Certificates on a CentOS 8 server.|
2. Attempt to ssh into the CentOS 8 server
My issue appears to be similar to this, however it was supposedly fixed last February. Given CentOS 8 was released well after that, I would have expected that bug to be fixed there as well. Is that not the case?
|Tags||8.0, centos 8, openssh|
|For now I have worked around the issue by setting it up with ecdsa keys instead. I think this is what I will go with for now, as ecdsa is a more modern protocol that can supposedly achieve equal security with smaller keys. However everything for RSA keys to work is still in place on my CentOS server if it is needed for troubleshooting/testing.|
Would you mind enabling the CR repo on a test system to verify that this is fixed in the upcoming 8.1.1911 release?
|2020-01-05 03:34||leggettc18||New Issue|
|2020-01-05 03:34||leggettc18||Tag Attached: 8.0|
|2020-01-05 03:34||leggettc18||Tag Attached: centos 8|
|2020-01-05 03:34||leggettc18||Tag Attached: openssh|
|2020-01-05 22:33||leggettc18||Note Added: 0035935|
|2020-01-08 16:52||bstinson||Status||new => feedback|
|2020-01-08 16:52||bstinson||Note Added: 0035973|
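The check the reporter did by eye (is the rejected key type actually listed in the crypto-policy option string?) can be scripted. This is an added example, not part of the original issue or of any CentOS or OpenSSH tooling. The policy line and log lines are constructed samples, and the key type names in them are assumptions, since the copy of the issue above obscures the real ones.

```python
import fnmatch
import re

# Constructed sample input. Key type names are assumptions, not values from the issue.
SAMPLE_POLICY = (
    "CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr "
    "-oMACshmac-sha2-256 "  # deliberately malformed token: no '=' separator
    "-oPubkeyAcceptedKeyTypes=rsa-sha2-256,ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com'"
)
SAMPLE_LOG = [
    "Jan  5 03:30:01 host sshd[1234]: userauth_pubkey: key type "
    "ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedKeyTypes [preauth]",
    "Jan  5 03:31:07 host sshd[1240]: userauth_pubkey: key type "
    "ssh-dss not in PubkeyAcceptedKeyTypes [preauth]",
    "Jan  5 03:31:09 host sshd[1240]: Accepted password for user from 192.0.2.10 port 50000 ssh2",
]

REJECT_RE = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAcceptedKeyTypes")


def parse_crypto_policy(line):
    """Split CRYPTO_POLICY='-oName=v1,v2 ...' into ({name: [values]}, [malformed tokens])."""
    value = line.partition("=")[2].strip().strip("'\"")
    options, malformed = {}, []
    for token in value.split():
        name, sep, values = token[2:].partition("=")
        if not token.startswith("-o") or not sep or not values:
            malformed.append(token)  # sshd cannot read this as Name=value either
            continue
        options[name.lower()] = values.split(",")
    return options, malformed


def check_rejections(policy_line, log_lines):
    """Return ([(key_type, listed_in_policy)], malformed) for every rejection in the log."""
    options, malformed = parse_crypto_policy(policy_line)
    accepted = options.get("pubkeyacceptedkeytypes", [])
    findings = []
    for line in log_lines:
        match = REJECT_RE.search(line)
        if match:
            key_type = match.group(1)
            # The option takes comma-separated patterns, so match with wildcards.
            listed = any(fnmatch.fnmatchcase(key_type, p) for p in accepted)
            findings.append((key_type, listed))
    return findings, malformed


if __name__ == "__main__":
    print(check_rejections(SAMPLE_POLICY, SAMPLE_LOG))
```

A result of `True` next to a rejected key type reproduces the contradiction described in the report: the type is in the policy string, yet sshd logged it as not accepted.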