Authentication failiure using ssh-agent

[pinpox]

I'm trying to connect to server using code from the examples, but the authentication fails without further information:

package main

import (
	"fmt"
	"log"

	"github.com/melbahja/goph"
)

func main() {

	auth, err := goph.UseAgent()

	if err != nil {
		log.Fatal(err)
	}

	client, err := goph.New("root", "kfbox.public", auth)

	if err != nil {
		log.Fatal(err)
	}

	// Defer closing the network connection.
	defer client.Close()

	// Execute your command.
	out, err := client.Run("ls /tmp/")

	if err != nil {
		log.Fatal(err)
	}

	// Get your output as []byte.
	fmt.Println(string(out))
}

$ go run main.go
2021/11/10 17:29:47 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1

$  ssh [email protected]
Last login: Wed Nov 10 17:23:22 2021 from 89.0.11.182
root@kfbox:~/ >

As you can see the agent authenticates without problems when using plain ssh. Is there any way to figure out why this is failing?

[melbahja]

can you try to check first with: goph.HasAgent() ?

[pinpox]

can you try to check first with: goph.HasAgent() ?

That returns true. I think I have found the problem though, the upstream package crypto/ssh seems to have a bug at the moment, the issue is this one: golang/go#37278

I have linked the example code I tried in the comment I lelft in that issue. @melbahja Do you know any way to work around this? I can't change the server configuration

[melbahja]

I'm unable to reproduce the bug?

I think you can use the IP instead of kfbox.public, because we do not support .ssh/config file in v1.

[pinpox]

The issue will only happen on new SSH servers with RSA SHA-2 host key.

OpenSSH has already deprecated ssh-rsa (i.e. SHA-1 based) signatures in host certificates in version 8.2 because of safety reasons.

What server version are you trying this with?

$ ssh -v localhost
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
...

[Dentrax]

Hit the exact same issue. Any ideas on this? @melbahja @pinpox

I'm using go1.19, goph v1.3.0 on Alpine 3.17.

$ ssh -v localhost
OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022

But works on my macOS 13:

$ ssh -v localhost
OpenSSH_9.0p1, LibreSSL 3.3.6

[Dentrax]

Updated underlying crypto package to latest version golang.org/x/crypto v0.6.0 but still no luck. @melbahja

[melbahja]

Hey,

I'm unable to reproduce the bug on my device. maybe this relevant to your issue:

appleboy/ssh-action#80 (comment)

[Dentrax]

Hey @melbahja,

Upgraded to v1.3.1 but still I got the following error with $SSH_AUTH_SOCK:

case goph.HasAgent():
		auth, err = goph.UseAgent()

Resulting an error:

attempted methods [none publickey], no supported methods remain

In go.mod, crypto package is golang.org/x/crypto v0.8.0. Tried v0.13.0 as well.

Any thoughts?

[melbahja]

Hey,

is the agent working with the ssh -v command ?

[Dentrax]

ssh -v

Yep, it's working as expected. I can able to ssh to any remote instance using 1password's SSH Agent.

[melbahja]

I tried on my end and it works, is there anyway for me to reproduce it ?

[Dentrax]

I tried on my end and it works, is there anyway for me to reproduce it ?

I really don't know what the problem is. ssh -vvv foo@bar simply works and I able to get into remote instance, whereas goph.UseAgent() does not. And also it's NOT nil.

I think something is wrong with this function:

ssh.PublicKeysCallback(agent.NewClient(sshAgent).Signers),

Error is throwing from here:

ssh.Dial(proto, net.JoinHostPort(c.Addr, fmt.Sprint(c.Port)), &ssh.ClientConfig{
		User:            c.User,
		Auth:            c.Auth,
		Timeout:         c.Timeout,
		HostKeyCallback: c.Callback,
		BannerCallback:  c.BannerCallback,
	})

My auth is: golang.org/x/crypto/ssh/agent.ExtendedAgent.Signers-fm, callback is golang.org/x/crypto/ssh.InsecureIgnoreHostKey.func1, all other values are correct.

• echo $SSH_AUTH_SOCK is set
• MacBook M1 Max

What other information should I provide here? What I'm missing? 🤔

[Dentrax]

Maybe could be: golang/go#54027 or golang/go#39885?

Both crypto and sys packages is up-to-date and v0.13.0. I have tried v0.0.0-20220314234659-1baeb1ce4c0b as well but no luck.

$ ssh-add -l
The agent has no identities.

$ cat ~/.ssh/config
Host *
    IdentityAgent "~/Library/Group Containers/REDACT.com.1password/t/agent.sock"

Minimal reproducible code snippet adopted from: https://cs.opensource.google/go/x/crypto/+/master:ssh/agent/example_test.go;drc=ac88ee75c92c889b97e05591e9a39b6480c538b3

// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

import (
	"log"
	"net"
	"os"

	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/agent"
)

func main() {
	// ssh-agent(1) provides a UNIX socket at $SSH_AUTH_SOCK.
	socket := os.Getenv("SSH_AUTH_SOCK")
	conn, err := net.Dial("unix", socket)
	if err != nil {
		log.Fatalf("Failed to open SSH_AUTH_SOCK: %v", err)
	}

	agentClient := agent.NewClient(conn)
	config := &ssh.ClientConfig{
		User: "USER",
		Auth: []ssh.AuthMethod{
			// Use a callback rather than PublicKeys so we only consult the
			// agent once the remote server wants it.
			ssh.PublicKeysCallback(agentClient.Signers),
		},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	sshc, err := ssh.Dial("tcp", "IP:22", config)
	if err != nil {
		log.Fatal(err)
	}
	// Use sshc...
	sshc.Close()
}

Resulting with error:

2023/09/19 18:01:26 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

---

EDIT:

I think this is not related with goph package.

Dropped a comment here: golang/go#54027 (comment)

[Dentrax]

OK. Finally found the issue after bunch of debugging, and filed an enhancement proposal. PTAL when possible: #57