0 votes
ago by (140 points)

We’ve encountered a problem when using Rebex to connect via SFTP to a RHEL 9 server configured with a restricted set of public key algorithms.
When the server’s sshd_config contains:

PubkeyAcceptedAlgorithms rsa-sha2-512

Rebex fails to authenticate using a valid private key. The error returned is:
A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect.

---> Rebex.Net.SshException: A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect.

However, when we modify the configuration to:

PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256

the connection succeeds without issue.
This behavior has been reproduced consistently across three separate environments. Below is the relevant stack trace:

    at Rebex.Net.SshSession.ahjfn(String p0, String p1, xaxuc`1 p2, SshGssApiCredentials p3, Boolean p4)
    at Rebex.Net.SshSession.icobj(String p0, String p1, xaxuc`1 p2)
    at Rebex.Net.Sftp.lsqxf.lbomd(String p0, String p1, xaxuc`1 p2, syrio p3)
    at Rebex.Net.Sftp.llstr(String p0, String p1, xaxuc`1 p2, syrio p3)
    at Rebex.Net.Sftp.Login(String userName, SshPrivateKey privateKey)

Could you please confirm whether Rebex fully supports rsa-sha2-512 as the sole algorithm in PubkeyAcceptedAlgorithms, or if additional configuration is required?

Applies to: Rebex SFTP
ago by (150k points)
It looks like Rebex SFTP might be selecting rsa-sha2-256 as a preferred algorithm. Which version of Rebex SFTP do you use?
Currently, the algorithm selection is not perfect due to backward compatibility constraints, although we plan to improve this for version 8. (Server announcement of PubkeyAcceptedAlgorithms is a recently-added SSH extension.)

In the meantime, do you have rsa-sha2-512 enabled as a host key algorithm?
If you do, it should be possible to force it for client authentication using this code (called before the Connect method):

    var sftp = new Sftp();

    // Restrict the public-key signature algorithm the client offers to rsa-sha2-512.
    // This must be set before Connect(), because the list is used during negotiation.
    Rebex.Security.Cryptography.CryptoHelper.SetOption(sftp.Settings.SshParameters, "ClientKeyAlgorithms", new string[] { "rsa-sha2-512" });

    sftp.Connect(...);

(Edit: Posted wrong code at first.)
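A complete version of the workaround described in the answer above, as an added example rather than code from the answer or from Rebex's own samples. It pins the client key algorithm before `Connect`, authenticates with the private key through the `Login(string, SshPrivateKey)` overload seen in the stack trace, and reports an `SshException` instead of swallowing it. The host name, port, user name, key path and key password are placeholder assumptions, and the `ClientKeyAlgorithms` option is used exactly as the answer shows it.

```csharp
using System;
using Rebex.Net;
using Rebex.Security.Cryptography;

// Added example (not Rebex's own sample code). It applies the workaround from the
// answer: restrict the client's public-key signature algorithm to rsa-sha2-512
// before Connect, so the client never offers rsa-sha2-256 to a server whose
// sshd_config limits PubkeyAcceptedAlgorithms to rsa-sha2-512.
class ForceRsaSha2Login
{
    // Placeholders (assumptions): replace with the real server and key details.
    const string Host = "sftp.example.internal";
    const int Port = 22;
    const string UserName = "deploy";
    const string KeyPath = "/path/to/id_rsa";
    const string KeyPassword = null; // set this if the key file is encrypted

    static int Main()
    {
        using (var sftp = new Sftp())
        {
            // Must be set before Connect(): the algorithm list is part of the
            // negotiation, so setting it afterwards has no effect.
            CryptoHelper.SetOption(
                sftp.Settings.SshParameters,
                "ClientKeyAlgorithms",
                new string[] { "rsa-sha2-512" });

            try
            {
                sftp.Connect(Host, Port);

                // Load the private key and authenticate with it; this is the
                // Login overload that appears in the question's stack trace.
                var key = new SshPrivateKey(KeyPath, KeyPassword);
                sftp.Login(UserName, key);

                Console.WriteLine("Authenticated using rsa-sha2-512.");
                sftp.Disconnect();
                return 0;
            }
            catch (SshException ex)
            {
                // The "public key ... was not accepted" message from the question
                // surfaces here when the server rejects the offered algorithm.
                Console.Error.WriteLine("SSH failure: " + ex.Message);
                return 1;
            }
        }
    }
}
```

When diagnosing a mismatch like the one in the question, compare the algorithm the client offers against the server's effective configuration (on the RHEL host, `sshd -T` prints the resolved `pubkeyacceptedalgorithms` value); a `SshException` at `Login` with both lists known makes it clear whether the client or the server side needs adjusting.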
