Score:0

SSH CA-signed key does not work from certain hosts


I've tried to set up CA-signed SSH user keys.

I got my configuration working on most clients, but there seems to be a problem on a few specific ones. The key verification fails and they are prompted for a password.

When I try to connect as the sftp user (one of the principals in the SSH key), this is what appears in the server's SSH log:

Failed publickey for sftp from 192.168.99.13 port 55830 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI

Both the user key hash and the CA signing key hash seem to be correct. This works from several other clients with no problem, including:

  • Arch linux OpenSSH_9.3p2, OpenSSL 3.1.1 30 May 2023
  • Fedora linux OpenSSH_8.8p1, OpenSSL 3.0.9 30 May 2023

The problematic clients are:

  • Debian OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
  • Ubuntu OpenSSH_9.0p1 Ubuntu-1ubuntu7.3, OpenSSL 3.0.5 5 Jul 2022

With the Debian client, I even tried copying its ~/.ssh folder locally to verify that it is signed correctly.

The connection works. This is the only difference in the server's SSH log:

debug1: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "debby" (serial 0) signed by RSA CA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI via /etc/ssh/ca_user_key.pub

I've made sure the permissions and ownership of the ~/.ssh directories are the same.

Has anyone encountered anything similar, or does anyone have more troubleshooting tips?

EDIT: Here is the relevant part of the DEBUG3 log:

debug1: trying public key file /home/sftp/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug2: /home/sftp/.ssh/authorized_keys:1: check options: '@cert-authority *.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0I
debug2: /home/sftp/.ssh/authorized_keys:1: advance: '*.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0IkBMuS6yAY2WOOTntDNEP65
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: trying public key file /home/sftp/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/sftp/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
Failed publickey for sftp from 192.168.99.13 port 58972 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg [email protected] [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 0.757ms, delaying 6.094ms (requested 6.850ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]

The issue seems to be this:

mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
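The `@cert-authority *.dev.tbscz ssh-rsa ...` entry in the DEBUG3 output is known_hosts syntax (a marker followed by a host pattern); in authorized_keys the marker is instead the `cert-authority` option, optionally with `principals="..."`. As an added example, not code from the thread, the Python below mirrors how sshd's authorized_keys parser treats both shapes (it reads the leading token as options and then expects a key type, so the line above is skipped for having no key) and applies the principal rule for a `cert-authority` entry. The sample lines, the shortened key blob, the `user-ca` comment and the certificate principal list `["sftp"]` used in the checks are constructed, not taken from the server.

```python
import re
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # subset sshd knows

def _advance_past_options(line):
    """Like sshkey_advance_past_options(): stop at the first unquoted space/tab."""
    i, quoted = 0, False
    while i < len(line) and (quoted or line[i] not in " \t"):
        if line[i] == "\\" and line[i + 1:i + 2] == '"':
            i += 1  # escaped quote inside an option value
        elif line[i] == '"':
            quoted = not quoted
        i += 1
    if quoted:
        raise ValueError("unterminated quote in key options")
    return line[:i], line[i:].lstrip(" \t")

def _read_key(text):
    """Return (keytype, blob) if text starts with a recognised key type, else None."""
    parts = text.split(None, 2)
    return tuple(parts[:2]) if len(parts) >= 2 and parts[0] in KEY_TYPES else None

def parse_authorized_keys_line(line):
    """Mirror sshd's check_authkey_line(): key first, else options then key, else skip."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {"skipped": "blank or comment"}
    options, key = "", _read_key(line)
    if key is None:
        options, rest = _advance_past_options(line)
        key = _read_key(rest)
        if key is None:
            return {"skipped": "no key type after options %r" % options}
    opts = re.findall(r'(?:[^,"]|"[^"]*")+', options)  # commas inside quotes do not split
    principals = [o[len("principals="):].strip('"').split(",")
                  for o in opts if o.startswith("principals=")]
    return {"options": opts, "keytype": key[0],
            "cert_authority": "cert-authority" in opts,
            "principals": principals[0] if principals else None}

def cert_allowed(entry, cert_principals, login_user):
    """With principals= one listed name must be in the cert; otherwise the login user must be."""
    if "skipped" in entry or not entry["cert_authority"]:
        return False
    if entry["principals"] is None:
        return login_user in cert_principals
    return any(p in cert_principals for p in entry["principals"])

# Constructed samples: the shape of the asker's line (blob shortened) and the correct form.
KNOWN_HOSTS_STYLE = "@cert-authority *.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W"
AUTHORIZED_KEYS_STYLE = 'cert-authority,principals="debby,sftp" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W user-ca'
```

In the successful login shown above the certificate was accepted via TrustedUserCAKeys (`/etc/ssh/ca_user_key.pub`), so the authorized_keys line is not what grants access there; the skip is only reported at debug2, which is why running this check over a server's authorized_keys files is worthwhile.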
user1686
Can you get more detailed logs with `LogLevel DEBUG3` in the sshd config?