upterm: Upterm rejecting all ssh connections

I was trying to spin up my first upterm session; after running upterm host -- bash I am presented with the expected ssh session information, but when I attempt to connect to that session from another system, I get a “permission denied” error:

[lars@madhatter ~]$ ssh hGjlbiMJqi0M9Jjo4SSo:...@uptermd.upterm.dev
hGjlbiMJqi0M9Jjo4SSo:...@uptermd.upterm.dev: Permission denied (publickey).

I haven’t included any --authorized-key argument in my upterm host command so I expected any ssh client to be able to connect.

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 2
Comments: 16 (6 by maintainers)

Commits related to this issue

Pull in latest x/crypto/ssh This contains partial fixes to the ssh-rsa issue: * https://github.com/owenthereal/upterm.crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d * https://github.com/owen... — committed to owenthereal/upterm by owenthereal 2 years ago

Most upvoted comments

Okay, the root of the issue is that since openssh 8.8 (2021-09-26), the host algorithm type ssh-rsa was retired in favor of rsa-sha2-256 & rsa-sha2-512 (release note). This breaks a lot of ssh servers, including upterm. The Go issue that tracks the fixes of the Go ssh library is here. I will closely monitor it and pull in changes. Can you do a quick check of your openssh version with:

$ ssh -V

What happens is that you only have a rsa key in your ~/.ssh, and upterm is not ready to handle the openssh 8.8+ client that deprecates the ssh-rsa host algorithm type. However, openssh 8.8+ using other key types work with upterm, e.g. Ed25519. For now, you can workaround by adding the ssh-rsa type back:

ssh UPTERM_URL -o "PubkeyAcceptedKeyTypes +ssh-rsa" -o "HostKeyAlgorithms +ssh-rsa"

You can also put in your ~/.ssh/config with the following to save you from typing the -o flags for every Upterm ssh command:

Host uptermd.upterm.dev
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

I would strongly recommend you to upgrade all your ssh keys to Ed25519 because that’s the most secured ssh algorithm that is recommended to use over others: https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54.

I will leave this issue open until upterm with the fixed Go ssh library. Hope this helps

owenthereal on Feb 19, 2022

Well where I was going with that was that following the instructions to support RSA still doesn’t work and still produces an error whereas @larsks got it to work.

arch1mede on Mar 13, 2022

Hi, I have followed the above but getting the same thing since tmate no longer works:

more /root/.ssh/config
Host uptermd.upterm.dev
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

I still get the following:

upterm host        
Error: ssh://uptermd.upterm.dev:22: Permission denied (publickey).

upterm host -- bash
Error: ssh://uptermd.upterm.dev:22: Permission denied (publickey).

Any other suggestions?

arch1mede on Mar 12, 2022

I finally can reproduce it. It happens when I don’t have the key in the ssh-agent. I will see where the problem is, fix it and report back. It’s likely a recent change that broke it

owenthereal on Feb 18, 2022