Description of problem:

Setup 1:
  Windows Machine --SC--> rhel-7-3 --> rhel-7.2 / rhel-6
    # ssh rhel-7-1              // Works fine
    rhel-7-3$ ssh rhel-6        // Works fine
    rhel-7-3$ ssh rhel-7.2      // Works fine

Setup 2:
  Windows Machine --SC--> rhel7-4 --> rhel7-4-1 / rhel-6
    # ssh rhel-7-4              // Works fine
    rhel-7-4$ ssh rhel-6        // Works fine
    rhel-7-4$ ssh rhel7-4-1     // Broken

Note:
- SC means Smart card
- Public keys present on rhel6, rhel7.4, rhel7.3 inside (~/.ssh/authorized_keys) are all the same.
- There are no issues in login from rhel7.3 to rhel7.3, rhel6 etc. The issue is only b/w rhel7.4 and rhel7.4.

Additional info:

From our server to a rhel6 server:
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
debug3: sign_and_send_pubkey: RSA SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
This connection works.

From our server to a rhel7 server:
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
debug3: sign_and_send_pubkey: RSA SHA256:IdElDYHHdZoi83s+VK0ls/qE62KMAe/Nlr0mftMmCZk
This connection does not work.

Version-Release number of selected component (if applicable):
openssh-7.4p1-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Login to RHEL-7.4 box.
2. Try login to rhel7.4-1. Get this error:
rhel-7-4$ ssh rhel7-4-1
sign_and_send_pubkey: signing failed: agent refused operation
Enter passphrase for key '/home/net/allhoff/.ssh/id_rsa':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Actual results:
7.4 to 7.4 smart card login failed

Expected results:
7.4 to 7.4 smart card login should work properly

Additional info:
This is a problem with SSH extension negotiation in RHEL7.4 [1], namely the "server-sig-algs" extension [2]. Connecting two RHEL7.4 machines negotiates the SHA2 extension and attempts to use the rsa-sha2-512 signature algorithm (you should not use SHA1 in the close future anyway). But this algorithm is not supported by the software talking the ssh-agent protocol, so it fails.

The first thing that should resolve this without backing down to SHA-1 would be implementing support for this extension in your software talking the ssh-agent protocol (PuTTY Pageant or whatever forwards the socket on the Windows machine). It silently accepts unknown flags and produces a (wrong) SHA-1 signature regardless [3].

Unfortunately, at this moment I do not see any fallback mechanism or way to disable it from the OpenSSH point of view. Once this extension is negotiated, it starts using SHA512 regardless of any other configuration. I will try to see what the upstream opinion is about this and if there is something we can do.

[1] https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10
[2] https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10#section-3.1
[3] https://tools.ietf.org/html/draft-miller-ssh-agent-00#section-4.2
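An added example (not from this bug, OpenSSH or Pageant) of the agent-protocol exchange described in the comment above: a SIGN_REQUEST carrying the SHA-2 flags, an agent that ignores the flags and answers with an ssh-rsa (SHA-1) signature, an agent that rejects unknown flags, and the client-side check that the returned signature algorithm matches the one requested. Message and flag values are those from the cited ssh-agent draft; the RSA operation itself is replaced by a constructed hash stand-in, since only the algorithm label in the signature blob matters here.

```python
import hashlib
import struct

# Message types and SIGN_REQUEST flags from draft-miller-ssh-agent.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04
KNOWN_FLAGS = SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512

def put_string(b):            # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def requested_alg(flags):
    """Algorithm the client expects back for a given set of flags."""
    if flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    if flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    return "ssh-rsa"

def build_sign_request(key_blob, data, flags):
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(data) + struct.pack(">I", flags))

def parse_sign_request(msg):
    key_blob, off = get_string(msg, 1)      # byte 0 is the message type
    data, off = get_string(msg, off)
    (flags,) = struct.unpack_from(">I", msg, off)
    return key_blob, data, flags

def toy_sign(alg, data):
    # Constructed stand-in for RSA: signature blob = string alg + string sig.
    digest = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}[alg]
    return put_string(alg.encode()) + put_string(hashlib.new(digest, data).digest())

def legacy_agent(msg):
    """Agent that ignores the flags and always produces an ssh-rsa signature."""
    _, data, _ = parse_sign_request(msg)
    return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(toy_sign("ssh-rsa", data))

def conforming_agent(msg):
    """Agent that refuses unknown flags and honours the SHA-2 flags it knows."""
    _, data, flags = parse_sign_request(msg)
    if flags & ~KNOWN_FLAGS:
        return bytes([SSH_AGENT_FAILURE])   # what ssh reports as "agent refused operation"
    return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(toy_sign(requested_alg(flags), data))

def check_response(resp, flags):
    """Client side: (ok, alg); ok only if the agent signed with the requested algorithm."""
    if resp[0] != SSH_AGENT_SIGN_RESPONSE:
        return False, None
    sig, _ = get_string(resp, 1)
    alg, _ = get_string(sig, 0)
    return alg.decode() == requested_alg(flags), alg.decode()
```

A server that negotiated rsa-sha2-512 would reject the ssh-rsa blob the legacy agent returns, which is why the client-side mismatch check is worth having before the signature is ever sent.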
//Internal: Facing issue while installing packages.

[root@rhel7u4-5 ~]# hostname
rhel7u4-5.gsslab.pek2.redhat.com
[root@rhel7u4-5 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[root@rhel7u4-5 ~]# rpm -qa|grep -i ssh
openssh-clients-7.4p1-11.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-server-7.4p1-11.el7.x86_64
[root@rhel7u4-5 ~]#

[root@rhel7u4-5 ssh-bz1497680]# rpm -ivh openssh-* pam_ssh_agent_auth-0.10.3-1.13.el7.x86_64.rpm
error: Failed dependencies:
	libatk-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libcairo.so.2()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libfontconfig.so.1()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgdk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgtk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpango-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangocairo-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangoft2-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
Updating / installing...
   1:openssh-7.4p1-13.1.bz1497680.el7 ################################# [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
[root@rhel7u4-5 ssh-bz1497680]# adduser mockbuild
[root@rhel7u4-5 ssh-bz1497680]# id mockbuild
uid=1000(mockbuild) gid=1000(mockbuild) groups=1000(mockbuild)
[root@rhel7u4-5 ssh-bz1497680]# rpm -ivh openssh-* pam_ssh_agent_auth-0.10.3-1.13.el7.x86_64.rpm
error: Failed dependencies:
	libatk-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libcairo.so.2()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libfontconfig.so.1()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgdk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libgtk-x11-2.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpango-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangocairo-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
	libpangoft2-1.0.so.0()(64bit) is needed by openssh-askpass-7.4p1-13.1.bz1497680.el7.x86_64
Updating / installing...
   1:openssh-7.4p1-13.1.bz1497680.el7 ################################# [100%]
[root@rhel7u4-5 ssh-bz1497680]#
It is a client option, not the server one, as I wrote in comment #15:

> please put "AgentUseSHA2 no" into ssh_config and try if you will see any difference.
This is an issue in the client agent. The RHEL7 openssh uses features available in the RHEL7 openssh agent, and we cannot guarantee that any 3rd party agent will work with it.