ssh-agent: agent returned different signature type

[stevehipwell]

"OpenSSH for Windows" version
7.7.2.0

Client OperatingSystem
Windows 10 Enterprise (1709)

What is failing
I've installed the 'ssh-agent' service. I call ssh-add to add my key to the agent. I'm asked to provide my passphrase, which I do. When I use the ssh command I get warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512).

Expected output
No warning.

Actual output
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512).

[manojampalam]

Can you detail how the keys were generated in the first place?

[Morten242]

In my case I generated it using ssh-keygen from System32/OpenSSH (don't remember but I don't think I had any extra arguments).

[stevehipwell]

I also generated mine with ssh-keygen without arguments.

[manojampalam]

Got it. Investigating.

[the1derer]

The reason for this is you are giving public key to ssh-agent via ssh-add eg ssh-add FILE_NAME.pub instead of private key i.e. ssh-add FILE_NAME.

[stevehipwell]

@the1derer if you're replying to the original issue please see that the command used was ssh-add without any arguments.

[davidmatson]

For a discussion of this symptom in another product see:
cuviper/ssh-pageant#55

Especially:

This warning was added in OpenSSH 7.7:

https://www.openssh.com/txt/release-7.7

ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
a rsa-sha2-256/512 signature was requested. This condition is possible
when an old or non-OpenSSH agent is in use. bz#279

[admo]

Hi,
I do not want to duplicate issues. Should I open new issue, please let me know.
ssh client version: OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
ssh server version: OpenSSH_7.9p1, OpenSSL 1.1.1 FIPS 11 Sep 2018

I'm also warned about different signature. Moreover, authentication with public key fails, and ssh client falls back to password authentication:

debug1: Offering public key: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU C:\\Users\\adamo/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
debug3: sign_and_send_pubkey: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

Log from server:

sshd: debug1: attempt 1 failures 0 [preauth]                                                                                                                         [10/683]gru 16 22:08:18 little-helper sshd[6951]: debug2: input_userauth_request: try method publickey [preauth]
sshd: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU [preauth]
sshd: debug3: mm_key_allowed entering [preauth]
sshd: debug3: mm_request_send entering: type 22 [preauth]
sshd: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
sshd: debug3: mm_request_receive_expect entering: type 23 [preauth]
sshd: debug3: mm_request_receive entering [preauth]
sshd: debug3: mm_request_receive entering
sshd: debug3: monitor_read: checking request 22
sshd: debug3: mm_answer_keyallowed entering
sshd: debug3: mm_answer_keyallowed: key_from_blob: 0x555846342180
sshd: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
sshd: debug1: trying public key file /home/adamo/.ssh/authorized_keys
sshd: debug1: fd 13 clearing O_NONBLOCK
sshd: debug1: /home/adamo/.ssh/authorized_keys:1: matching key found: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
sshd: debug1: /home/adamo/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sshd: Accepted key RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU found at /home/adamo/.ssh/authorized_keys:1
sshd: debug1: restore_uid: 0/0
sshd: debug3: mm_answer_keyallowed: publickey authentication test: RSA key is allowed
sshd: debug3: mm_request_send entering: type 23
sshd: debug3: send packet: type 60 [preauth]
sshd: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
sshd: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
sshd: debug3: ensure_minimum_time_since: elapsed 2.084ms, delaying 6.077ms (requested 8.161ms) [preauth]
sshd: Postponed publickey for adamo from XXX.XXX.XXX.XXX port 59384 ssh2 [preauth]
sshd: debug3: receive packet: type 50 [preauth]
sshd: debug1: userauth-request for user adamo service ssh-connection method publickey [preauth]
sshd: debug1: attempt 2 failures 0 [preauth]
sshd: debug2: input_userauth_request: try method publickey [preauth]
sshd: debug3: userauth_pubkey: have rsa-sha2-512 signature for RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU [preauth]
sshd: debug3: mm_key_allowed entering [preauth]
sshd: debug3: mm_request_send entering: type 22 [preauth]
sshd: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
sshd: debug3: mm_request_receive_expect entering: type 23 [preauth]
sshd: debug3: mm_request_receive entering [preauth]
sshd: debug3: mm_request_receive entering
sshd: debug3: monitor_read: checking request 22
sshd: debug3: mm_answer_keyallowed entering
sshd: debug3: mm_answer_keyallowed: key_from_blob: 0x55584634df40
sshd: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
sshd: debug1: trying public key file /home/adamo/.ssh/authorized_keys
sshd: debug1: fd 13 clearing O_NONBLOCK
sshd: debug1: /home/adamo/.ssh/authorized_keys:1: matching key found: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
sshd: debug1: /home/adamo/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sshd: Accepted key RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU found at /home/adamo/.ssh/authorized_keys:1
sshd: debug1: restore_uid: 0/0
sshd: debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
sshd: debug3: mm_request_send entering: type 23
sshd: debug3: mm_sshkey_verify entering [preauth]
sshd: debug3: mm_request_send entering: type 24 [preauth]
sshd: debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
sshd: debug3: mm_request_receive_expect entering: type 25 [preauth]
sshd: debug3: mm_request_receive entering [preauth]
sshd: debug3: mm_request_receive entering
sshd: debug3: monitor_read: checking request 24
sshd: debug3: mm_answer_keyverify: publickey 0x555846351160 signature unverified
sshd: debug1: auth_activate_options: setting new authentication options
sshd: debug3: mm_request_send entering: type 25
sshd: Failed publickey for adamo from XXX.XXX.XXX.XXX port 59384 ssh2: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
sshd: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
sshd: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
sshd: debug3: ensure_minimum_time_since: elapsed 0.946ms, delaying 7.214ms (requested 8.161ms) [preauth]
sshd: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
sshd: debug3: send packet: type 51 [preauth]

