I've tried to setup CA signed ssh user keys.
I got my configuration working on most clients, there seems to be problem on a few specific ones.
The key verification fails and they are prompted for password.
When I try to connect to the sftp user (one of the principals in the ssh key) this is what appears in the server ssh log
Failed publickey for sftp from 192.168.99.13 port 55830 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI
Both the user key and the CA signing key hash seem to be correct.
This works from several other client no problem including:
- Arch linux OpenSSH_9.3p2, OpenSSL 3.1.1 30 May 2023
- Fedora linux OpenSSH_8.8p1, OpenSSL 3.0.9 30 May 2023
The problematic clients are:
- Debian OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
- Ubuntu OpenSSH_9.0p1 Ubuntu-1ubuntu7.3, OpenSSL 3.0.5 5 Jul 2022
With the Debian client I even tried to copy its ~/.ssh folder locally to verify it is signed correctly.
The connection works.
This is the only difference in the server ssh log:
debug1: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "debby" (serial 0) signed by RSA CA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI via /etc/ssh/ca_user_key.pub
I've made sure the permissions and ownership of the ~/.ssh directories are the same.
Has anyone ever encountered anything similar or have any more troubleshooting tips?
EDIT: Here is the relevant part of the DEBUG3 log
debug1: trying public key file /home/sftp/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug2: /home/sftp/.ssh/authorized_keys:1: check options: '@cert-authority *.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0I
debug2: /home/sftp/.ssh/authorized_keys:1: advance: '*.dev.tbscz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDagkuT1W+CXkdkhkgCEWHTekY/QF9To4Ls0UMukW0VURcnER465QoUbOFzsZ6wZ1TkxNv32M9kgrUaCOZayyylYr1asLKgGx8KQayCoTgay06b5NLG6kFw7+zE/uk7lS5AXPS2tdzO9qxb7agtGcr9nyrUqyqA0ux+Kox03RlciazXS2b0BLzDYfIAvKcCk2peaQsogh0JIZxXNF8eVJZ9LGKh6XbQqxw1uwjizlMCXwzVwL1Qo/sTsDbo67lrIdH5mjX2HapCFbMz31BTX0IjJ+qqpBwDS2ydH4zpyOmHmIqn3kOh1DgCfZFtXSYzCKERKx5R5n5KtJShvjh7w7LBuD7VDB8u85Us7OpUUM7Ie+JbAPlxfGJ0IkBMuS6yAY2WOOTntDNEP65
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: trying public key file /home/sftp/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/sftp/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
Failed publickey for sftp from 192.168.99.13 port 58972 ssh2: RSA-CERT SHA256:yYgNW3M5txAtXjj6jXnBVf6vI4NUnoNvfWPPtS4pewU ID debby (serial 0) CA RSA SHA256:W78bubCEvj75KxHJcasa9aclOddsDfKiOLd2uozMqKI
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg [email protected] [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 0.757ms, delaying 6.094ms (requested 6.850ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]
The issue seems to be this
mm_answer_keyallowed: publickey authentication test: RSA-CERT key is not allowed
