
tctl auth sign --format=openssh generates a ssh-rsa-cert-v01 public key breaking centos7 to alma9 ssh #40100

Open

Description

Expected behavior:

As mentioned in #10918, ssh-rsa-cert-v01 is no longer on the approved list of PubKeyAcceptedAlgorithms for many newer OSes like Alma 9.

This issue of Teleport generating ssh-rsa-cert-v01 public keys is still present with tctl auth sign --format=openssh --host=myhost --out=myhost when manually enrolling agentless hosts.

This specifically causes issues when connecting from centos7 -> alma9 machines directly, as the ssh command fails.

We are able to ssh from alma9 machines to centos7 machines.

Current behavior:

CASignatureAlgorithms=+ssh-rsa is not a valid option on CentOS 7 with ssh version OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017:

[a@admin ~]$ ssh -A teleport -o CASignatureAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa-cert-v01@openssh.com
command-line: line 0: Bad configuration option: casignaturealgorithms

[a@admin ~]$ ssh -A teleport -o PubkeyAcceptedAlgorithms=+ssh-rsa-cert-v01@openssh.com
command-line: line 0: Bad configuration option: pubkeyacceptedalgorithms
[a@admin ~]$ ssh -A teleport -o PubkeyAcceptedKeyTypes=+ssh-rsa-cert-v01@openssh.com
Connection closed by 10.4.30.165 port 22

We are not able to ssh from centos7 machines to alma9 machines.

Bug details:

  • Teleport version
    Teleport v15.2.0 git:v15.2.0-0-gbb8bd77 go1.21.8

  • Recreation steps

  1. Enroll a centos7 and an alma9 host with agentless manual enrollment, following the official docs using tctl auth sign
  2. Add HostKey, HostCertificate, TrustedUserCAKeys to /etc/ssh/sshd_config as shown in the docs on both hosts and restart sshd
  3. Try to ssh from centos7 host to alma9 host
  4. Revert the step 2 changes on the alma9 machine and restart sshd; the issue is fixed

  • Debug logs

/var/log/messages

Apr  1 22:47:46 p1.hc.domain.com sshd[470936]: fatal: mm_answer_sign: sign: error in libcrypto
Apr  1 22:48:31 p1.hc.domain.com sshd[470948]: fatal: mm_answer_sign: sign: error in libcrypto
Apr  1 22:48:42 p1.hc.domain.com sshd[470951]: fatal: mm_answer_sign: sign: error in libcrypto
Apr  1 22:49:31 p1.hc.domain.com sshd[471071]: fatal: mm_answer_sign: sign: error in libcrypto
Apr  1 22:50:11 p1.hc.domain.com sshd[471145]: fatal: mm_answer_sign: sign: error in libcrypto
[a@tester ~]$ ssh -vvv p1.hc.domain.com
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "p1.hc.domain.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to p1.hc.domain.com [10.4.30.114] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/a/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to p1.hc.domain.com:22 as 'a'
debug3: hostkeys_foreach: reading file "/home/a/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa-cert-v01@openssh.com
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.4.30.114 port 22
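The two "host key algorithms" lines in the trace above explain the failure without any further debugging: the OpenSSH 7.4 client lists ssh-rsa-cert-v01@openssh.com ahead of every plain-key algorithm and offers no rsa-sha2-*-cert-v01 entry at all, so under the RFC 4253 rule (first client preference the server also offers) the server must sign its host certificate exchange with SHA-1, which the system crypto policy on the Alma 9 side refuses, hence "mm_answer_sign: sign: error in libcrypto". The script below is an added example, not code from the issue or from Teleport: it parses the KEXINIT name-lists from an `ssh -vvv` trace, replays the negotiation, flags SHA-1 signature algorithms, and counts the resulting sshd sign failures in /var/log/messages. The name-lists and the libcrypto lines are copied from this report; the "Accepted publickey" log line is constructed, and the assumption that the server disallows SHA-1 signatures (the RHEL 9 / Alma 9 DEFAULT crypto policy) is modelled by the `server_allows_sha1` parameter.

```python
import re

CERT_SUFFIX = "-cert-v01@openssh.com"

# Constructed sample input: the client's (OpenSSH 7.4, CentOS 7) and the
# server's (OpenSSH 8.7, Alma 9) KEXINIT host key algorithm lines from the trace.
CLIENT_LINE = (
    "debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,"
    "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss"
)
SERVER_LINE = (
    "debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,"
    "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,"
    "rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com"
)

# Constructed sample of server-side /var/log/messages lines; the two "fatal" lines
# are from the report, the "Accepted publickey" line is made up to show filtering.
SSHD_LOG = """\
Apr  1 22:47:46 p1.hc.domain.com sshd[470936]: fatal: mm_answer_sign: sign: error in libcrypto
Apr  1 22:47:50 p1.hc.domain.com sshd[470940]: Accepted publickey for a from 10.4.30.20 port 51234 ssh2
Apr  1 22:48:31 p1.hc.domain.com sshd[470948]: fatal: mm_answer_sign: sign: error in libcrypto
"""


def parse_host_key_algs(line):
    """Return the comma-separated name-list from a 'debug2: host key algorithms:' line."""
    m = re.search(r"host key algorithms:\s*(\S*)", line)
    if not m:
        raise ValueError("not a host key algorithms line: %r" % line)
    return [a for a in m.group(1).split(",") if a]


def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: the first name in the client's list that the server also offers wins."""
    offered = set(server_algs)
    return next((a for a in client_algs if a in offered), None)


def uses_sha1_signature(alg):
    """ssh-rsa and ssh-dss (plain or certificate form) sign with SHA-1; rsa-sha2-* use SHA-2 (RFC 8332)."""
    return alg.replace(CERT_SUFFIX, "") in ("ssh-rsa", "ssh-dss")


def diagnose(client_line, server_line, server_allows_sha1=False):
    """Replay the host key negotiation and report whether the server will be unable to sign."""
    client = parse_host_key_algs(client_line)
    server = parse_host_key_algs(server_line)
    chosen = negotiate(client, server)
    sha1 = chosen is not None and uses_sha1_signature(chosen)
    # SHA-2 certificate algorithms the server would accept but the client never proposes.
    missing = [
        a for a in server
        if a.endswith(CERT_SUFFIX) and not uses_sha1_signature(a) and a not in client
    ]
    return {
        "chosen": chosen,
        "chosen_uses_sha1": sha1,
        "expect_sign_failure": sha1 and not server_allows_sha1,
        "sha2_cert_algs_missing_on_client": missing,
    }


SIGN_FAILURE = re.compile(r"sshd\[(\d+)\]: fatal: mm_answer_sign: sign: error in libcrypto")


def count_sign_failures(log_text):
    """Count sshd child processes that died because the host key signature could not be produced."""
    return len(SIGN_FAILURE.findall(log_text))


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LINE, SERVER_LINE).items():
        print("%s: %s" % (key, value))
    print("sign failures in log: %d" % count_sign_failures(SSHD_LOG))
```

Running it against the report's lists yields ssh-rsa-cert-v01@openssh.com as the chosen algorithm with `expect_sign_failure` true, and lists rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com as the SHA-2 certificate algorithms the 7.4 client cannot use, which is why client-side options alone (as the report's attempts with PubkeyAcceptedKeyTypes show) do not help: the fix has to come from the certificate type or the server's policy.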