However, if I remove keys from ssh-agent and ssh uses keys from %USERPROFILE%\.ssh, then authentication succeed:

debug1: Offering public key: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU C:\\Users\\adamo/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
debug3: sign_and_send_pubkey: RSA SHA256:THSeSgCr3A5YDRNtlmgjyWn2Ik5sy2ooxtfIwMKQphU
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Is it a bug? Are you aware of it? Is there any workaround for it?

[manojampalam]

@admo what's your server OS & OpenSSH version ?

[admo]

@manojampalam OpenSSH_7.9p1, OpenSSL 1.1.1 FIPS 11 Sep 2018

[manojampalam]

Thanks. ssh-agent on Windows is using an older signing algorithm that your sever is rejecting. The issue is with ssh-agent version on Windows and there isn't any workaround unfortunately. I'll have it fixed shortly and can issue a patched version of ssh-agent if you prefer.

[admo]

@manojampalam understood. Could I somehow deploy patched version on my host?

[musm]

It's not clear what the fix is here? I'm seeing this.

[x3ro]

Hey @manojampalam, is there a way to update the agent binary without having to wait for a windows update?

Edit: Never mind, I figured it out myself. I ended up downloading the latest release (v7.9.0.0p1-Beta at this time) and replaced the files in C:\Windows\System32\OpenSSH (had to to some tinkering with permissions before I was able to). I realize this is probably not the "officially supported" way though, so feel free to chime in if you know of something better :)

[manojampalam]

The is one other less intrusive way. Download the latest release bits to a different location, edit install.ps1 to just install ssh-agent service. This will override the default ssh-agent service registration to pick up binary from new location.

[dbuades]

The is one other less intrusive way. Download the latest release bits to a different location, edit install.ps1 to just install ssh-agent service. This will override the default ssh-agent service registration to pick up binary from new location.

Works flawlessly, thanks!

In case someone finds it useful: download the latest release from here and substitute the "install-sshd.ps1" script for this one.

Also, remember to temporarily change Windows' Execution Policy in order to allow the script to execute, as described here.

[musm]

@dbuades can MSFT post your script somewhere with instructions

[SuperSandro2000]

When does this get released? This prevents vscode remote from properly functioning.

[altano]

Does it? I’ve been messing with vscode remoting since it was released in the Insiders beta and it seems fine?

[SuperSandro2000]

It does since I updated my server to Ubuntu 19.04 today. I get the signature mismatch, the login attempt gets aborted and fail2ban blocks my after a few tries.

[dbuades]

@dbuades can MSFT post your script somewhere with instructions

Sure thing, but it would be easier if they just updated the OpenSSH version bundled with Windows. My script is just a workaround until they update it.

[altano]

@manojampalam / @musm can you communicate what the cause of the delay is in deploying the fix? Sounds like you fixed this 6 months ago. I've been recommending people use this ssh client instead of PuTTY but I am starting to think I should stop doing that?

[AllanOricil]

ssh-keygen -t ecdsa -b 521

this is the easiest solution. Thanks

[metablaster]

@joe-p

ssh-keygen -t ecdsa -b 521 -G .\test.key
ssh-add .\test.key

Error loading key ".\test.key": invalid format

I was hoping for your solution to indeed work but this software just doesn't work as expected.

[AllanOricil]

@joe-p

ssh-keygen -t ecdsa -b 521 -G .\test.key
ssh-add .\test.key

Error loading key ".\test.key": invalid format

I was hoping for your solution to indeed work but this software just doesn't work as expected.

