Cannot connect with Yubikey on OpenSSH 8.8+ #13306

Closed
shyim opened this issue Apr 19, 2022 · 7 comments · Fixed by #13330

@shyim

shyim commented Apr 19, 2022

The connections get declined with userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

See references

https://youtrack.jetbrains.com/issue/IDEA-291877/Unable-to-connect-to-OpenSSH-8.8+-servers-with-RSA-keys
https://administrator.de/knowledge/openssh-8-8-update-putty-versions-hinweis-1373660060.html

Adding

PubkeyAcceptedAlgorithms +ssh-rsa

to sshd config fixes it.

ssh, sftp and scp on the CLI work for that server without that config

PS C:\Users\shyim> ssh-add -l
4096 SHA256:6vihnhOFvWrHDSMlXovXZqMBK0tATlX2IaqdA+MtzcU cardno:10 655 981 (RSA)
@AliveDevil AliveDevil added help wanted sftp SFTP Protocol Implementation labels Apr 20, 2022
@AliveDevil
Contributor

Which Cyberduck version?
Can you send us the log output from ssh -v and Cyberduck (with debug logging enabled) [1] without the PubkeyAcceptedAlgorithms option?

Footnotes

  1. https://docs.cyberduck.io/cyberduck/support/#logging-output

@shyim
Author

shyim commented Apr 20, 2022

❯ ssh -v root@aelia.shyim.de
OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/shyim/.ssh/config
debug1: /Users/shyim/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /Users/shyim/.ssh/groups/benchmark
debug1: Reading configuration data /Users/shyim/.ssh/groups/downtown
debug1: Reading configuration data /Users/shyim/.ssh/groups/private
debug1: Reading configuration data /Users/shyim/.ssh/groups/shopware
debug1: Reading configuration data /Users/shyim/.platformsh/ssh/session.config
debug1: Reading configuration data /Users/shyim/.platformsh/.session/sess-cli-default/ssh/config
debug1: /Users/shyim/.ssh/config line 10: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to aelia.shyim.de port 22.
debug1: Connection established.
debug1: identity file /Users/shyim/.ssh/id_rsa type -1
debug1: identity file /Users/shyim/.ssh/id_rsa-cert type -1
debug1: identity file /Users/shyim/.ssh/id_dsa type -1
debug1: identity file /Users/shyim/.ssh/id_dsa-cert type -1
debug1: identity file /Users/shyim/.ssh/id_ecdsa type -1
debug1: identity file /Users/shyim/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/shyim/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/shyim/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/shyim/.ssh/id_ed25519 type -1
debug1: identity file /Users/shyim/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/shyim/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/shyim/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/shyim/.ssh/id_xmss type -1
debug1: identity file /Users/shyim/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to aelia.shyim.de:22 as 'root'
debug1: load_hostkeys: fopen /Users/shyim/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:oOpAG+kax02295SSBXHJO//+7uJNTr5CfErVvfJGm3k
debug1: load_hostkeys: fopen /Users/shyim/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'aelia.shyim.de' is known and matches the ED25519 host key.
debug1: Found key in /Users/shyim/.ssh/known_hosts:19
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: cardno:13 333 559 RSA SHA256:6vihnhOFvWrHDSMlXovXZqMBK0tATlX2IaqdA+MtzcU agent
debug1: Will attempt key: shyim@Soners-MacBook-Pro.local RSA SHA256:hyT11UGALE9+aJy5bQkf5EoCwvDqHBbcDrXeBr7lUcE agent
debug1: Will attempt key: /Users/shyim/.ssh/id_rsa
debug1: Will attempt key: /Users/shyim/.ssh/id_dsa
debug1: Will attempt key: /Users/shyim/.ssh/id_ecdsa
debug1: Will attempt key: /Users/shyim/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/shyim/.ssh/id_ed25519
debug1: Will attempt key: /Users/shyim/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/shyim/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:13 333 559 RSA SHA256:6vihnhOFvWrHDSMlXovXZqMBK0tATlX2IaqdA+MtzcU agent
debug1: Server accepts key: cardno:13 333 559 RSA SHA256:6vihnhOFvWrHDSMlXovXZqMBK0tATlX2IaqdA+MtzcU agent
debug1: Authentication succeeded (publickey).
Authenticated to aelia.shyim.de ([142.132.213.189]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/shyim/.ssh/known_hosts for aelia.shyim.de / (none)
debug1: client_input_hostkeys: searching /Users/shyim/.ssh/known_hosts2 for aelia.shyim.de / (none)
debug1: client_input_hostkeys: hostkeys file /Users/shyim/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /etc/ssh/authorized_keys.d/root:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /etc/ssh/authorized_keys.d/root:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.4.15"

cyberduck.log
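
Added example, not part of the thread and not Cyberduck's code: the `ssh-rsa` in the server's error names the signature algorithm the client requested, which is separate from the RSA key itself. Under RFC 8332 a client holding an RSA key picks `rsa-sha2-512` or `rsa-sha2-256` from the server's `server-sig-algs` and, when the key lives in an agent, asks for that hash through the flags field of the agent sign request. The sample debug line is constructed and all function names are hypothetical.

```python
import re
import struct

# Agent protocol constants (draft-miller-ssh-agent).
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04

# Signature algorithms usable with an ssh-rsa key, strongest first,
# paired with the agent flag that requests each (0 = legacy SHA-1).
RSA_SIG_ALGS = [
    ("rsa-sha2-512", SSH_AGENT_RSA_SHA2_512),
    ("rsa-sha2-256", SSH_AGENT_RSA_SHA2_256),
    ("ssh-rsa", 0),
]

# Constructed sample: an `ssh -v` line from a server that no longer accepts ssh-rsa.
SAMPLE = ("debug1: kex_input_ext_info: server-sig-algs="
          "<ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>")


def server_sig_algs(debug_output):
    """Return the server-sig-algs list found in `ssh -v` output ([] if absent)."""
    m = re.search(r"server-sig-algs=<([^>]*)>", debug_output)
    return m.group(1).split(",") if m else []


def pick_rsa_signature(offered, allow_sha1=False):
    """Pick (algorithm, agent_flags) for an RSA key, or None if nothing is acceptable."""
    for name, flags in RSA_SIG_ALGS:
        if name in offered and (name != "ssh-rsa" or allow_sha1):
            return name, flags
    return None


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def agent_sign_request(key_blob, data, flags):
    """Build a length-prefixed SSH_AGENTC_SIGN_REQUEST carrying the signature flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    alg, flags = pick_rsa_signature(server_sig_algs(SAMPLE))
    print(alg, flags, agent_sign_request(b"<key blob>", b"<session data>", flags).hex())
```

A client that leaves the flags at 0 gets a SHA-1 signature back from the agent and has to present it as `ssh-rsa`, which is the algorithm name the server's `PubkeyAcceptedAlgorithms` check rejects.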

@ylangisc ylangisc added bug and removed help wanted labels Apr 21, 2022
@ylangisc
Contributor

I can confirm this issue when using the agent. Connections with the private key selected explicitly in the bookmark work fine.

@ylangisc
Contributor

Relates to hierynomus/sshj#763.

@ylangisc ylangisc added this to the 8.3.3 milestone Apr 21, 2022
@ylangisc
Contributor

Depends on iterate-ch/jsch-agent-proxy#1.

@ylangisc ylangisc self-assigned this Apr 21, 2022
@dkocher dkocher linked a pull request Apr 26, 2022 that will close this issue
dkocher added a commit that referenced this issue Apr 27, 2022
@shyim
Author

shyim commented Apr 27, 2022

When does this land in a snapshot? Interested to test it :)

@dkocher
Contributor

dkocher commented Apr 28, 2022

> When does this land in a snapshot? Interested to test it :)

This change is included in build 8.3.3.37537 and later.
