Score:0

Ubuntu 20.04 FIPS image unable to do SSH using bless tool


Recently we started upgrading from Ubuntu 18.04 FIPS to the Ubuntu 20.04 FIPS image, and I used the AWS Marketplace image ubuntu-pro-fips-server/images/hvm-ssd/ubuntu-focal-20.04-amd64-pro-fips-server. We use the Netflix bless tool for SSH, and it still works for 18.04 FIPS and for 20.04 non-FIPS too.

But I'm getting "userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]".

To test this bless tool, I created the cert manually with the same algorithm (ssh-rsa) and the same bits, and I'm able to SSH with those keys (I used the SSH signed CA certs option), but not with the bless keys.

```
root@hostname:/var/snap/amazon-ssm-agent/6563# ssh -Q key
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
```

I'm getting this error from the bastion: No more authentication methods to try. ubuntu@graviton-test-bastion-20-fips-0c3f60d2: Permission denied (publickey).

SSH SERVER LOGS:

```
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11415]: debug1: Forked child 11417.
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: Set /proc/self/oom_score_adj to 0
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: inetd sockets after dupping: 4, 4
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: Connection from 10.X.X.X port 16130 on 10.X.X.X port 22 rdomain ""
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.fips.0.2.1
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.7 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: permanently_set_uid: 109/65534 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: SSH2_MSG_KEXINIT received [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: rekey out after 134217728 blocks [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: rekey in after 134217728 blocks [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: KEX done [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: userauth-request for user ubuntu service ssh-connection method none [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: attempt 0 failures 0 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: PAM: initializing for "ubuntu"
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: PAM: setting PAM_RHOST to "10.X.X.X"
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: PAM: setting PAM_TTY to "ssh"
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: userauth_send_banner: sent [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: userauth-request for user ubuntu service ssh-connection method publickey [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: attempt 1 failures 0 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:eDIkE2MsPXLsxp5tG5jeQLQ+E/tdypLNxQk4nBEEfUM [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: trying public key file /home/ubuntu/.ssh/authorized_keys
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: fd 5 clearing O_NONBLOCK
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: restore_uid: 0/0
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: trying public key file /home/ubuntu/.ssh/authorized_keys2
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: Could not open authorized keys '/home/ubuntu/.ssh/authorized_keys2': No such file or directory
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: restore_uid: 0/0
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: temporarily_use_uid: 112/65534 (e=0/0)
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: restore_uid: 0/0
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: temporarily_use_uid: 112/65534 (e=0/0)
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys ubuntu SHA256:XXXXXpLNxQk4nBEEfUM failed, status 22
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: restore_uid: 0/0
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: Failed publickey for ubuntu from 10.X.X.X port 16130 ssh2: RSA SHA256:XXXXXXXXXEEfUM
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: userauth-request for user ubuntu service ssh-connection method publickey [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: debug1: attempt 2 failures 1 [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]
Jul  1 04:09:32 graviton-test-bastion-20-fips-0c3f60d2 sshd[11417]: Connection closed by authenticating user ubuntu 10.88.67.39 port 16130 [preauth]
```
Luuk
Because of: "**ssh-rsa: signature algorithm not supported**", see: [Ubuntu 22.04 SSH the RSA key isn't working since upgrading from 20.04](https://askubuntu.com/questions/1409105/ubuntu-22-04-ssh-the-rsa-key-isnt-working-since-upgrading-from-20-04) and/or [SSH without password does not work after upgrading from 18.04 to 22.04](https://askubuntu.com/questions/1404049/ssh-without-password-does-not-work-after-upgrading-from-18-04-to-22-04)
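
The sshd error in the log refers to the algorithm the CA used to sign the certificate, which is recorded inside the certificate's signature field and is separate from the certificate's key type. As an added example (not from the thread), this Python sketch reads that field from an RSA certificate line, so a certificate that is rejected can be compared with one that is accepted; `build_sample_cert` and its dummy contents are constructed for illustration.

```python
import base64
import struct

RSA_CERT = b"ssh-rsa-cert-v01@openssh.com"

def _pack(b):
    """Encode bytes as an SSH wire 'string': uint32 length + data."""
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Read one SSH wire 'string'; return (data, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def ca_signature_algorithm(cert_line):
    """Return (CA key type, CA signature algorithm) of an RSA certificate line."""
    blob = base64.b64decode(cert_line.split()[1])
    cert_type, off = _string(blob, 0)
    if cert_type != RSA_CERT:
        raise ValueError("this sketch only walks RSA certificates")
    for _ in range(3):            # nonce, e, n
        _, off = _string(blob, off)
    off += 8 + 4                  # serial (uint64), type (uint32)
    for _ in range(2):            # key id, valid principals
        _, off = _string(blob, off)
    off += 8 + 8                  # valid after, valid before
    for _ in range(3):            # critical options, extensions, reserved
        _, off = _string(blob, off)
    ca_key, off = _string(blob, off)
    signature, _ = _string(blob, off)
    return _string(ca_key, 0)[0].decode(), _string(signature, 0)[0].decode()

def build_sample_cert(sig_alg):
    """Constructed sample, not cryptographically valid: dummy key and signature bytes."""
    ca_key = _pack(b"ssh-rsa") + _pack(b"\x01\x00\x01") + _pack(b"\x00" + b"\xaa" * 8)
    sig = _pack(sig_alg) + _pack(b"\x00" * 8)
    body = (_pack(RSA_CERT) + _pack(b"nonce") + _pack(b"\x01\x00\x01")
            + _pack(b"\x00" + b"\xbb" * 8) + struct.pack(">QI", 1, 1)
            + _pack(b"sample-key-id") + _pack(_pack(b"ubuntu"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _pack(b"") * 3
            + _pack(ca_key) + _pack(sig))
    return RSA_CERT.decode() + " " + base64.b64encode(body).decode() + " sample"

if __name__ == "__main__":
    for alg in (b"ssh-rsa", b"rsa-sha2-512"):
        print(ca_signature_algorithm(build_sample_cert(alg)))
```

For a real certificate, pass the single line from the `-cert.pub` file; the second element of the result is the value sshd checks against its `CASignatureAlgorithms` setting.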