@metablaster I saw this error message too. To fix that I used a Full Path, instead of Relative. e.g. c:%USER%.ssh\yourkey

[metablaster]

Ah OK, thank you!

It looks like problem is not with relative path but with -G option!

ssh-keygen -t ecdsa -b 521 -G C:\Users\USERNAME\.ssh\id_ecdsa

What will happen is that no public key will be generated, only private (or vice versa?),
since no key pair is made that's what "invalid format" probably means.

I tried escaping the path but no change:

ssh-keygen -t ecdsa -b 521 -G C:\\Users\\USERNAME\\.ssh\\id_ecdsa

Anyway omitting the -G option and then specifying path when prompted works just fine.

It's also strange that specifying -G option will take 55 sec. to generate key, while without -G option the key is generated in just 3 seconds.

[Omniptizator]

So, it's been 1.5 years and this is still not fixed? Way to go, guys... @bingbing8 is my assumption correct, that this issue will never make it now to WIn10 release, as OpenSSH is being maintained in this repo?

[gronostajo]

@Omniptizator As already explained in this thread, the issue is fixed and you can download a release containing this fix from the Releases page of this project. I've posted a guide how to use it in a comment above. Whether the version containing a fix is included in Windows is not up to this project's maintainers.

[Omniptizator]

@gronostajo seems like I've got wrong impression about this repository then. The guide helps, thank you for your explanation!

Edit: I'm sorry about letting my frustration go the wrong way. Hopefully, this will at least prevent comments/questions of such kind further in this thread.

[NatoBoram]

For people like @Omniptizator still looking for an answer that was already posted many times before, here's an easier installation method.

This repository is available via scoop.

sudo scoop install -g win32-openssh
sudo C:\ProgramData\scoop\apps\win32-openssh\current\install-sshd.ps1
sudo Set-Service -Name ssh-agent -StartupType Automatic
sudo Start-Service ssh-agent

Once it's installed, you won't have to deal with this error anymore.

[xenadmin]

@NatoBoram Isn't that the point? That, since MS added an openssh-client to the OS, it should be also part of Windows Updates/Upgrades, to be kept on the latest release? Without the need for any Third-Party software?

[gronostajo]

@xenadmin We all agree that it's frustrating that the fix is not available in Windows by default. This is a repository for OpenSSH though, not for Windows. What's bundled with Windows is not within scope of this project.

[xenadmin]

@gronostajo It was that comment (#1263 (comment)) that lead me to my assumption.

[musm]

MSFT should've never released OpenSSH through Windows Optional features in the first place, since it never gets updated. They should've distributed it via the store...

[djmcfar]

Today is 02-12-2021 and the lastest Window's update (which came last night) did not have the fix. It's Version 2004 OS Build 19041.804. Running the install powershell from your downloadable update fixed it for me, except the that the next Window's update that comes down the line will probably break it, and I'll have to re-install your update, but thank you for making this update/fix publicly available !

[moa650]

This repository is available via scoop.

sudo scoop install -g win32-openssh
sudo C:\ProgramData\scoop\apps\win32-openssh\current\install-sshd.ps1
sudo Set-Service -Name ssh-agent -StartupType Automatic
sudo Start-Service ssh-agent

Once it's installed, you won't have to deal with this error anymore.

Confirmed this worked but I had to backtrack and first install scoop then
scoop install sudo.

Thanks.. very annoying.

[shyney7]

@joe-p thank you so much for your solution! This worked for me. I really think Microsoft should update their openssh integration with windows update or at least integrate a fix within the newer versions of powershell.

[crl0wryjr]

I have 3 different Linux-based systems running in my home. Two of the systems worked, while the one running Ubuntu Server 20.10 presented the key mismatch error.

Following the advice from above, I:

• installed SCOOP
• SCOOP installed SUDO
• installed the latest openSSH package
  --- sudo` scoop install -g win32-openssh
• ran the installer
  --- sudo C:\ProgramData\scoop\apps\win32-openssh\current\install-sshd.ps1
• set the agent to run automatically and then started it
  ---sudo Set-Service -Name ssh-agent -StartupType Automatic
  ---sudo Start-Service ssh-agent`

Afterwards ssh'ing to all 3 systems worked correctly.
Total time: ~15 minutes

[derekmahar]

Chocolatey provides OpenSSH 8.0.0.1:

