Keychain use causes corrupted pad block login failure for sftp

[Tampa]

Use of keychain with RSA keys causes login failure with "Pad block corrupted" error. Unchecking keychain use in Preferences resolves the problem.

Steps to reproduce the behavior:
Using Ubuntu 22LTS add an RSA public key to a user and attempt and sftp connection to that with keychain enabled.
Disable keychain, restart Cyberduck, try again, now asks for passphrase and logs in.

This started happening with newer ssh servers that deprecated the RSA keys, but using the keychain ssh connections themselves work just fine through putty, so should Cyberduck sftp connections once the ssh server is configured to accept RSA keys again.

I don't have this issue with any older machines running older ssh servers.

• OS: Win10 64bit
• Version: 8.4.3 38269

Before you tell me to update to Snapshots, setting that in the update policy and checking for updates returns up to date for that version so there is no snapshot build available as of writing this.

[AliveDevil]

I performed these steps:

• Create Ubuntu 22.04 VM, cloud-init with an SSH-RSA 2048 public key
  Public Key generated with ssh-keygen -b 2048 -t rsa -N "some-pass"
• Created a connection for this server, user root, no password, set identity to the private key
• Logged in once with passphrase for that key (Keychain enabled)
• Restart Cyberduck, reconnect (no passphrase requested, connection opened fine)

If you'd like, you can start Windows Credential Manager and search for duck:ssh:server.ip?user=username as well as sftp://user@server.ip and delete these entries (sftp:// is our old credential format, duck: is the new one).

How many characters long is your passphrase for the private key?

Can you send the log¹ either as an attachment through Github Web (Github doesn't allow email attachments, unfortunately), or if you don't feal comfortable sending private data on a public issue tracker, as an e-mail to support@cyberduck.io with reference to this ticket (13673)?

Footnotes

1. https://docs.cyberduck.io/cyberduck/support/ ↩

[Tampa]

I generated the key on the Windows machine locally and put the public one into authorized_keys file, like I normally would, but initially this still refused login both ssh and sftp. I found out later that the RSA keys were being thrown out for some reason so I had to add:

PubkeyAcceptedKeyTypes=+ssh-rsa
PubkeyAcceptedKeyTypes=+ssh-dss
HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com

To the sshd_config in order to allow login with my RSA key at all. This works fine for ssh, but with sftp I struggle as described above.

If I remove all caches from Cyberduck and restart with Keychain enabled I can login once and use sftp just fine, but when I reconnect to the same server I get the same error of Pad block corrupted. On the server I get no further logs as to why auth broke besides mention of preauth and then disconnect.

The passphrase 21 characters.

Checking the credentials manager there is no credential saved for that server.

I plan to generate a new key in a different format that is supported by sshd without the need to add the "old" key algo to it. I sent the log file to the specified email.