[Bug 3506] Permission denied (publickey) with two -i identity files

bugzilla-daemon at mindrot.org
Wed Nov 30 10:39:24 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3506

--- Comment #4 from andy klier <andy.klier at zuar.com> ---
(In reply to Darren Tucker from comment #1)
> Comment on attachment 3627 [details]
> verbose output of ssh attempt
> 
> The handling of -i hasn't changed as far as I know.
> 
> [...]
> >debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert type 4
> >debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert-cert type -1
> >debug1: identity file /Users/steve/.ssh/vault type 0
> >debug1: identity file /Users/steve/.ssh/vault-cert type -1
> 
> This doesn't exactly match the example invocation, but it indicates
> that two keys were loaded.
> 
> [...]
> >debug1: Offering public key: /Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug1: send_pubkey_test: no mutual signature algorithm
> 
> I think this is your problem: ssh-rsa was disabled by default in 8.8
> (https://www.openssh.com/releasenotes.html#8.8).  You can test this
> by adding "-oPubkeyAcceptedAlgorithms=+ssh-rsa" to your command
> line.  I'm not sure why it didn't try one of the stronger RSA
> SHA256/512 variants.
> 
> >debug1: Offering public key: /Users/steve/.ssh/vault RSA SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug3: send packet: type 50
> >debug2: we sent a publickey packet, wait for reply
> >debug3: receive packet: type 51
> >debug1: Authentications that can continue: publickey
> 
> This key is not in the server's authorized_keys.

TBC the example command is from the vault docs. The command we are
running is:
ssh -i /Users/steve/.config/zaccess/penguin.randomhostname.com.cert -i /Users/steve/.ssh/vault ubuntu@penguin.randomhostname.com

The pub key for the CA is in `TrustedUserCAKeys` in
`/etc/ssh/sshd_config`.
We sign a cert using `/Users/steve/.ssh/vault.pub` and then ssh with
the cert and its private key.

With -oPubkeyAcceptedAlgorithms=+ssh-rsa it also fails.
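A small triage helper for the kind of ssh -v output quoted in this bug (added example, not part of the bug report or of OpenSSH): it pairs each "Offering public key" line with the outcome ssh logged right after it, so a "no mutual signature algorithm" failure (client and server disagree on signature algorithms, e.g. ssh-rsa disabled since 8.8) is told apart from a key the server simply does not have in authorized_keys. The sample log is constructed from the debug lines quoted above; the outcome labels are this script's own.

```python
import re

# Constructed sample: ssh -v lines taken from the debug output quoted in the report.
SAMPLE_LOG = """\
debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert type 4
debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert-cert type -1
debug1: identity file /Users/steve/.ssh/vault type 0
debug1: identity file /Users/steve/.ssh/vault-cert type -1
debug1: Offering public key: /Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/steve/.ssh/vault RSA SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
"""

# path, key type (RSA, RSA-CERT, ED25519, ...), fingerprint
OFFER_RE = re.compile(r"^debug1: Offering public key: (\S+) (\S+) (SHA256:\S+)")


def triage_pubkey_offers(log_text):
    """Return one dict per offered identity with the outcome ssh reported.

    Outcomes (labels chosen here, not OpenSSH's):
      no_mutual_sig_alg - client never sent the key; no common signature
                          algorithm (typically ssh-rsa disabled on one side)
      rejected          - server replied USERAUTH_FAILURE (packet type 51),
                          i.e. the key/cert is not accepted by sshd
      accepted          - server accepted the key
      unknown           - log ended before ssh reported a result
    """
    results = []
    current = None
    for line in log_text.splitlines():
        m = OFFER_RE.match(line)
        if m:
            current = {"path": m.group(1), "type": m.group(2),
                       "fingerprint": m.group(3), "outcome": "unknown"}
            results.append(current)
        elif current is not None:
            if "no mutual signature algorithm" in line:
                current["outcome"], current = "no_mutual_sig_alg", None
            elif "Authentications that can continue" in line:
                current["outcome"], current = "rejected", None
            elif "Server accepts key" in line:
                current["outcome"], current = "accepted", None
    return results
```

Two offers sharing one fingerprint, as in the sample, means the cert and the plain key belong to the same key pair, so the second offer is the bare key without the certificate, which sshd will only take if it is listed in authorized_keys.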