PS C:\Users\derek> choco info openssh
Chocolatey v0.10.15
openssh 8.0.0.1 [Approved]
 Title: Win32 OpenSSH (Universal Installer) | Published: 2019-06-25
 Package approved as a trusted package on Aug 23 2020 09:48:44.
 Package testing status: Passing on Jun 25 2019 11:09:31.
 Number of Downloads: 5251069 | Downloads for this version: 1304437
 Package url
 Chocolatey Package Source: https://github.com/DarwinJS/ChocoPackages/tree/master/openssh
 Package Checksum: 'lak7BlzqMNK+9hFdNuFlox9Z/uQKzWjmyNaCIV7A/K6hpKbxOTX3cCk/BJXXjFl2id7Lig+8aCzd6zThRiy9KA==' (SHA512)
 Tags: openssh admin
 Software Site: https://github.com/PowerShell/Win32-OpenSSH
 Software License: https://raw.githubusercontent.com/PowerShell/Win32-OpenSSH/L1/LICENCE
 Software Source: https://github.com/PowerShell/Win32-OpenSSH
 Documentation: https://github.com/PowerShell/Win32-OpenSSH/wiki
 Issues: https://github.com/PowerShell/Win32-OpenSSH/issues
 Summary: Open SSH tools for Windows - works in all CLIs.
 Description: Open SSH tools for Windows.

From PowerShell as Administrator, install OpenSSH with the ssh-agent service:

choco install openssh -params '"/SSHAgentFeature"' --confirm

[FlexMcMurphy]

@derekmahar

When I run that command in Powershell I get: ERROR: The running command stopped because the preference variable ErrorActionPreference" or common parameter is set to Stop: Service ' (ssh-agent)' cannot be created due to the following error: The specified service already exists

Do I need to uninstall ssh-agent first?

[derekmahar]

@FlexMcMurphy I'd guess that you'd have to remove all instances of the OpenSSH client, in particular the optional one in Windows.

[FlexMcMurphy]

@derekmahar
This worked for me. I uninstalled OpenSSH on Windows 10, had to reboot, then ran your command and now I don't get the error: warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512) when key registered with ssh-agent when I ssh from Windows command prompt to my Linux server.

Cheers.

[mohsentaleb]

In my experience, (Windows 10 - 20H2 OS Build 19042.928) I didn't have to install newer OpenSSH via Chocolatey or anything. I uninstalled OpenSSH client (Start -> Apps & Features -> Other Features), restarted the system and then installed it again and it fixed the problem.
Make sure you start the OpenSSH Authentication Agent service again after you installed it for the second time.

[hmmmk]

I was having problems with the @gronostajo solution and VSCode, but using ECDSA instead of RSA with the default Windows OpenSSH client worked for me (I had to uninstall the client, delete the files downloaded from the repository, and reinstall the OpenSSH client to ensure I was working with the default client).

To use ECDSA simply run:

ssh-keygen -t ecdsa -b 521
ssh-add [path to id_ecdsa]

This resulted in SSH working properly in PowerShell and in VSCode. The nice thing about this solution is that you don't need to worry about file permissions or Windows overwriting any changes. This is also the solution suggested in a VSCode article on remote docker contexts: https://code.visualstudio.com/docs/containers/ssh

genius

[electr0sheep]

Windows updated today, which made my start menu and taskbar completely transparent (had to disable transparency effects to fix), as well as breaking ssh again. So glad I found/commented/followed this thread so I could remember what I did to fix it! Wonder if it's ever not gonna be broken 🤣

[altano]

The official Windows Update 20H2 is here and the problem persists unfortunately.

If anyone is curious, Windows 20H2 (19042.928) comes with OpenSSH 7.7.2.1:

PS C:\> Get-Command ssh

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     ssh.exe                                            7.7.2.1    C:\Windows\System32\OpenSSH\ssh.exe

This version was released in 2018. Microsoft has been saying a new release of OpenSSH will come with every single Windows update, and every single update does not have a new version. They clearly have abandoned this project. Don't install it through Windows. Stop waiting for it to be fixed.

[bagajjal]

Please refer to #1693 for news about OpenSSH V8.1.
It's part of April windows update (Cumulative Non-sec update) which is available by end of this month.

[gronostajo]

Windows 10 version 21H1 comes with OpenSSH 8.1, which has this bug fixed. The PATH modification can be reverted now, so that ssh.exe from System32 is the default one (check where ssh output).

The upgrade to 21H1 disables the agent service though. It must be re-enabled in services.msc.

[djipih]

Under Windows 10.8 LTS Arium ([version 10.0.19044.3086), I fixed the problem with the installation of :
https://github.com/PowerShell/Win32-OpenSSH

[SheepDomination]

Is there any workaround for Windows 10.0.18363 N/A Build 18363 ?