appleboy / drone-scp

Copy files and artifacts via SSH using a binary, docker or Drone CI.
MIT License

openssh 8.8 break compatibility by default #130

Closed ambroisie closed 2 years ago

ambroisie commented 2 years ago

I recently updated my server, and with it upgraded openssh from 8.7 to 8.8. One of the incompatible changes from that release is disabling RSA signatures using SHA-1 by default. There is currently an open bug at https://github.com/golang/go/issues/37278 relating to this, and because drone-scp is making use of this library, it is also affected.

The error message from drone-scp in such cases is the following:

```
drone-scp error:  error copy file to dest: <destination censored>, error message: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
```

I do not think that there is anything to be done from drone-scp, apart from updating to the latest version once it is fixed upstream. I opened the issue so that others impacted by this change can find it more easily.

ambroisie commented 2 years ago

@appleboy bump, since upstream has closed the issue with a fix.

appleboy commented 2 years ago

@ambroisie Let me check.

ambroisie commented 2 years ago

FYI, I still have the exact same error message after bumping my version of drone-scp, so that issue might have been a red herring.

appleboy commented 2 years ago

@ambroisie How do you generate your key? Maybe I can try it. How do I reproduce the issue?

ambroisie commented 2 years ago

@appleboy It's a simple RSA key, 4096 bits: `ssh-keygen -b 4096` with a passphrase.

Here are the ssh -v logs for an example of a connection:

Logs:

```
OpenSSH_9.0p1, OpenSSL 1.1.1o 3 May 2022
debug1: Reading configuration data /home/XXX/.ssh/config
debug1: /home/XXX/.ssh/config line 26: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Control socket "/home/XXX/.ssh/master-@:22" does not exist
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /home/XXX/.ssh/some_rsa_key type 0
debug1: identity file /home/XXX/.ssh/some_rsa_key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to :22 as ''
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:cKojmrFclyXoBsKeOvuXb3M/ZVGR0FLOiedZUeHp8Bc
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '' is known and matches the ED25519 host key.
debug1: Found key in /home/XXX/.ssh/known_hosts:9
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
debug1: Server accepts key: /home/XXX/.ssh/some_rsa_key RSA SHA256:n9lCUdxvsAbPTuZA3bOc8UDjXIMr8NXGU8MF8M6mMnU explicit
Enter passphrase for key '/home/XXX/.ssh/some_rsa_key':
Authenticated to ([]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/XXX/.ssh/known_hosts for / (none)
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: Remote: /etc/ssh/authorized_keys.d/:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /etc/ssh/authorized_keys.d/:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Last login: Thu Jun 16 10:11:54 2022 from 176.150.113.6
[exited]
debug1: channel 0: free: client-session, nchannels 1
Connection to closed.
Transferred: sent 5236, received 6232 bytes, in 2.3 seconds
Bytes per second: sent 2290.5, received 2726.2
debug1: Exit status 0
```

But with the following example script it does not work:

Script:

```bash
#!/bin/sh
export SCP_SOURCE=''
export SCP_RM=true
export SCP_HOST=
export SCP_TARGET=test_directory
export SCP_USERNAME=
# shellcheck disable=2155
export SCP_KEY="$(cat ~/.ssh/some_rsa_key)"
export SSH_PASSPHRASE=""
export SCP_PORT=22
drone-scp --debug
```

Still the same error message: `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain`
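As an added diagnostic (not part of this issue, of drone-scp, or of OpenSSH), the script below parses `ssh -vv` client output like the log above and reports whether the server still advertises `ssh-rsa` (SHA-1) in its `server-sig-algs` extension. When an RSA key is offered but the server lists only `rsa-sha2-256`/`rsa-sha2-512`, a client library that can only sign with `ssh-rsa` is refused and reports "no supported methods remain", which is the failure mode described in this thread. The sample log is constructed; the real `server-sig-algs` value was blanked in the report.

```python
import re

# Constructed sample of `ssh -vv` client output, modelled on the log in this
# issue; the real server-sig-algs value was blanked in the report, so this list
# is made up to look like an OpenSSH 8.8 default (no ssh-rsa, i.e. no SHA-1).
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: Will attempt key: /home/user/.ssh/some_rsa_key RSA SHA256:AAAA explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256>
debug1: Offering public key: /home/user/.ssh/some_rsa_key RSA SHA256:AAAA explicit
"""

VERSION_RE = re.compile(r"remote software version (\S+)")
SIG_ALGS_RE = re.compile(r"server-sig-algs=<([^>]*)>")
KEY_RE = re.compile(r"(?:Will attempt|Offering public) key: (\S+) (\S+) ")


def parse_ssh_log(text):
    """Extract the fields that decide RSA signature compatibility from ssh -v output."""
    info = {"server_version": None, "server_sig_algs": None, "key_types": set()}
    for line in text.splitlines():
        if m := VERSION_RE.search(line):
            info["server_version"] = m.group(1)
        elif m := SIG_ALGS_RE.search(line):
            # Signature algorithms the server accepts for publickey auth (RFC 8308).
            info["server_sig_algs"] = [a for a in m.group(1).split(",") if a]
        elif m := KEY_RE.search(line):
            info["key_types"].add(m.group(2))  # token after the key path, e.g. "RSA"
    return info


def diagnose(info):
    """Return one verdict:
    not-rsa        no RSA key offered, so the ssh-rsa (SHA-1) deprecation is irrelevant
    unknown        no server-sig-algs seen (server sent no SSH2_MSG_EXT_INFO)
    sha1-accepted  server still lists ssh-rsa, SHA-1 signatures are accepted
    sha2-required  server lists only rsa-sha2-*; a client that can only sign with
                   ssh-rsa fails with "no supported methods remain"
    rsa-rejected   server lists no RSA algorithm at all
    """
    algs = info["server_sig_algs"]
    if "RSA" not in info["key_types"]:
        return "not-rsa"
    if algs is None:
        return "unknown"
    if "ssh-rsa" in algs:
        return "sha1-accepted"
    if any(a in algs for a in ("rsa-sha2-256", "rsa-sha2-512")):
        return "sha2-required"
    return "rsa-rejected"
```

Run it against a saved `ssh -vv user@host 2>log.txt` capture; a `sha2-required` verdict means the server side is fine and the fix has to come from the SSH client library, as the thread concludes.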