Keepass2Android uses SSH-RSA which is no longer allowed by default #1812

Closed
quickishfm opened this issue Oct 8, 2021 · 8 comments · Fixed by #2176
@quickishfm
quickishfm commented Oct 8, 2021

I try to use public key authentication to connect to my Linux server via SFTP but recently it has not worked. The SSH logs show this:

Oct 08 14:10:35 HOSTNAME sshd[48375]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: error: Received disconnect from 192.168.1.80 port 48222:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: Disconnected from authenticating user penguin 192.168.1.80 port 48222 [preauth]

I have no option to change the public key or which algorithm keepass2android gives to me. Can this be changed to a more secure algorithm or an ability to choose my own public key? This issue is also documented here https://bbs.archlinux.org/viewtopic.php?id=270005 which indicates sshd was changed recently to no longer allow ssh-rsa by default.

Workaround currently in place:
Setting SSHD to accept ssh-rsa. Adding the following lines of code to /etc/ssh/sshd and then restarting sshd works.

PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
sudo systemctl restart sshd   #Only on systemd systems, obviously
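An added example, not code from this thread, that turns the sshd lines quoted above into a detection check a server admin can run over the journal: it pairs each "key type ... not in PubkeyAcceptedAlgorithms" line with the disconnect line for the same sshd child PID (the one that names the user and source IP), then counts which clients are still presenting a SHA-1 ssh-rsa signature. The log sample is constructed to match the format in the report; the accepted Ed25519 login and the second failed attempt are made up for contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of sshd journal output, modelled on the lines quoted in the
# report above (same message formats; the Accepted line and the second attempt
# are made up for the example).
SAMPLE_LOG = """\
Oct 08 14:10:35 HOSTNAME sshd[48375]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: error: Received disconnect from 192.168.1.80 port 48222:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Oct 08 14:10:35 HOSTNAME sshd[48375]: Disconnected from authenticating user penguin 192.168.1.80 port 48222 [preauth]
Oct 08 14:12:01 HOSTNAME sshd[48390]: Accepted publickey for penguin from 192.168.1.50 port 50122 ssh2: ED25519 SHA256:constructed-fingerprint
Oct 08 14:15:09 HOSTNAME sshd[48402]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 08 14:15:09 HOSTNAME sshd[48402]: Disconnected from authenticating user penguin 192.168.1.80 port 48230 [preauth]
"""

# sshd logs the algorithm rejection without the user/IP; those appear on the
# later disconnect line, so the two are joined on the sshd child PID.
REJECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: userauth_pubkey: key type (?P<ktype>\S+) not in PubkeyAcceptedAlgorithms"
)
DISCONNECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Disconnected from authenticating user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class LegacyKeyRejection:
    pid: str
    user: str
    source_ip: str
    key_type: str


def find_legacy_key_rejections(log_text: str) -> list:
    """Return one record per connection sshd refused because the client offered
    a signature algorithm outside PubkeyAcceptedAlgorithms."""
    pending = {}  # pid -> rejected algorithm, until the matching disconnect line arrives
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pending[m["pid"]] = m["ktype"]
            continue
        m = DISCONNECT_RE.search(line)
        if m and m["pid"] in pending:
            findings.append(
                LegacyKeyRejection(m["pid"], m["user"], m["ip"], pending.pop(m["pid"]))
            )
    return findings


def summarize(findings) -> Counter:
    """Count rejections per (source IP, user, algorithm) so the clients that still
    need an upgrade (or a narrowly scoped exception) can be listed."""
    return Counter((f.source_ip, f.user, f.key_type) for f in findings)


if __name__ == "__main__":
    for (ip, user, ktype), n in summarize(find_legacy_key_rejections(SAMPLE_LOG)).items():
        print(f"{ip} as {user}: {n} rejection(s) of {ktype}")
```

Feeding `journalctl -u sshd` output into `find_legacy_key_rejections` gives an inventory of which clients the `+ssh-rsa` workaround is actually covering, which is useful before removing it again.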
@rwinkhart
I am having this same issue. May I suggest switching to ed25519? Much more secure and won't be phased out for quite some time.

@PhilippC
Owner

note to myself: ed25519 doesn't seem to be supported by JSch at the moment (https://sourceforge.net/p/jsch/feature-requests/7/), but some forks seem to support it (subhra74/snowflake#16)

@functionpointer
Same issue here. Another solution would be SHA2. This wouldn't even need new keys, just an updated SSH client with SHA2 support.
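To illustrate the point above that SHA-2 signing needs no new keys, here is an added example (not code from this thread, from Keepass2Android or from JSch) that decodes the OpenSSH public key wire format. The blob in an authorized_keys line only names the key type ("ssh-rsa", i.e. the RSA public key itself); which signature algorithm is used is negotiated per connection, and the same key can sign as rsa-sha2-256 or rsa-sha2-512 once the client supports them. The sample keys are constructed: the RSA modulus is a 2048-bit number with the right shape, not a real key, and the Ed25519 point is placeholder bytes.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def describe_public_key(line: str):
    """Parse one authorized_keys / id_*.pub line -> (key type, key size in bits, comment)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared_type, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2].strip() if len(fields) == 3 else ""
    wire_type, off = _read_string(blob, 0)
    wire_type = wire_type.decode("ascii")
    if wire_type != declared_type:
        raise ValueError(f"type prefix {declared_type!r} disagrees with blob {wire_type!r}")
    if wire_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)  # e; not needed for the size
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif wire_type == "ssh-ed25519":
        point, off = _read_string(blob, off)
        bits = len(point) * 8
    else:
        bits = None  # other key types (ecdsa-sha2-*, sk-*) are not decoded here
    return wire_type, bits, comment


def signature_algorithms_for(key_type: str) -> list:
    """Signature algorithms an OpenSSH client may offer for a key of this type.
    An 'ssh-rsa' key can sign as rsa-sha2-512 or rsa-sha2-256 (SHA-2) as well as
    the legacy 'ssh-rsa' (SHA-1); OpenSSH 8.8 and later accept only the SHA-2
    ones by default, which is the rejection seen in this issue."""
    return {
        "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
        "ssh-ed25519": ["ssh-ed25519"],
    }.get(key_type, [])


# Constructed sample keys: the RSA modulus is just a 2048-bit number with the
# right shape, NOT a real key; the Ed25519 point is 32 placeholder bytes.
_CONSTRUCTED_N = (1 << 2047) | 12345
SAMPLE_RSA_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(_CONSTRUCTED_N)
).decode() + " penguin@phone"
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode() + " penguin@laptop"

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_LINE, SAMPLE_ED25519_LINE):
        ktype, bits, comment = describe_public_key(sample)
        print(f"{comment}: {ktype} {bits}-bit, may sign with {signature_algorithms_for(ktype)}")
```

Running `describe_public_key` over the lines in a server's authorized_keys shows that the existing RSA entries stay valid; what has to change is the client library, which must offer rsa-sha2-256/512 during authentication instead of the SHA-1 ssh-rsa signature.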

@snIP3r23
I have the same issue, also applied the workaround. Is there any progress with this issue?

@rwinkhart
Is there an update for this? I want to remove the RSA workaround from my server, but I still have clients using Keepass2Android. Not here to rush, just wondering what the status of this is.

@PhilippC
Owner

looking at https://sourceforge.net/p/jsch/feature-requests/7/ I don't see an update in JSch

@ryantig
ryantig commented Apr 11, 2022

@PhilippC Thanks for the great app, sorry jsch has been a thorn; it looks like jsch is not being maintained, and the fork you listed above isn't maintained either.
This fork: https://github.com/mwiede/jsch is being actively maintained, rolling fixes, features, and releases... FAQ. Would you consider switching from the jcraft jsch to the Matthias Wiedemann fork? Looks like he's actively addressing entered issues, and provides more settings/options, without requiring that they are used.

For people with very dated ssh servers... Could have a checkbox for legacy ssh settings to cover old + current ssh servers? ( https://github.com/mwiede/jsch/wiki/Jsch-Configuration ) Though I'd be happy just with modern settings/interop... :)

@WinterSolstice8
Ubuntu 22.04 now ships with an sshd version that disallows ssh-rsa by default. The workaround in the first post works fine.

sratz added a commit to sratz/keepass2android that referenced this issue Jan 3, 2023
com.jcraft:jsch is not actively maintained anymore and lacks support
for modern public key algorithms such as rsa-sha2-256. It only
supports ssh-rsa which is disabled in up-to-date environments.

com.github.mwiede:jsch was created as a drop-in replacement which
works in modern environments [1].

Sources are taken from maven central [2]. The following files were
omitted, because they depend on additional 3rd-party libraries which
we do not have / do not need:

    com/jcraft/jsch/JUnixSocketFactory.java
    com/jcraft/jsch/Log4j2Logger.java
    com/jcraft/jsch/PageantConnector.java
    com/jcraft/jsch/Slf4jLogger.java
    com/jcraft/jsch/SSHAgentConnector.java
    com/jcraft/jsch/bc/*
    com/jcraft/jsch/jgss/GSSContextKrb5.java

Fixes PhilippC#1812.

[1] https://github.com/mwiede/jsch
[2] https://repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.5/jsch-0.2.5-sources.jar