ssh: support for new key algorithms rsa-sha2-256/rsa-sha2-512

[wenerme]

# ok with identity file
SSH_AUTH_SOCK= ssh -i ./credentials/admin_rsa [email protected] uname
# ok with ssh-agent
ssh [email protected] uname

spec:
  hosts:
  - ssh:
      address: 192.168.1.61
      user: admin
      port: 22
      keyPath: ./credentials/admin_rsa
    role: controller+worker

# not ok
k0sctl reset -f
# not ok
SSH_AUTH_SOCK= k0sctl reset -f

output

k0sctl v0.12.6 Copyright 2021, k0sctl authors.
By continuing to use k0sctl you agree to these terms:
https://k0sproject.io/licenses/eula
INFO ==> Running phase: Connect to hosts 
ERRO [ssh] 192.168.1.61:22: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain 
FATA failed on 1 hosts:
 - [ssh] 192.168.1.61:22: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain 

version

version: v0.12.6
commit: d5f7d66

[kke]

How about leaving out keyPath and just using the agent?

[wenerme]

I will try when I back home.

Why address must be ip address instead allowed host in ~/.ssh/config, can not access this host without multi jump host.

[wenerme]

@kke without keyPath

ERRO can't parse keyfile ~/.ssh/id_rsa: ssh: this private key is passphrase protected 

but the key is already added

ssh-add -l | grep credentials/admin_rsa

[wenerme]

removed ~/.ssh/id_rsa still get the same error, but ssh works.

[kke]

Hmm, I wonder if it's actually trying to use the SSH_AUTH_SOCK, it should try it right after that error.

	_, err := os.Stat(c.KeyPath)
	if err != nil && !c.keypathDefault { 
		return err
	}
	if err == nil {
		var key []byte
		key, err = os.ReadFile(c.KeyPath)
		if err != nil {
			return err
		}
		signer, err := ssh.ParsePrivateKey(key)
		if err != nil {
			log.Errorf("can't parse keyfile %s: %s", c.KeyPath, err.Error())  // <-- the error comes from here
		} else {
			pubkeySigners = append(pubkeySigners, signer)
		}
	}

	sshAgentSock := os.Getenv("SSH_AUTH_SOCK") // <-- it should continue from here even with the error message
	if sshAgentSock != "" {
		sshAgent, err := net.Dial("unix", sshAgentSock)
		if err != nil {
			log.Errorf("can't connect to SSH agent auth socket %s: %s", sshAgentSock, err)
		} else {
			signers, err := agent.NewClient(sshAgent).Signers()
			if err == nil {
				pubkeySigners = append(pubkeySigners, signers...)
			}
		}
	}

Jump-hosts are possible via the "bastion" setting:

spec:
  hosts:
    - role: controller
      ssh:
        address: 10.0.0.2
        user: ubuntu
        keyPath: ~/.ssh/id_rsa
        bastion:
          address: 10.0.0.1
          user: root
          keyPath: ~/.ssh/id_rsa2

Using named hosts from ~/.ssh/config is doable, but there may be some problems when k0sctl tries to use the address for figuring things out in the discovery phase.

[wenerme]

@kke To access the host need tow jump host.

Maybe caused by golang/go#49952

ssh-keygen -l -f key

2048 SHA256:XXX  (RSA)

dose this mean the key is rsa-sha2-256

[kke]

I'll update the ssh library dependency, let's see what that does.

[wenerme]

One more reference bfritz/homelab-bootstrap@11fad69

Using alpine 3.15

[wenerme]

This is the problem, after add

PubkeyAcceptedAlgorithms +ssh-rsa

to sshd_config, works now.

[wenerme]

@kke still not fixed, x/crypto/ssh do not support rsa-sha2-256/rsa-sha2-512 according to golang/go#49952

[kke]

This will have to wait then, good thing there's a workaround.

[wenerme]

how about switch to this for now ?

replace golang.org/x/crypto => github.com/rmohr/crypto v0.0.0-20211203105847-e4ed9664ac54

enable ssh-ras is not good

[kke]

Whoops, merging the rig PR auto-closed this issue.

[kke]

Does https://github.com/k0sproject/k0sctl/releases/tag/v0.13.0-beta.7 fix it for you?

