The new Mac OS X Ventura also introduces a new version of the SSH tools. This version has more restrictive rules on which host key algorithms are deemed "secure enough" and consequently rejects older key algorithms, such as the one used in our Teleport keys. It is not possible for us to update those keys without breaking compatibility with older versions of the SSH tools (which don't support newer algorithms), so we need to strike a balance here. Supporting older algorithms in newer SSH versions is possible (via configuration options), but supporting newer algorithms in older SSH versions is not possible at all.
In order to ensure that you can connect to Teleport with a newer SSH version, you must add these lines to your config file:
Host jump.ecmwf.int
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User YOURUSERID

# For Atos HPCF
Host a?-* a??-* hpc-* hpc2020-* ecs-*
  HostKeyAlgorithms +ssh-rsa*,rsa-sha2-512
  PubkeyAcceptedKeyTypes +ssh-rsa*
  User YOURUSERID
  ProxyJump jump.ecmwf.int
If you are experiencing this problem, you may see output like this when using the debug ("-vvv") option of ssh:
% ssh -vvv hpc-login
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/snoopy/.ssh/config
debug1: /Users/snoopy/.ssh/config line 1: Applying options for *
....
....
....
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/snoopy/.tsh/keys/jump.ecmwf.int/name.surname@ecmwf.int-ssh/jump.ecmwf.int-cert.pub RSA-CERT SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/snoopy/.tsh/keys/jump.ecmwf.int/name.username@ecmwf.int RSA SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: teleport:name.surname@ecmwf.int RSA-CERT SHA256:GIL5eBX0bcVMbUIFTO+XZpOEYAniaUhp/OX5czdlSsQ agent
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
userid@jump.ecmwf.int: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
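To check whether a failing login matches the debug output above, this added example (not part of the original page or of ECMWF's tooling) scans saved `ssh -vvv` output for offered keys that the client refused with "no mutual signature algorithm". The function names, verdict strings and sample log are constructed for illustration.

```shell
# Added example: reads `ssh -vvv` output on stdin.

# Print "TYPE<TAB>KEY" for each offered key that the client then refused
# with "send_pubkey_test: no mutual signature algorithm".
rejected_offers() {
    awk '
    /^debug1: Offering public key: / {
        # Layout: debug1: Offering public key: <key id> <TYPE> SHA256:<fp> [flags]
        type = "?"; key = ""
        for (i = 6; i <= NF; i++) if ($i ~ /^SHA256:/) break
        if (i <= NF) {
            type = $(i - 1)
            for (j = 5; j < i - 1; j++) key = (key == "" ? $j : key " " $j)
        }
        pending = 1; next
    }
    pending && /^debug1: send_pubkey_test: no mutual signature algorithm/ {
        printf "%s\t%s\n", type, key
    }
    { pending = 0 }'
}

# Print one verdict for the whole log:
#   signature-algorithm-mismatch  every offered key was refused that way
#   partial                       some offers were refused, others were sent
#   not-this-problem              no offer was refused for that reason
classify_log() {
    log=$(cat)
    offered=$(printf '%s\n' "$log" | awk '/^debug1: Offering public key: /{n++} END{print n+0}')
    refused=$(printf '%s\n' "$log" | rejected_offers | awk 'END{print NR}')
    if [ "$refused" -eq 0 ]; then echo not-this-problem
    elif [ "$refused" -eq "$offered" ]; then echo signature-algorithm-mismatch
    else echo partial
    fi
}

# Constructed sample log (user, paths and fingerprints are placeholders).
sample_log() {
    cat <<'EOF'
debug1: Offering public key: /home/alice/.tsh/keys/example-cert.pub RSA-CERT SHA256:CONSTRUCTEDFINGERPRINT explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:CONSTRUCTEDFINGERPRINT agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
EOF
}

sample_log | classify_log
```

With the functions loaded in your shell, `ssh -vvv hpc-login 2>&1 | classify_log` gives the verdict for a real attempt, since ssh writes its debug lines to stderr.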
1 Comment
Edward Comyn-Platt
This problem has come back for me (I still have the .ssh/config set up as described above). Is anyone else having similar issues? Is it related to the Hid Token issues reported recently?