SSH plugin refuses keys


Mo B

Jan 6, 2021, 4:38:37 AM
to scmmanager

Hi all,

again I am facing a small issue. Until now, I had been using HTTPS for Git transactions - simply because it was working by default and was secure enough.
Since I activated HTTP/2 on my server I realized that sending usernames via URL has been removed, thus I installed the SSH plugin.

Now this plugin works fine with password authentication but I seem unable to get it to accept my public keys:

1. I tried with an ED25519 key, which SCM-Manager straight out refused because of "invalid format" or something. Sad, but hey - I hope support for EC keys will come some time in the future.

2. I tried with an RSA 4096 key which it accepted and stored - but when I try to connect with it the SSH server does not seem to know about it. I get the fallback to password auth or, when I disable password auth completely, the SSH server just refuses it with "publickey".
I even tried to restart SCM-Manager after adding the key - no change.

My workflow: Log in -> Click on "authorized keys" at the bottom -> Add the key

Does anybody have an idea how to solve this?
I'd love to help you debug if somebody can tell me how to enable an SSH debug log...

I am running SCM-Manager 2.12.0 in a container.

Thank you very much in advance!
Kind regards,

Maurice

Sebastian Sdorra

Jan 6, 2021, 4:13:49 PM
to scmma...@googlegroups.com
Hi Maurice,
To point one, I've just added support for ED25519 keys to the ssh plugin. The changes only have to pass the review from one of my colleagues.

https://github.com/scm-manager/scm-ssh-plugin/pull/16

To your second point, can you confirm that your private key is used if you try to connect to scm-manager e.g.:

ssh -v -l scmadmin localhost -p 2222

Please replace scmadmin with your user, localhost with your scm-manager host and 2222 with the port of the ssh plugin. Did you see your private key in the output?

Sebastian


Mo B

Jan 7, 2021, 6:10:52 AM
to scmmanager
Hey

> To point one, I've just added support for ED25519 keys to the ssh plugin. The changes only have to pass the review from one of my colleagues.

that is very cool, thanks :)

Second thing, well. It does try to use the correct key - but I should have read the verbose output more carefully yesterday. There seems to be some kind of conflict here between versions of SSH and key configuration because I found this in the log:

> debug1: send_pubkey_test: no mutual signature algorithm

To be honest I do not fully understand the issue. I searched a bit and it seems this lets me know that my client refuses to use RSA keys - apparently some new behaviour of OpenSSH (I'm on Fedora, so I kinda have a pretty current version of it). When I tried with a Raspbian 10 it worked out of the box however...
Maybe Apache SSH 2.2 and my OpenSSH 8.4 are both "new enough" and it falls back to some kind of legacy mode with the Raspbian box (OpenSSH 7.9).

However, the solution is pretty simple: I only need to instruct my client to allow ssh-rsa public keys for this host. In the config this is done by adding `PubkeyAcceptedKeyTypes +ssh-rsa`.
Works perfectly.

Thanks for your help though, maybe this helps someone else in the future :)

Regards,
Maurice
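
An added example, not part of the thread and not SCM-Manager or OpenSSH code: a small Python helper that reads `ssh -v` client output, finds keys the client dropped with the `no mutual signature algorithm` message quoted above, and builds an `ssh_config` block that limits `PubkeyAcceptedKeyTypes +ssh-rsa` to that one host instead of enabling it globally. The log lines, the host name `scm.example.org`, the key path and the fingerprint are constructed.

```python
import re

# Constructed sample of `ssh -v` client output (hypothetical host, path, fingerprint).
SAMPLE_LOG = """\
debug1: Connecting to scm.example.org [192.0.2.10] port 2222.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTEDFINGERPRINT
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
"""

CONNECT = re.compile(r"^debug1: Connecting to (\S+) \[[^\]]*\] port (\d+)\.")
OFFER = re.compile(r"^debug1: Offering public key: (.+) (\S+) SHA256:")
NO_MUTUAL = "send_pubkey_test: no mutual signature algorithm"


def diagnose(log: str) -> dict:
    """Return the target host/port and the keys the client skipped locally."""
    result = {"host": None, "port": None, "skipped": []}
    last_offer = None
    for line in log.splitlines():
        line = line.strip()
        if m := CONNECT.match(line):
            result["host"], result["port"] = m.group(1), int(m.group(2))
        elif m := OFFER.match(line):
            last_offer = (m.group(1), m.group(2))  # (key path, key type)
        elif NO_MUTUAL in line and last_offer:
            # The client gave up on this key before the server ever saw it.
            result["skipped"].append(last_offer)
            last_offer = None
    return result


def host_stanza(diag: dict) -> str:
    """Build an ssh_config block re-enabling ssh-rsa for this host only."""
    if not any(ktype == "RSA" for _, ktype in diag["skipped"]):
        return ""
    # Option name taken from the post above; scoping it per host is this example's choice.
    return (f"Host {diag['host']}\n"
            f"    Port {diag['port']}\n"
            f"    PubkeyAcceptedKeyTypes +ssh-rsa\n")


if __name__ == "__main__":
    print(host_stanza(diagnose(SAMPLE_LOG)), end="")
```

The `ssh-rsa` signature algorithm relies on SHA-1, so a per-host block keeps it disabled for every other server. OpenSSH 8.5 and later name the option `PubkeyAcceptedAlgorithms` and keep `PubkeyAcceptedKeyTypes` as an alias.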

Eduard Heimbuch

Jan 8, 2021, 4:43:56 AM
to scmmanager
Hey Maurice,

we just released the new version of the SCM-SSH-Plugin. This contains support for ED25519 keys.

Regards,
Eduard