Docker rootless SSH access error: "Permission denied (publickey)" due to OpenSSH 8.8 RSA SHA-1 deprecation

[raffitz]

Gitea Version

1.15.6 built with GNU Make 4.3, go1.16.9 : bindata, timetzdata, sqlite, sqlite_unlock_notify (docker gitea/gitea:1.15.6-rootless)

Git Version

No response

Operating System

No response

How are you running Gitea?

I am running gitea through the docker container gitea/gitea:1.15.6-rootless (image id b26ce93dd8b2)

Database

SQLite

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

Using an OpenSSH 8.8 client, using a Gitea server running the built-in ssh server, it leads to an error due to no mutual signature algorithms between ssh server and client.

debug1: Offering public key: *** RSA SHA256:***
debug1: send_pubkey_test: no mutual signature algorithm

OpenSSH 8.8 deprecated RSA signatures using SHA-1 hashes (release notes here).

The built-in ssh server was not prepared for this deprecation, as per upstream: golang/go#49952

Presumably, once the above upstream issue is fixed and Gitea updates the go ssh module version, the Gitea issue will be fixed as well.

Stopgap solution:

As per the OpenSSH 8.8 release notes, I configured my local OpenSSH 8.8 client (through the ssh_config file) with the following:

    Host gitea-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

This was sufficient to stop the "Permission denied (publickey)" messages from appearing and for my fetches, pushes and pulls to start working again.

Screenshots

No response

[wxiaoguang]

Related to this one:

• RSA public keys cannot authenticate against internal SSH if the client has a recent ssh version (which disables ssh-rsa algorithm) #17798

[zeripath]

This is a duplicate of #17798