Agent auth broken for rsa-sha2-* #470

Closed
Eugeny opened this issue Feb 20, 2025 · 8 comments

Owner

Eugeny commented Feb 20, 2025

From what I see in my own project, RSA seems to misbehave for me. It might just be me and it might be unrelated to the above message, but for me RSA keys don't work. Below is a way to reproduce the issue. Btw, ed25519 keys work.

SSH setup

Generate key and load it to be useable in the ssh agent:

ssh-keygen -t rsa -f russh-rsa
ssh-add russh-rsa

Note for later on - in the same way one generates an ed25519 key:

ssh-keygen -t ed25519 -f russh-ed25519
ssh-add russh-ed25519

Dockerfile for SSH server - this authorises the above russh-rsa key to connect to the server:

FROM ubuntu:latest
RUN apt-get update && \
    apt-get install -y openssh-server && \
    mkdir /var/run/sshd
RUN useradd -m -s /bin/bash holden && \
    mkdir -p /home/holden/.ssh
COPY russh-rsa.pub /home/holden/.ssh/authorized_keys
RUN chown -R holden:holden /home/holden/.ssh && \
    chmod 700 /home/holden/.ssh && \
    chmod 600 /home/holden/.ssh/authorized_keys
EXPOSE 2222
CMD ["/usr/sbin/sshd", "-D", "-p", "2222"]

Note for later: you can replace russh-rsa.pub with russh-ed25519.pub

Start the server with:

docker build -t russh-server . && docker run --rm -p 2222:2222 russh-server

Check that the setup was successful:

ssh holden@127.0.0.1 -p 2222

Code for minimal example


use russh::client::{AuthResult, Handler};
use russh::keys::{agent::client::AgentClient, Algorithm, PublicKey};
use std::sync::Arc;
use tokio;

struct ClientHandler;

impl Handler for ClientHandler {
    type Error = russh::Error;

    async fn check_server_key(&mut self, _server_public_key: &PublicKey) -> Result<bool, Self::Error> {
        Ok(true)
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let config = Arc::new(russh::client::Config::default());
    let addr = ("127.0.0.1", 2222);

    let mut session = russh::client::connect(config, addr, ClientHandler).await?;
    println!("Connected to {}:{}", addr.0, addr.1);

    let mut agent = AgentClient::connect_env().await?;
    let identities = agent.request_identities().await?;
    println!("Found {} identities in the SSH agent", identities.len());

    let hash_alg = session.best_supported_rsa_hash().await?.flatten();
    let username = "holden";
    let mut authenticated = false;

    for identity in identities {
        // TODO: this is likely bug?! ed25519 explodes if one sets let alg = hash_alg
        let alg = match identity.algorithm() {
            Algorithm::Dsa | Algorithm::Rsa { .. } => hash_alg,
            _ => None,
        };

        let auth_result = session
            .authenticate_publickey_with(username, identity, alg, &mut agent)
            .await?;
        if auth_result == AuthResult::Success {
            println!("Authenticated successfully with SSH agent.");
            authenticated = true;
            break;
        }
    }

    if !authenticated {
        eprintln!("Authentication failed using SSH agent.");
    }

    session
        .disconnect(russh::Disconnect::ByApplication, "bye", "en")
        .await?;
    Ok(())
}

Outcome

With the RSA key:

Connected to 127.0.0.1:2222
Found 3 identities in the SSH agent
Authentication failed using SSH agent.

If one sets up the ssh server with an ed25519 key (that is using the alternative approach from above) the same code succeeds:

Connected to 127.0.0.1:2222
Found 3 identities in the SSH agent
Authenticated successfully with SSH agent.

That's not expected, is it?

Originally posted by @ReSqAr in #468


ReSqAr commented Feb 20, 2025

Hey - thanks for the quick turn around! I just tried to test it with 0.50.3 but my example still doesn't work for me. Should I expect it to work?

Also: if you send any algo for ed25519 keys, it will just hang?

Owner Author

Eugeny commented Feb 20, 2025

Yes, it works for me, both RSA and Ed25519. Could you grab a RUST_LOG=debug level log?


ReSqAr commented Feb 20, 2025

Sure!

RSA key with Sha512 (= auto)

[2025-02-20T22:03:31Z DEBUG russh::client] beginning re-key
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 20, len 818
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 20, seqn 1, len 1108
[2025-02-20T22:03:31Z DEBUG russh::negotiation] strict kex enabled
[2025-02-20T22:03:31Z DEBUG russh::client::kex] negotiated algorithms: Names { kex: Name("curve25519-sha256"), key: Ed25519, cipher: Name("chacha20-poly1305@openssh.com"), client_mac: Name("hmac-sha2-512-etm@openssh.com"), server_mac: Name("hmac-sha2-512-etm@openssh.com"), server_compression: None, client_compression: None, ignore_guessed: false, strict_kex: true }
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 30, len 37
[2025-02-20T22:03:31Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for DH response" }
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 31, seqn 2, len 179
[2025-02-20T22:03:31Z DEBUG russh::client::kex] received server host key: Ok("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvjnkWZqB6CB192LLGSVXt2qxqE0uLIm80G59QywH2c")
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 21, len 1
[2025-02-20T22:03:31Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for NEWKEYS" }
[2025-02-20T22:03:31Z DEBUG russh::client] kex impl requests seqno reset
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 21, seqn 3, len 1
[2025-02-20T22:03:31Z DEBUG russh::client] kex impl has completed
[2025-02-20T22:03:31Z DEBUG russh::client] kex done
Connected to 127.0.0.1:2222
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 7, seqn 1, len 252
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] waiting service request, Some(7) 6
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] Received EXT_INFO, 3 extensions
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] * server-sig-algs
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Ed25519
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP256 }
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP384 }
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP521 }
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * SkEd25519
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * SkEcdsaSha2NistP256
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha512) }
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha256) }
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] * "publickey-hostbound@openssh.com" (unknown, data: [48])
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] * "ping@openssh.com" (unknown, data: [48])
[2025-02-20T22:03:31Z DEBUG russh::keys::agent::client] identities: [12, 0, 0, 0, 1, 0, 0, 1, 151, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 0, 3, 1, 0, 1, 0, 0, 1, 129, 0, 214, 15, 107, 225, 220, 127, 210, 155, 159, 193, 67, 170, 25, 147, 28, 214, 73, 165, 123, 220, 149, 142, 45, 205, 16, 195, 122, 22, 241, 140, 109, 19, 179, 28, 237, 139, 252, 166, 192, 207, 187, 180, 223, 105, 70, 124, 72, 7, 13, 141, 8, 91, 100, 237, 180, 221, 55, 139, 204, 214, 92, 156, 34, 23, 247, 223, 64, 114, 151, 118, 82, 165, 166, 131, 39, 15, 16, 0, 165, 46, 195, 221, 142, 191, 26, 83, 209, 97, 127, 160, 73, 209, 24, 95, 38, 0, 245, 247, 160, 113, 219, 250, 32, 212, 243, 48, 56, 242, 103, 189, 19, 93, 240, 114, 55, 34, 35, 37, 47, 41, 221, 6, 110, 188, 50, 167, 34, 61, 36, 208, 8, 184, 100, 228, 200, 32, 18, 225, 88, 245, 17, 197, 39, 75, 243, 245, 21, 85, 182, 101, 112, 192, 132, 45, 74, 219, 111, 146, 60, 227, 135, 100, 221, 25, 217, 70, 92, 55, 200, 77, 130, 197, 61, 37, 218, 137, 213, 142, 163, 141, 114, 42, 146, 57, 241, 153, 66, 21, 140, 153, 37, 249, 226, 197, 123, 204, 127, 231, 132, 90, 156, 216, 255, 138, 114, 23, 251, 81, 153, 164, 103, 10, 17, 158, 173, 170, 80, 234, 234, 203, 155, 229, 2, 68, 11, 85, 163, 175, 11, 118, 75, 227, 162, 115, 29, 120, 211, 61, 254, 96, 128, 85, 216, 214, 38, 19, 181, 142, 86, 242, 43, 203, 42, 109, 204, 243, 46, 243, 8, 237, 12, 194, 20, 36, 55, 227, 66, 230, 103, 36, 34, 83, 104, 135, 104, 119, 127, 39, 155, 105, 39, 31, 5, 128, 112, 254, 217, 41, 205, 94, 164, 71, 180, 2, 90, 207, 187, 141, 62, 194, 172, 208, 118, 144, 85, 209, 137, 183, 237, 156, 202, 101, 216, 83, 37, 106, 253, 1, 229, 191, 161, 13, 44, 83, 99, 20, 156, 52, 137, 87, 229, 214, 70, 38, 211, 197, 252, 237, 34, 2, 57, 111, 40, 9, 188, 4, 25, 202, 229, 10, 17, 20, 108, 19, 116, 121, 120, 207, 11, 201, 229, 93, 187, 122, 237, 121, 11, 126, 198, 222, 144, 28, 145, 67, 218, 163, 214, 9, 95, 2, 165, 188, 155, 115, 0, 0, 0, 45, 121, 97, 115, 105, 110, 122, 97, 101, 104, 114, 
105, 110, 103, 101, 114, 64, 77, 97, 99, 46, 99, 117, 115, 116, 46, 99, 111, 109, 109, 117, 110, 105, 116, 121, 102, 105, 98, 114, 101, 46, 99, 111, 46, 117, 107]
Found 1 identities in the SSH agent
Some(Sha512)
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] sending ssh-userauth service requset
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 5, len 17
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] write_auth_request_if_needed: is_waiting = false
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 6, seqn 2, len 17
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] waiting service request, Some(6) 6
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] enc: [0, 0, 1, 209, 50, 0, 0, 0, 6, 104, 111, 108, 100, 101, 110, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 9, 112, 117, 98, 108, 105, 99, 107, 101, 121, 0, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 1, 151, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 0, 3, 1, 0, 1, 0, 0, 1, 129, 0, 214, 15, 107, 225, 220, 127, 210, 155, 159, 193, 67, 170, 25, 147, 28, 214, 73, 165, 123, 220, 149, 142, 45, 205, 16, 195, 122, 22, 241, 140, 109, 19, 179, 28, 237, 139, 252, 166, 192, 207, 187, 180, 223, 105, 70, 124, 72, 7, 13, 141, 8, 91, 100, 237, 180, 221, 55, 139, 204, 214, 92, 156, 34, 23, 247, 223, 64, 114, 151, 118, 82, 165, 166, 131, 39, 15, 16, 0, 165, 46, 195, 221, 142, 191, 26, 83, 209, 97, 127, 160, 73, 209, 24, 95, 38, 0, 245, 247, 160, 113, 219, 250, 32, 212, 243, 48, 56, 242, 103, 189, 19, 93, 240, 114, 55, 34, 35, 37, 47, 41, 221, 6, 110, 188, 50, 167, 34, 61, 36, 208, 8, 184, 100, 228, 200, 32, 18, 225, 88, 245, 17, 197, 39, 75, 243, 245, 21, 85, 182, 101, 112, 192, 132, 45, 74, 219, 111, 146, 60, 227, 135, 100, 221, 25, 217, 70, 92, 55, 200, 77, 130, 197, 61, 37, 218, 137, 213, 142, 163, 141, 114, 42, 146, 57, 241, 153, 66, 21, 140, 153, 37, 249, 226, 197, 123, 204, 127, 231, 132, 90, 156, 216, 255, 138, 114, 23, 251, 81, 153, 164, 103, 10, 17, 158, 173, 170, 80, 234, 234, 203, 155, 229, 2, 68, 11, 85, 163, 175, 11, 118, 75, 227, 162, 115, 29, 120, 211, 61, 254, 96, 128, 85, 216, 214, 38, 19, 181, 142, 86, 242, 43, 203, 42, 109, 204, 243, 46, 243, 8, 237, 12, 194, 20, 36, 55, 227, 66, 230, 103, 36, 34, 83, 104, 135, 104, 119, 127, 39, 155, 105, 39, 31, 5, 128, 112, 254, 217, 41, 205, 94, 164, 71, 180, 2, 90, 207, 187, 141, 62, 194, 172, 208, 118, 144, 85, 209, 137, 183, 237, 156, 202, 101, 216, 83, 37, 106, 253, 1, 229, 191, 161, 13, 44, 83, 99, 20, 156, 52, 137, 87, 229, 214, 70, 38, 211, 197, 252, 237, 34, 2, 57, 111, 40, 9, 188, 4, 25, 202, 229, 10, 
17, 20, 108, 19, 116, 121, 120, 207, 11, 201, 229, 93, 187, 122, 237, 121, 11, 126, 198, 222, 144, 28, 145, 67, 218, 163, 214, 9, 95, 2, 165, 188, 155, 115]
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 50, len 465
[2025-02-20T22:03:31Z DEBUG russh::client] < msg type 51, seqn 3, len 24
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] userauth_failure
[2025-02-20T22:03:31Z DEBUG russh::client::encrypted] remaining methods MethodSet([PublicKey, Password])
Authentication FAILED using SSH agent.
[2025-02-20T22:03:31Z DEBUG russh::sshbuffer] > msg type 1, len 18
[2025-02-20T22:03:31Z DEBUG russh::client] drop handle
[2025-02-20T22:03:31Z DEBUG russh::client] disconnected Disconnect
[2025-02-20T22:03:31Z DEBUG russh::client] disconnected: Error(Disconnect)
[2025-02-20T22:03:31Z DEBUG russh::client] drop session

RSA key with Sha256 (manual override)

[2025-02-20T22:07:14Z DEBUG russh::client] beginning re-key
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 20, len 818
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 20, seqn 1, len 1108
[2025-02-20T22:07:14Z DEBUG russh::negotiation] strict kex enabled
[2025-02-20T22:07:14Z DEBUG russh::client::kex] negotiated algorithms: Names { kex: Name("curve25519-sha256"), key: Ed25519, cipher: Name("chacha20-poly1305@openssh.com"), client_mac: Name("hmac-sha2-512-etm@openssh.com"), server_mac: Name("hmac-sha2-512-etm@openssh.com"), server_compression: None, client_compression: None, ignore_guessed: false, strict_kex: true }
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 30, len 37
[2025-02-20T22:07:14Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for DH response" }
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 31, seqn 2, len 179
[2025-02-20T22:07:14Z DEBUG russh::client::kex] received server host key: Ok("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvjnkWZqB6CB192LLGSVXt2qxqE0uLIm80G59QywH2c")
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 21, len 1
[2025-02-20T22:07:14Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for NEWKEYS" }
[2025-02-20T22:07:14Z DEBUG russh::client] kex impl requests seqno reset
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 21, seqn 3, len 1
[2025-02-20T22:07:14Z DEBUG russh::client] kex impl has completed
[2025-02-20T22:07:14Z DEBUG russh::client] kex done
Connected to 127.0.0.1:2222
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 7, seqn 1, len 252
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] waiting service request, Some(7) 6
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] Received EXT_INFO, 3 extensions
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] * server-sig-algs
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Ed25519
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP256 }
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP384 }
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP521 }
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * SkEd25519
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * SkEcdsaSha2NistP256
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha512) }
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha256) }
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] * "publickey-hostbound@openssh.com" (unknown, data: [48])
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] * "ping@openssh.com" (unknown, data: [48])
[2025-02-20T22:07:14Z DEBUG russh::keys::agent::client] identities: [12, 0, 0, 0, 1, 0, 0, 1, 151, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 0, 3, 1, 0, 1, 0, 0, 1, 129, 0, 214, 15, 107, 225, 220, 127, 210, 155, 159, 193, 67, 170, 25, 147, 28, 214, 73, 165, 123, 220, 149, 142, 45, 205, 16, 195, 122, 22, 241, 140, 109, 19, 179, 28, 237, 139, 252, 166, 192, 207, 187, 180, 223, 105, 70, 124, 72, 7, 13, 141, 8, 91, 100, 237, 180, 221, 55, 139, 204, 214, 92, 156, 34, 23, 247, 223, 64, 114, 151, 118, 82, 165, 166, 131, 39, 15, 16, 0, 165, 46, 195, 221, 142, 191, 26, 83, 209, 97, 127, 160, 73, 209, 24, 95, 38, 0, 245, 247, 160, 113, 219, 250, 32, 212, 243, 48, 56, 242, 103, 189, 19, 93, 240, 114, 55, 34, 35, 37, 47, 41, 221, 6, 110, 188, 50, 167, 34, 61, 36, 208, 8, 184, 100, 228, 200, 32, 18, 225, 88, 245, 17, 197, 39, 75, 243, 245, 21, 85, 182, 101, 112, 192, 132, 45, 74, 219, 111, 146, 60, 227, 135, 100, 221, 25, 217, 70, 92, 55, 200, 77, 130, 197, 61, 37, 218, 137, 213, 142, 163, 141, 114, 42, 146, 57, 241, 153, 66, 21, 140, 153, 37, 249, 226, 197, 123, 204, 127, 231, 132, 90, 156, 216, 255, 138, 114, 23, 251, 81, 153, 164, 103, 10, 17, 158, 173, 170, 80, 234, 234, 203, 155, 229, 2, 68, 11, 85, 163, 175, 11, 118, 75, 227, 162, 115, 29, 120, 211, 61, 254, 96, 128, 85, 216, 214, 38, 19, 181, 142, 86, 242, 43, 203, 42, 109, 204, 243, 46, 243, 8, 237, 12, 194, 20, 36, 55, 227, 66, 230, 103, 36, 34, 83, 104, 135, 104, 119, 127, 39, 155, 105, 39, 31, 5, 128, 112, 254, 217, 41, 205, 94, 164, 71, 180, 2, 90, 207, 187, 141, 62, 194, 172, 208, 118, 144, 85, 209, 137, 183, 237, 156, 202, 101, 216, 83, 37, 106, 253, 1, 229, 191, 161, 13, 44, 83, 99, 20, 156, 52, 137, 87, 229, 214, 70, 38, 211, 197, 252, 237, 34, 2, 57, 111, 40, 9, 188, 4, 25, 202, 229, 10, 17, 20, 108, 19, 116, 121, 120, 207, 11, 201, 229, 93, 187, 122, 237, 121, 11, 126, 198, 222, 144, 28, 145, 67, 218, 163, 214, 9, 95, 2, 165, 188, 155, 115, 0, 0, 0, 45, 121, 97, 115, 105, 110, 122, 97, 101, 104, 114, 
105, 110, 103, 101, 114, 64, 77, 97, 99, 46, 99, 117, 115, 116, 46, 99, 111, 109, 109, 117, 110, 105, 116, 121, 102, 105, 98, 114, 101, 46, 99, 111, 46, 117, 107]
Found 1 identities in the SSH agent
Some(Sha256)
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] sending ssh-userauth service requset
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 5, len 17
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] write_auth_request_if_needed: is_waiting = false
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 6, seqn 2, len 17
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] waiting service request, Some(6) 6
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] enc: [0, 0, 1, 209, 50, 0, 0, 0, 6, 104, 111, 108, 100, 101, 110, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 9, 112, 117, 98, 108, 105, 99, 107, 101, 121, 0, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 1, 151, 0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97, 0, 0, 0, 3, 1, 0, 1, 0, 0, 1, 129, 0, 214, 15, 107, 225, 220, 127, 210, 155, 159, 193, 67, 170, 25, 147, 28, 214, 73, 165, 123, 220, 149, 142, 45, 205, 16, 195, 122, 22, 241, 140, 109, 19, 179, 28, 237, 139, 252, 166, 192, 207, 187, 180, 223, 105, 70, 124, 72, 7, 13, 141, 8, 91, 100, 237, 180, 221, 55, 139, 204, 214, 92, 156, 34, 23, 247, 223, 64, 114, 151, 118, 82, 165, 166, 131, 39, 15, 16, 0, 165, 46, 195, 221, 142, 191, 26, 83, 209, 97, 127, 160, 73, 209, 24, 95, 38, 0, 245, 247, 160, 113, 219, 250, 32, 212, 243, 48, 56, 242, 103, 189, 19, 93, 240, 114, 55, 34, 35, 37, 47, 41, 221, 6, 110, 188, 50, 167, 34, 61, 36, 208, 8, 184, 100, 228, 200, 32, 18, 225, 88, 245, 17, 197, 39, 75, 243, 245, 21, 85, 182, 101, 112, 192, 132, 45, 74, 219, 111, 146, 60, 227, 135, 100, 221, 25, 217, 70, 92, 55, 200, 77, 130, 197, 61, 37, 218, 137, 213, 142, 163, 141, 114, 42, 146, 57, 241, 153, 66, 21, 140, 153, 37, 249, 226, 197, 123, 204, 127, 231, 132, 90, 156, 216, 255, 138, 114, 23, 251, 81, 153, 164, 103, 10, 17, 158, 173, 170, 80, 234, 234, 203, 155, 229, 2, 68, 11, 85, 163, 175, 11, 118, 75, 227, 162, 115, 29, 120, 211, 61, 254, 96, 128, 85, 216, 214, 38, 19, 181, 142, 86, 242, 43, 203, 42, 109, 204, 243, 46, 243, 8, 237, 12, 194, 20, 36, 55, 227, 66, 230, 103, 36, 34, 83, 104, 135, 104, 119, 127, 39, 155, 105, 39, 31, 5, 128, 112, 254, 217, 41, 205, 94, 164, 71, 180, 2, 90, 207, 187, 141, 62, 194, 172, 208, 118, 144, 85, 209, 137, 183, 237, 156, 202, 101, 216, 83, 37, 106, 253, 1, 229, 191, 161, 13, 44, 83, 99, 20, 156, 52, 137, 87, 229, 214, 70, 38, 211, 197, 252, 237, 34, 2, 57, 111, 40, 9, 188, 4, 25, 202, 229, 10, 
17, 20, 108, 19, 116, 121, 120, 207, 11, 201, 229, 93, 187, 122, 237, 121, 11, 126, 198, 222, 144, 28, 145, 67, 218, 163, 214, 9, 95, 2, 165, 188, 155, 115]
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 50, len 465
[2025-02-20T22:07:14Z DEBUG russh::client] < msg type 51, seqn 3, len 24
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] userauth_failure
[2025-02-20T22:07:14Z DEBUG russh::client::encrypted] remaining methods MethodSet([PublicKey, Password])
Authentication FAILED using SSH agent.
[2025-02-20T22:07:14Z DEBUG russh::sshbuffer] > msg type 1, len 18
[2025-02-20T22:07:14Z DEBUG russh::client] drop handle
[2025-02-20T22:07:14Z DEBUG russh::client] disconnected Disconnect
[2025-02-20T22:07:14Z DEBUG russh::client] disconnected: Error(Disconnect)
[2025-02-20T22:07:14Z DEBUG russh::client] drop session

Ed25519 hangs with auto hash alg

[2025-02-20T22:08:50Z DEBUG russh::client] beginning re-key
[2025-02-20T22:08:50Z DEBUG russh::sshbuffer] > msg type 20, len 818
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 20, seqn 1, len 1108
[2025-02-20T22:08:50Z DEBUG russh::negotiation] strict kex enabled
[2025-02-20T22:08:50Z DEBUG russh::client::kex] negotiated algorithms: Names { kex: Name("curve25519-sha256"), key: Ed25519, cipher: Name("chacha20-poly1305@openssh.com"), client_mac: Name("hmac-sha2-512-etm@openssh.com"), server_mac: Name("hmac-sha2-512-etm@openssh.com"), server_compression: None, client_compression: None, ignore_guessed: false, strict_kex: true }
[2025-02-20T22:08:50Z DEBUG russh::sshbuffer] > msg type 30, len 37
[2025-02-20T22:08:50Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for DH response" }
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 31, seqn 2, len 179
[2025-02-20T22:08:50Z DEBUG russh::client::kex] received server host key: Ok("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvjnkWZqB6CB192LLGSVXt2qxqE0uLIm80G59QywH2c")
[2025-02-20T22:08:50Z DEBUG russh::sshbuffer] > msg type 21, len 1
[2025-02-20T22:08:50Z DEBUG russh::client] kex impl continues: ClientKex { cause: Initial, state: "waiting for NEWKEYS" }
[2025-02-20T22:08:50Z DEBUG russh::client] kex impl requests seqno reset
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 21, seqn 3, len 1
[2025-02-20T22:08:50Z DEBUG russh::client] kex impl has completed
[2025-02-20T22:08:50Z DEBUG russh::client] kex done
Connected to 127.0.0.1:2222
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 7, seqn 1, len 252
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] waiting service request, Some(7) 6
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] Received EXT_INFO, 3 extensions
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] * server-sig-algs
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Ed25519
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP256 }
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP384 }
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Ecdsa { curve: NistP521 }
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * SkEd25519
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * SkEcdsaSha2NistP256
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha512) }
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted]   * Rsa { hash: Some(Sha256) }
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] * "publickey-hostbound@openssh.com" (unknown, data: [48])
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] * "ping@openssh.com" (unknown, data: [48])
[2025-02-20T22:08:50Z DEBUG russh::keys::agent::client] identities: [12, 0, 0, 0, 1, 0, 0, 0, 51, 0, 0, 0, 11, 115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57, 0, 0, 0, 32, 228, 39, 254, 232, 12, 241, 150, 10, 17, 38, 210, 16, 89, 80, 37, 103, 125, 42, 66, 151, 12, 123, 110, 233, 108, 137, 117, 3, 226, 52, 162, 25, 0, 0, 0, 45, 121, 97, 115, 105, 110, 122, 97, 101, 104, 114, 105, 110, 103, 101, 114, 64, 77, 97, 99, 46, 99, 117, 115, 116, 46, 99, 111, 109, 109, 117, 110, 105, 116, 121, 102, 105, 98, 114, 101, 46, 99, 111, 46, 117, 107]
Found 1 identities in the SSH agent
Some(Sha512)
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] sending ssh-userauth service requset
[2025-02-20T22:08:50Z DEBUG russh::sshbuffer] > msg type 5, len 17
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] write_auth_request_if_needed: is_waiting = false
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 6, seqn 2, len 17
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] waiting service request, Some(6) 6
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] enc: [0, 0, 0, 113, 50, 0, 0, 0, 6, 104, 111, 108, 100, 101, 110, 0, 0, 0, 14, 115, 115, 104, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 0, 0, 0, 9, 112, 117, 98, 108, 105, 99, 107, 101, 121, 0, 0, 0, 0, 11, 115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57, 0, 0, 0, 51, 0, 0, 0, 11, 115, 115, 104, 45, 101, 100, 50, 53, 53, 49, 57, 0, 0, 0, 32, 228, 39, 254, 232, 12, 241, 150, 10, 17, 38, 210, 16, 89, 80, 37, 103, 125, 42, 66, 151, 12, 123, 110, 233, 108, 137, 117, 3, 226, 52, 162, 25]
[2025-02-20T22:08:50Z DEBUG russh::sshbuffer] > msg type 50, len 113
[2025-02-20T22:08:50Z DEBUG russh::client] < msg type 60, seqn 3, len 71
[2025-02-20T22:08:50Z DEBUG russh::client::encrypted] public key
[2025-02-20T22:08:50Z DEBUG russh::keys::agent::client] sign_request: <149>
[2025-02-20T22:08:50Z DEBUG russh::keys::agent::client] public = PublicKey { key_data: Ed25519(Ed25519PublicKey([228, 39, 254, 232, 12, 241, 150, 10, 17, 38, 210, 16, 89, 80, 37, 103, 125, 42, 66, 151, 12, 123, 110, 233, 108, 137, 117, 3, 226, 52, 162, 25])), comment: "<public key email>" }

Owner Author

Eugeny commented Feb 20, 2025

At least for the RSA keys, the server is rejecting the key before it's even used for signing (see: no msg type 60 reply) - looks like it's just not in authorized_keys for your user.

Eugeny added a commit that referenced this issue Feb 20, 2025
Owner Author

Eugeny commented Feb 20, 2025

The Ed25519 hang is now fixed - I just didn't test it correctly


ReSqAr commented Feb 20, 2025

Regarding RSA, I see this error on the server (Dockerfile: CMD ["/usr/sbin/sshd", "-d", "-e", "-p", "2222"]):

userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Which is a bit weird since ssh holden@127.0.0.1 -p 2222 works for me. For ssh I see this in the logs:

userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:U/xww/ntgyW+yyjC2GL0rgTZ2HpSjEiStXWT2LGWfYw [preauth]

When it comes to supported algorithms in ubuntu:latest I see:

> sshd -T | grep -i pubkeyacceptedalgorithms
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
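The `enc:` dumps in the debug logs above are SSH_MSG_USERAUTH_REQUEST payloads (RFC 4252, section 7), and the algorithm name they carry is what sshd compares against `PubkeyAcceptedAlgorithms`. As an added example (not code from russh or from either poster), the following decodes such a payload and performs that comparison; the sample message is constructed with a placeholder key blob, and all type and function names are hypothetical.

```rust
/// Fields of a "publickey" SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 7).
#[derive(Debug, PartialEq)]
pub struct PubkeyAuthRequest {
    pub user: String,
    pub service: String,
    pub has_signature: bool,   // FALSE for the initial probe, TRUE once signed
    pub sig_algorithm: String, // name sshd checks against PubkeyAcceptedAlgorithms
    pub key_type: String,      // name stored inside the public key blob
}

/// Read one SSH `string` (u32 big-endian length, then that many bytes), advancing `pos`.
fn read_string<'a>(buf: &'a [u8], pos: &mut usize) -> Result<&'a [u8], String> {
    let l = buf.get(*pos..*pos + 4).ok_or("truncated length")?;
    let len = u32::from_be_bytes([l[0], l[1], l[2], l[3]]) as usize;
    let start = *pos + 4;
    let end = start.checked_add(len).ok_or("length overflow")?;
    let data = buf.get(start..end).ok_or("truncated string")?;
    *pos = end;
    Ok(data)
}

fn text(bytes: &[u8]) -> Result<String, String> {
    String::from_utf8(bytes.to_vec()).map_err(|e| e.to_string())
}

/// Parse a payload laid out like the `enc:` dump: u32 payload length, then the message.
pub fn parse_pubkey_auth_request(enc: &[u8]) -> Result<PubkeyAuthRequest, String> {
    let mut outer = 0;
    let msg = read_string(enc, &mut outer)?;
    if msg.first() != Some(&50) {
        return Err("not SSH_MSG_USERAUTH_REQUEST (type 50)".into());
    }
    let mut pos = 1;
    let user = text(read_string(msg, &mut pos)?)?;
    let service = text(read_string(msg, &mut pos)?)?;
    if read_string(msg, &mut pos)? != &b"publickey"[..] {
        return Err("not a publickey request".into());
    }
    let has_signature = *msg.get(pos).ok_or("truncated boolean")? != 0;
    pos += 1;
    let sig_algorithm = text(read_string(msg, &mut pos)?)?;
    let blob = read_string(msg, &mut pos)?;
    let mut blob_pos = 0;
    let key_type = text(read_string(blob, &mut blob_pos)?)?;
    Ok(PubkeyAuthRequest { user, service, has_signature, sig_algorithm, key_type })
}

/// The server-side rule: the algorithm named in the request must be on the accepted list.
pub fn accepted_by_server(req: &PubkeyAuthRequest, accepted_algorithms: &str) -> bool {
    accepted_algorithms.split(',').any(|a| a.trim() == req.sig_algorithm)
}

/// Build a constructed probe request; the key blob is a short placeholder, not a real key.
pub fn sample_request(sig_algorithm: &str) -> Vec<u8> {
    fn put(out: &mut Vec<u8>, s: &[u8]) {
        out.extend_from_slice(&(s.len() as u32).to_be_bytes());
        out.extend_from_slice(s);
    }
    let mut blob = Vec::new();
    put(&mut blob, b"ssh-rsa");
    put(&mut blob, &[1, 0, 1]); // public exponent 65537
    put(&mut blob, &[0, 0xd6, 0x0f]); // placeholder modulus (constructed)
    let mut msg = vec![50u8];
    put(&mut msg, b"holden");
    put(&mut msg, b"ssh-connection");
    put(&mut msg, b"publickey");
    msg.push(0); // FALSE: probe without signature
    put(&mut msg, sig_algorithm.as_bytes());
    put(&mut msg, &blob);
    let mut enc = Vec::new();
    put(&mut enc, &msg);
    enc
}

fn main() {
    // Subset of the PubkeyAcceptedAlgorithms value quoted in the thread.
    let accepted = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256";
    for name in ["ssh-rsa", "rsa-sha2-512"].iter() {
        let req = parse_pubkey_auth_request(&sample_request(name)).unwrap();
        let ok = accepted_by_server(&req, accepted);
        println!("request names {} (key type {}): accepted = {}", req.sig_algorithm, req.key_type, ok);
    }
}
```

The key type inside the blob stays `ssh-rsa` for every RSA key; only the algorithm name field in the request changes between `ssh-rsa`, `rsa-sha2-256` and `rsa-sha2-512`.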

Eugeny reopened this Feb 21, 2025
Eugeny closed this as completed in bf235bc Feb 21, 2025
Owner Author

Eugeny commented Feb 21, 2025

Thanks - found and fixed another issue with it!


ReSqAr commented Feb 22, 2025

Cool - thanks! I can confirm RSA works for me now.
