SSH rsa issue and workaround
I was experimenting with Azure DevOps from Fedora, where I observed an ssh client connection issue. The issue is related to up-to-date ssh clients blocking the deprecated ssh-rsa signature algorithm. The issue blocks any ssh connection to a server, including git commands such as git pull, git push, git clone and friends.

The Azure DevOps dashboard provides checkout solutions for various development IDEs and directly via the ssh git clone command.

When ssh git clone is used, an ssh keypair must be set up on the development machine.

    cd ~/.ssh
    ssh-keygen
    # NOTE: do NOT overwrite any key pairs unless you know what you are doing !
    # NOTE: parameters may be needed, read ssh-keygen man page

Name the keypair and provide a password if needed:

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/[user name]/.ssh/id_rsa): id_key_name_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:

At this point the two following files are available in the ~/.ssh folder:

    id_key_name_rsa # private key, keep it safe, secure and do NOT share this
    id_key_name_rsa.pub # public key

The content of the id_key_name_rsa.pub public key must be added in the Azure DevOps dashboard in SSH public keys under user settings.

At this point the following git clone command should be possible:

    git clone git@ssh.dev.azure.com:v3/[user]/[project]/[repo]

But on Fedora I get the following response:

    Cloning into '[repo]'...
    git@ssh.dev.azure.com's password:

Access should be possible at this point without a password. In order to debug further I created the following ~/.ssh/config file.

    Host ssh.dev.azure.com
        User git
        IdentityFile ~/.ssh/id_key_name_rsa
        IdentitiesOnly yes

And executed the following:

    ssh -v ssh.dev.azure.com
    ...
    ...
    debug1: send_pubkey_test: no mutual signature algorithm
    debug1: Next authentication method: password
    ...
    ...

The issue is related to the output 'no mutual signature algorithm'. In short: a signature algorithm is missing, and in this case it is the ssh-rsa signature algorithm.

The following ssh config change allows the ssh client to access the server.

    Host ssh.dev.azure.com
        User git
        IdentityFile ~/.ssh/[name of rsa file]
        IdentitiesOnly yes
        PubkeyAcceptedKeyTypes=ssh-rsa

    Host azure_access
        Hostname ssh.dev.azure.com
        User git
        IdentityFile ~/.ssh/[name of rsa file]
        IdentitiesOnly yes
        PubkeyAcceptedKeyTypes=ssh-rsa

The important line is PubkeyAcceptedKeyTypes=ssh-rsa, which enables the ssh-rsa signature algorithm. This may be a security issue for your use case. See links for further information.

Based on these changes I was able to check out from the Azure DevOps project using one of the following lines.

    git clone ssh.dev.azure.com:v3/[user]/[project]/[repo]
    git clone git@ssh.dev.azure.com:v3/[user]/[project]/[repo]
    git clone azure_access:v3/[user]/[project]/[repo]

As of writing, the public key output from 'ssh-keygen -t ed25519' produces the following error when copied into the Azure DevOps dashboard in SSH public keys under user settings.

    Invalid key: Key must be Base64 encoded with OpenSSH format and RSA type. Valid keys will start with "ssh-rsa".

For now the PubkeyAcceptedKeyTypes setting must be used, either in the ssh config or in the system's ssh client config.
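Since the ssh-rsa exception can live in a per-host block or in a system-wide config, it is worth checking that it stays limited to the Azure host. The following bash script is an added example, not part of the original post: it lists every line of an ssh client config that accepts ssh-rsa and the scope it applies to. The function names and the sample config are constructed for illustration; PubkeyAcceptedAlgorithms is matched as well because it is the newer OpenSSH name for the same option.

```shell
#!/usr/bin/env bash
# Added example: list where an ssh client config accepts ssh-rsa signatures.
# Output: "<line number> <scope>"; scope is GLOBAL (before any Host line or
# under "Host *") or the Host/Match block the setting is limited to.
find_ssh_rsa_scopes() {
  awk '
    BEGIN { scope = "GLOBAL" }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      if (line == "" || line ~ /^#/) next
      # ssh_config separates keyword and value by whitespace or one "="
      if (!match(line, /[ \t]*=[ \t]*|[ \t]+/)) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      if (key == "host") {
        scope = "Host:" val
        n = split(val, pats, /[ \t]+/)
        for (i = 1; i <= n; i++) if (pats[i] == "*") scope = "GLOBAL"
        next
      }
      if (key == "match") { scope = "Match:" val; next }
      # PubkeyAcceptedAlgorithms is the newer name of PubkeyAcceptedKeyTypes
      if (key != "pubkeyacceptedkeytypes" && key != "pubkeyacceptedalgorithms") next
      if (val ~ /^-/) next          # a leading "-" removes algorithms
      sub(/^[+^]/, "", val)         # "+" appends, "^" prepends to the defaults
      n = split(val, algs, ",")
      for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") { print NR, scope; break }
    }
  ' "$1"
}

# Succeeds only when every ssh-rsa exception sits inside a specific block.
ssh_rsa_is_scoped() {
  ! find_ssh_rsa_scopes "$1" | grep -q ' GLOBAL$'
}

# Constructed sample config (not from the original post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
PubkeyAcceptedAlgorithms +ssh-rsa
Host ssh.dev.azure.com
  User git
  PubkeyAcceptedKeyTypes=ssh-rsa
Host *
  PubkeyAcceptedKeyTypes rsa-sha2-512,ssh-rsa
EOF
find_ssh_rsa_scopes "$sample"
ssh_rsa_is_scoped "$sample" || echo "ssh-rsa is enabled for all hosts"
```

Run it against ~/.ssh/config and the system ssh client config; only the Azure host block should be reported.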