go: x/crypto/ssh: can't establish ssh connection using signed key

What version of Go are you using (go version)?

$ go version
go version go1.18.4 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

ubuntu 18.04 amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/XXX/.cache/go-build"
GOENV="/home/XXX/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/var/tmp/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/var/tmp/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/XXX/bin/go1.18.4"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/XXX/bin/go1.18.4/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/XXX/work/go/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2094095442=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ go run 001-ssh-test.go 127.0.0.1:22
2022/07/24 08:44:16 Connecting to 127.0.0.1:22
2022/07/24 08:44:16 We've got a live session!
$ go run 001-ssh-test.go 10.19.197.10:22
2022/07/24 08:44:25 Connecting to 10.19.197.10:22
2022/07/24 08:44:28 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$ cat 001-ssh-test.go 
package main

import (
        "log"
        "net"
        "os"
        "os/user"

        "golang.org/x/crypto/ssh"
        "golang.org/x/crypto/ssh/agent"
)

func logFatal(err error) {
        if err != nil {
                log.Fatal(err)
        }
}

func main() {

        sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
        logFatal(err)

        u, err := user.Current()
        logFatal(err)

        cfg := &ssh.ClientConfig{
                User: u.Username,
                Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(agent.NewClient(sock).Signers)},
                HostKeyCallback: ssh.InsecureIgnoreHostKey(),
        }

        log.Printf("Connecting to %s\n", os.Args[1])
        client, err := ssh.Dial("tcp", os.Args[1], cfg)
        logFatal(err)

        _, err = client.NewSession()
        logFatal(err)

        log.Println("We've got a live session!")
}
$ cat go.mod 
module test
require golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
require golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
go 1.18
$

What did you expect to see?

Connection is established using signed key.

What did you see instead?

Connection is not established with an error message:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Additional information

I have 2 keys in the agent and I can connect ok via ssh command to 127.0.0.1 (accepts only unsigned keys) and 10.19.197.10 (accepts only signed keys):

$ ssh-add -l
4096 SHA256:m+Hthc93TjF0wcAoq8OyrKZjDl8LE5ddhQwzwnBA02c /home/XXX/.ssh/id_rsa (RSA)
4096 SHA256:m+Hthc93TjF0wcAoq8OyrKZjDl8LE5ddhQwzwnBA02c /home/XXX/.ssh/id_rsa (RSA-CERT)
$ ssh 127.0.0.1 "dpkg -l|grep openssh"
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
ii  openssh-client                        1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                        1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                   1:7.6p1-4ubuntu0.7                     amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
$ ssh 10.19.197.10 "dpkg -l|grep openssh"
ii  openssh-client                        1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                        1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                   1:7.6p1-4ubuntu0.6                  amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
$

Versions of the ssh components are in the output above.

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 5
  • Comments: 20 (4 by maintainers)

Most upvoted comments

@shuLhan please find output below. Please let me know if there is anything else I can do to help with debugging.

# shell session 1
$ ssh-agent -d -a /tmp/test-agent
SSH_AUTH_SOCK=/tmp/test-agent; export SSH_AUTH_SOCK;
echo Agent pid 5944;
debug2: fd 3 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 17
debug1: process_message: socket 1 (fd=4) type 17
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11

# shell session 2
$ SSH_AUTH_SOCK=/tmp/test-agent; export SSH_AUTH_SOCK;
$ ssh-add -L
The agent has no identities.
$ ssh-add
Enter passphrase for /home/XXX/.ssh/id_rsa:
Identity added: /home/XXX/.ssh/id_rsa (/home/XXX/.ssh/id_rsa)
Certificate added: /home/XXX/.ssh/id_rsa-cert.pub (midway)
$ ssh-add -L
ssh-rsa [...] /home/XXX/.ssh/id_rsa
ssh-rsa-cert-v01@openssh.com [...] /home/XXX/.ssh/id_rsa
$ go run 001-ssh-test.go 10.19.197.10:22
2022/10/20 08:32:37 Connecting to 10.19.197.10:22
2022/10/20 08:32:39 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
exit status 1
$
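
Added example, not part of the original issue or of x/crypto/ssh: `ssh-add -l` shows one fingerprint for both agent entries because OpenSSH fingerprints a certificate by the plain public key it wraps, so the fingerprint alone does not tell which identity is the certificate. The standard-library Go program below parses `ssh-add -L` lines, reports which entry is a certificate and recomputes that shared fingerprint. The names `Classify`, `pack` and `certSuffix` and the sample input are constructed for illustration, and only RSA identities are handled.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

const certSuffix = "-cert-v01@openssh.com"

// pack encodes each part as an SSH wire string (uint32 length, then bytes).
func pack(parts ...string) (out []byte) {
	for _, p := range parts {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(p))), p...)
	}
	return out
}

// Classify reads one `ssh-add -L` line and returns the algorithm named in the blob,
// whether it is a certificate, and the fingerprint of the plain RSA key inside it.
func Classify(line string) (algo string, isCert bool, fp string, err error) {
	f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
	b, err := base64.StdEncoding.DecodeString(f[1])
	k := 3 // plain key: type, e, n
	if isCert = strings.HasSuffix(f[0], certSuffix); isCert {
		k = 4 // certificate: type, nonce, e, n, then serial, principals, ...
	}
	var fs []string // leading wire strings; mpints use the same framing
	for err == nil && len(fs) < k && len(b) >= 4 {
		end := 4 + uint64(binary.BigEndian.Uint32(b))
		if end > uint64(len(b)) {
			break // length field runs past the blob
		}
		fs, b = append(fs, string(b[4:end])), b[end:]
	}
	if len(fs) < k || fs[0] != f[0] || strings.TrimSuffix(f[0], certSuffix) != "ssh-rsa" {
		return f[0], isCert, "", fmt.Errorf("not a parseable RSA identity: %q", f[0])
	}
	sum := sha256.Sum256(pack("ssh-rsa", fs[k-2], fs[k-1]))
	return fs[0], isCert, "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

func main() { // constructed input: toy e and n, not a real key; the certificate is cut after n
	e, n, enc := "\x01\x00\x01", "\x00\xc3\x5a\x11\x9f", base64.StdEncoding.EncodeToString
	fmt.Println(Classify("ssh-rsa " + enc(pack("ssh-rsa", e, n))))
	fmt.Println(Classify("ssh-rsa" + certSuffix + " " + enc(pack("ssh-rsa"+certSuffix, "nonce", e, n))))
}
```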