macOS Ventura ships a new version of the SSH tools. This version applies more restrictive rules on which host key algorithms are deemed "secure enough" and consequently rejects older key algorithms, such as the one used in our Teleport keys. We cannot update those keys without breaking compatibility with older versions of the SSH tools (which don't support newer algorithms), so we need to strike a balance here. Supporting older algorithms in a newer SSH is possible (via configuration options), but supporting newer algorithms in older SSH versions is not possible at all.

To make sure that you can connect to Teleport with a newer SSH version, add these lines to your SSH config file (~/.ssh/config):

Host jump.ecmwf.int
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User YOURUSERID

# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
    HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
    PubkeyAcceptedKeyTypes +ssh-rsa*
    User YOURUSERID
    ProxyJump jump.ecmwf.int


If you are experiencing this problem, you may see output like this when using the debug ("-vvv") option of ssh.

Debug output showing the problem
% ssh -vvv hpc-login
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/snoopy/.ssh/config
debug1: /Users/snoopy/.ssh/config line 1: Applying options for *
....
....
....
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/snoopy/.tsh/keys/jump.ecmwf.int/name.surname@ecmwf.int-ssh/jump.ecmwf.int-cert.pub RSA-CERT SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/snoopy/.tsh/keys/jump.ecmwf.int/name.username@ecmwf.int RSA SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: teleport:name.surname@ecmwf.int RSA-CERT SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ agent
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
userid@jump.ecmwf.int: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
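
A quick way to confirm this diagnosis and to check that the configuration took effect (added example, not part of the original page; the function names and sample lines are constructed for illustration). `rejected_keys` reads `ssh -vvv` output and lists the key types skipped with "no mutual signature algorithm"; `ssh_rsa_enabled` reads the effective configuration printed by `ssh -G` and checks that `ssh-rsa` is accepted for both host keys and public keys.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data below is constructed.

# Print the type of every offered key that ssh skipped with
# "no mutual signature algorithm". Reads `ssh -vvv` output on stdin.
rejected_keys() {
    awk '
        /Offering public key:/ {
            type = "?"   # key type is the field just before the fingerprint
            for (i = 2; i <= NF; i++) if ($i ~ /^SHA256:/) type = $(i - 1)
        }
        /send_pubkey_test: no mutual signature algorithm/ { print type }'
}

# Succeed only if ssh-rsa appears in both the host key and public key
# algorithm lists. Reads `ssh -G <host>` (effective config) on stdin.
ssh_rsa_enabled() {
    awk '
        function has(list,    n, a, i) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ssh-rsa") return 1
            return 0
        }
        $1 == "hostkeyalgorithms" { hk = has($2) }
        # Older OpenSSH releases print this option under its previous name.
        $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" { pk = has($2) }
        END { exit !(hk && pk) }'
}

SAMPLE_DEBUG='debug1: Offering public key: /Users/snoopy/.tsh/keys/example-cert.pub RSA-CERT SHA256:CONSTRUCTED explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/snoopy/.tsh/keys/example RSA SHA256:CONSTRUCTED explicit agent
debug1: send_pubkey_test: no mutual signature algorithm'

SAMPLE_G_DEFAULT='hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

SAMPLE_G_FIXED='hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa'

printf '%s\n' "$SAMPLE_DEBUG" | rejected_keys
for s in "$SAMPLE_G_DEFAULT" "$SAMPLE_G_FIXED"; do
    if printf '%s\n' "$s" | ssh_rsa_enabled; then echo "ssh-rsa enabled"; else echo "ssh-rsa NOT enabled"; fi
done
```

Against a real setup, run `ssh -G jump.ecmwf.int | ssh_rsa_enabled` and `ssh -vvv hpc-login 2>&1 | rejected_keys` (the debug output goes to stderr).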




1 Comment

  1. This problem has come back for me (I still have the .ssh/config set up as described above). Is anyone else having similar issues? Is it related to the Hid Token issues reported recently?