[Bug 3506] Permission denied (publickey) with two -i identity files
bugzilla-daemon at mindrot.org
Wed Nov 30 10:39:24 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3506
--- Comment #4 from andy klier <andy.klier at zuar.com> ---
(In reply to Darren Tucker from comment #1)
> Comment on attachment 3627 [details]
> verbose output of ssh attempt
>
> The handling of -i hasn't changed as far as I know.
>
> [...]
> >debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert type 4
> >debug1: identity file /Users/steve/.config/zaccess/penguin.randomhostname.com.cert-cert type -1
> >debug1: identity file /Users/steve/.ssh/vault type 0
> >debug1: identity file /Users/steve/.ssh/vault-cert type -1
>
> This doesn't exactly match the example invocation, but it indicates
> that two keys were loaded.
>
> [...]
> >debug1: Offering public key: /Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug1: send_pubkey_test: no mutual signature algorithm
>
> I think this is your problem: ssh-rsa was disabled by default in 8.8
> (https://www.openssh.com/releasenotes.html#8.8). You can test this
> by adding "-oPubkeyAcceptedAlgorithms=+ssh-rsa" to your command
> line. I'm not sure why it didn't try one of the stronger RSA
> SHA256/512 variants.
>
> >debug1: Offering public key: /Users/steve/.ssh/vault RSA SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
> >debug3: send packet: type 50
> >debug2: we sent a publickey packet, wait for reply
> >debug3: receive packet: type 51
> >debug1: Authentications that can continue: publickey
>
> This key is not in the server's authorized_keys.
TBC, the example command is from the Vault docs. The command we are
running is:
ssh -i /Users/steve/.config/zaccess/penguin.randomhostname.com.cert -i /Users/steve/.ssh/vault ubuntu at penguin.randomhostname.com
The pub key for the CA is in `TrustedUserCAKeys` in
`/etc/ssh/sshd_config`.
We sign a cert using `/Users/steve/.ssh/vault.pub` and then ssh with
the cert and its private key.
With -oPubkeyAcceptedAlgorithms=+ssh-rsa it also fails.
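Added example, not part of the original message or of OpenSSH: a small triage script that pairs each "Offering public key" line in `ssh -v` output with the outcome the client logged for it, and flags a certificate and a plain key that share a fingerprint. The sample log is constructed from the debug lines quoted in the comment above; the function names are hypothetical, and the "Server accepts key" line is the client's usual success message, which does not appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the client debug lines quoted in the comment above.
SAMPLE_LOG = """\
>debug1: Offering public key: /Users/steve/.config/zaccess/penguin.randomhostname.com.cert RSA-CERT SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
>debug1: send_pubkey_test: no mutual signature algorithm
>debug1: Offering public key: /Users/steve/.ssh/vault RSA SHA256:v1zotU9ug24hc109SJwmsnWA0JQHABY/t2NjMn/SDVM explicit
>debug3: send packet: type 50
>debug2: we sent a publickey packet, wait for reply
>debug3: receive packet: type 51
>debug1: Authentications that can continue: publickey
"""

OFFER = re.compile(r"debug1: Offering public key: (\S+) (\S+) (SHA256:\S+)")

def summarize_offers(log_text):
    """Return one record per offered key with the outcome the client logged."""
    offers, current = [], None
    for raw in log_text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)  # drop mail quote markers
        m = OFFER.match(line)
        if m:
            current = dict(zip(("path", "type", "fingerprint"), m.groups()),
                           outcome="unknown")
            offers.append(current)
        elif current is None or current["outcome"] != "unknown":
            continue
        elif "no mutual signature algorithm" in line:
            current["outcome"] = "skipped by client: no mutual signature algorithm"
        elif line.startswith("debug1: Server accepts key"):
            current["outcome"] = "accepted by server"
        elif line == "debug3: receive packet: type 51":  # SSH_MSG_USERAUTH_FAILURE
            current["outcome"] = "rejected by server"
    return offers

def same_key_offers(offers):
    """Map fingerprint -> offered types when one key was offered more than once."""
    groups = defaultdict(list)
    for o in offers:
        groups[o["fingerprint"]].append(o["type"])
    return {fp: types for fp, types in groups.items() if len(types) > 1}

if __name__ == "__main__":
    offers = summarize_offers(SAMPLE_LOG)
    for o in offers:
        print(f'{o["type"]:9} {o["path"]}: {o["outcome"]}')
    print(same_key_offers(offers))
```

On the sample, the certificate is never sent to the server (the client drops it for lack of a mutual signature algorithm), and the only key the server actually rejects is the plain RSA key with the same fingerprint.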