
openssh 8.8 break compatibility by default #130

Closed
ambroisie opened this issue Nov 9, 2021 · 5 comments · Fixed by #136

Comments

@ambroisie

I recently updated my server, and with it upgraded openssh from 8.7 to 8.8. One of the incompatible changes from that release is disabling RSA signatures using SHA-1 by default. There is currently an open bug at golang/go#37278 relating to this, and because drone-scp is making use of this library, it is also affected.

The error message from drone-scp in such cases is the following:

drone-scp error:  error copy file to dest: <destination censored>, error message: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

I do not think that there is anything to be done from drone-scp, apart from updating to the latest version once it is fixed upstream. I opened the issue so that others impacted by this change can find it more easily.
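As an added illustration of the incompatibility described in this report (this is not drone-scp or x/crypto code; the key size, the signed payload and the accepted-set contents are constructed assumptions), the same RSA key signs under the SHA-1 name `ssh-rsa` and the SHA-2 name `rsa-sha2-512`, and a server modelled on OpenSSH 8.8 defaults rejects the first purely on the algorithm name, before looking at the key or the signature bytes:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // registers the digests behind crypto.SHA1/SHA256/SHA512
	_ "crypto/sha256"
	_ "crypto/sha512"
	"fmt"
)

// Hash behind each RSA signature name (RFC 4253 §6.6, RFC 8332): same key, different hash.
var sigHash = map[string]crypto.Hash{"ssh-rsa": crypto.SHA1, "rsa-sha2-256": crypto.SHA256, "rsa-sha2-512": crypto.SHA512}

// What an OpenSSH 8.8 server accepts by default: the SHA-2 names stay, ssh-rsa is gone.
var OpenSSH88Defaults = map[string]crypto.Hash{"rsa-sha2-512": crypto.SHA512, "rsa-sha2-256": crypto.SHA256}

// SignSSH signs the userauth payload as the named algorithm requires; the client then
// sends string(alg) || string(sig). A client that only knows "ssh-rsa" emits the SHA-1 form.
func SignSSH(priv *rsa.PrivateKey, data []byte, alg string) ([]byte, error) {
	h, ok := sigHash[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported algorithm %q", alg)
	}
	d := h.New()
	d.Write(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, h, d.Sum(nil))
}

// VerifySSH models the server: the algorithm name must be in the accepted set
// (PubkeyAcceptedAlgorithms) before the signature bytes are even examined.
func VerifySSH(pub *rsa.PublicKey, data []byte, alg string, sig []byte, accepted map[string]crypto.Hash) error {
	h, ok := accepted[alg]
	if !ok {
		return fmt.Errorf("signature algorithm %q not accepted (the key itself is fine)", alg)
	}
	d := h.New()
	d.Write(data)
	return rsa.VerifyPKCS1v15(pub, h, d.Sum(nil), sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)                    // 2048 only to keep the demo fast
	data := []byte("constructed stand-in for the userauth payload") // constructed sample input
	for _, alg := range []string{"ssh-rsa", "rsa-sha2-512"} {
		sig, _ := SignSSH(priv, data, alg)
		fmt.Printf("%-12s against OpenSSH 8.8 defaults: %v\n", alg, VerifySSH(&priv.PublicKey, data, alg, sig, OpenSSH88Defaults))
	}
}
```

This is why re-keying does not help and why the upstream fix is for the client to sign with the SHA-2 names: the server gate is on the signature algorithm, not on the RSA key.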

@ambroisie
Author

@appleboy bump, since upstream has closed the issue with a fix.

@appleboy
Owner

@ambroisie Let me check.

@ambroisie
Author

FYI, I still have the exact same error message when I bumped my version of drone-scp, so that issue might have been a red herring.

appleboy added a commit to appleboy/scp-action that referenced this issue Jun 15, 2022
@appleboy
Owner

appleboy commented Jun 16, 2022

@ambroisie How do you generate your key? Maybe I can try it. And how do I reproduce the issue?

@ambroisie
Author

@appleboy it's a simple RSA key, 4096 bits: ssh-keygen -b 4096 with a passphrase.

Here are the ssh -v logs for an example of a connection:

Logs
OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022
debug1: Reading configuration data /home/XXX/.ssh/config
debug1: /home/XXX/.ssh/config line 26: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Control socket "/home/XXX/.ssh/master-<some_user>@<some_host>:22" does not exist
debug1: Connecting to <some_host> [<some_ip>] port 22.
debug1: Connection established.
debug1: identity file /home/XXX/.ssh/some_rsa_key type 0
debug1: identity file /home/XXX/.ssh/some_rsa_key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to <some_host>:22 as '<some_user>'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:cKojmrFclyXoBsKeOvuXb3M/ZVGR0FLOiedZUeHp8Bc
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '<some_host>' is known and matches the ED25519 host key.
debug1: Found key in /home/XXX/.ssh/known_hosts:9
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
debug1: Server accepts key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
Enter passphrase for key '/home/XXX/.ssh/some_rsa_key':
Authenticated to <some_host> ([<some_ip>]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /home/XXX/.ssh/known_hosts for <some_host> / (none)
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: Remote: /etc/ssh/authorized_keys.d/<some_user>:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /etc/ssh/authorized_keys.d/<some_user>:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Last login: Thu Jun 16 10:11:54 2022 from 176.150.113.6
[exited]
debug1: channel 0: free: client-session, nchannels 1
Connection to <some_host> closed.
Transferred: sent 5236, received 6232 bytes, in 2.3 seconds
Bytes per second: sent 2290.5, received 2726.2
debug1: Exit status 0

But with the following example script it does not work:

Script
#!/bin/sh

export SCP_SOURCE='<some_file>'
export SCP_RM=true
export SCP_HOST=<some_host>
export SCP_TARGET=test_directory
export SCP_USERNAME=<some_user>
# shellcheck disable=2155
export SCP_KEY="$(cat ~/.ssh/some_rsa_key)"
export SSH_PASSPHRASE="<passphrase>"
export SCP_PORT=22

drone-scp --debug

Still the same error message: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