[Skaronator]

Still doesn't work for me, at least on a Windows machine using the Microsoft OpenSSH Agent in CMD/PowerShell. Also tried Git Bash with the Git Bash SSH Agent but doesn't work either.

k0sctl version
version: v0.13.0-rc.1
commit: 92876fb

C:\Users\Niklas\Workspace\homelab\config>k0sctl backup -c k0sctl.yaml

⠀⣿⣿⡇⠀⠀⢀⣴⣾⣿⠟⠁⢸⣿⣿⣿⣿⣿⣿⣿⡿⠛⠁⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀█████████ █████████ ███
⠀⣿⣿⡇⣠⣶⣿⡿⠋⠀⠀⠀⢸⣿⡇⠀⠀⠀⣠⠀⠀⢀⣠⡆⢸⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀███          ███    ███
⠀⣿⣿⣿⣿⣟⠋⠀⠀⠀⠀⠀⢸⣿⡇⠀⢰⣾⣿⠀⠀⣿⣿⡇⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀███          ███    ███
⠀⣿⣿⡏⠻⣿⣷⣤⡀⠀⠀⠀⠸⠛⠁⠀⠸⠋⠁⠀⠀⣿⣿⡇⠈⠉⠉⠉⠉⠉⠉⠉⠉⢹⣿⣿⠀███          ███    ███
⠀⣿⣿⡇⠀⠀⠙⢿⣿⣦⣀⠀⠀⠀⣠⣶⣶⣶⣶⣶⣶⣿⣿⡇⢰⣶⣶⣶⣶⣶⣶⣶⣶⣾⣿⣿⠀█████████    ███    ██████████
k0sctl v0.13.0-rc.1 Copyright 2021, k0sctl authors.
Anonymized telemetry of usage will be sent to the authors.
By continuing to use k0sctl you agree to these terms:
https://k0sproject.io/licenses/eula
INFO ==> Running phase: Connect to hosts
ERRO can't parse keyfile C:\Users\Niklas\.ssh\id_rsa: ssh: this private key is passphrase protected
ERRO [ssh] 192.168.178.5:22: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
ERRO backup failed - log file saved to C:\Users\Niklas\AppData\Local/k0sctl/k0sctl.log
segment 2022/03/29 00:09:29 ERROR: sending request - Post "https://api.segment.io/v1/batch": dial tcp: lookup api.segment.io: getaddrinfow: The requested name is valid, but no data of the requested type was found.
segment 2022/03/29 00:09:29 ERROR: 3 messages dropped because they failed to be sent and the client was closed
FATA failed on 1 hosts:
 - [ssh] 192.168.178.5:22: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

C:\Users\Niklas\Workspace\homelab\config>ssh 192.168.178.5
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 29 Mar 2022 12:09:38 AM CEST

  System load:  0.52                Users logged in:              1
  Usage of /:   76.7% of 116.12GB   IPv4 address for enp1s0f0:    192.168.0.5
  Memory usage: 86%                 IPv4 address for enp1s0f1:    192.168.178.5
  Swap usage:   0%                  IPv4 address for kube-bridge: 10.244.0.1
  Processes:    894

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


*** System restart required ***
Last login: Tue Mar 29 00:08:47 2022 from 192.168.178.10
niklas@amy:~$ logout
Connection to 192.168.178.5 closed.

[twz123]

@Skaronator The log snippets you provided indicate that this is a different problem as described in this issue. The key you're trying to use is encrypted:

ERRO can't parse keyfile C:\Users\Niklas.ssh\id_rsa: ssh: this private key is passphrase protected

and hence k0sctl tries to connect without any means of authentication:

ERRO [ssh] 192.168.178.5:22: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain

You already said that you tried with the Git Bash SSH Agent. Did you check if the SSH_AUTH_SOCK environment variable was set to the right value in the shell in which you were invoking k0sctl? Moreover, was your private key properly added to the SSH Agent?

Alternatively, instead of using your personal private key, you could generate a separate keypair, just for the provisioning of k0s hosts, and keep the private key of that keypair unencrypted.

If the problem persists, feel free to open a new issue for that.