Unable to connect to ubuntu 22.04 using ssh-rsa

[veochen-octopus]

Team

• I've assigned a team label to this issue

Severity

potentially blocking

Version

any

Latest Version

I could reproduce the problem in the latest build

What happened?

RSA keys working when manually connecting but not working inside Octopus, throwing userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth].

ssh-rsa is disabled in openssh 8.8+ which Ubuntu 22.04 ships with. Our SSH client seems to be affected by this. There's a workaround as well as a PR we could look at bringing in.

Reproduction

• Create a Ubuntu 22.04 instance
• Create an RSA key pair (or download directly from AWS)
• Add pub key to instance
• Do a manual ssh connection <- This works
• Add private key to Octopus
• Add instance as an SSH target and do a health check <- This fails

Error and Stacktrace

Sep  7 18:20:42 ip-172-31-8-76 sshd[196978]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Sep  7 18:20:42 ip-172-31-8-76 sshd[196978]: Connection closed by authenticating user ubuntu 52.250.93.133 port 3136 [preauth]

More Information

Customer ticket - https://octopus.zendesk.com/agent/tickets/95925
Internal discussion - https://octopusdeploy.slack.com/archives/CNHBHV2BX/p1662589109899939
SSH.NET Upstream discussion - sshnet/SSH.NET#956

Workaround

Possible workarounds (not always possible)

• use an older version of ubuntu
• use a different key type, e.g. ed25519

[okarpov]

How you can specify different key type using the username+password authentication method?

[octoreleasebot]

Release Note: Updated the library used for SSH. This provides improved compatibility with support for newer algorithms (unblocking support for OpenSSH Server 8.8+). SSH targets can now use SHA256 fingerprints for host verification. When adding new SSH targets, Octopus Server will use SHA256 fingerprinting by default.

[davisowb]

@rhysparry Any chance this fix is going to be released in 2024.1 too? we are seeing the same for our self hosted Octopus with Amazon linux 2023 but cannot upgrade to the released version because as far as I can see 2024.2 is not yet available for self hosted?

[rhysparry]

Hi @davisowb, there are no plans to backport this to 2024.1. The change involved migrating from an old fork of SSH.NET to the current released version. Given the significance of this change, we elected to minimise the risk to existing versions of Octopus by applying it to the next version. 2024.2 should be available for self-hosted customers in the next couple of months.

Octopus Tentacle is also an option.

[lucyjspence]

Hi @davisowb I'm a Product Manager at Octopus and I'm currently looking at SSH targets. Don't suppose you'd be up for a chat would you? If you are, I'd love to understand a bit more about how you use them and why you use SSH. Please book some time in here: https://calendly.com/lucyspence/15-minute-meeting-clone

[davisowb]

@rhysparry - Makes sense, I'd forgotten tentacle was an option. Thanks for the quick response!