SSH Key Certificates

MaxRaab
Community Member
edited May 2022 in SSH

Hello,

I'm using SSH keys in combination with certificates. The certificates are the result of a signing process by a CA certificate.
Normally the ssh-agent adds them automatically if they are named correctly.

An example:

key
key.pub
key-cert.pub

$ ssh-add key

Enter passphrase for /home/max/.ssh/key:
Identity added: /home/max/.ssh/key (Server access)
Certificate added: /home/max/.ssh/key-cert.pub (certificate_max)

How do I add my certificates to 1Password? (One can have more than one certificate per key)

Kind regards,
Max


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • K.J._1P
    edited February 2022

    Thanks for testing! This is not a use case that we have considered and we will need to give it some thought. In the meantime, it should be possible by specifying an IdentityFile in SSH config that specifies the public key. I believe this will still pick up the certificate, but I have not tested.

    https://developer.1password.com/docs/ssh/agent/advanced#match-key-with-host

    Are you able to try and let me know? Thanks!

  • timscha
    Community Member

    Same thing in our company. We use it company-wide.
    I would love to have full support for this; if not, I can use my ssh key as before, as I don't see any benefit.

  • What would 1Password's ideal role be in an SSH certificates workflow?

  • nielsk
    Community Member

    That it works. I don’t know what has to be done.
    I have my private key, my public key and my certificate in my .ssh folder.
    When I authenticate at a server, the server recognizes the certificate and it works.

    With 1P I don’t know what should be done. Maybe I would need to be able to import the certificate as well?

    RFC6187 should be the one to look at if I am not mistaken.
    https://datatracker.ietf.org/doc/html/rfc6187

  • nielsk
    Community Member
    edited February 2022

    And setting up a test environment is easy. You need like three lines in your sshd_config, a signing key and that’s it. Sign your first key and you can test.
    Here is a tutorial:
    https://smallstep.com/docs/tutorials/ssh-certificate-login/#configure-sshd-to-accept-user-certs

    For this forum post only the user-key part (not the host-key part) is required. And if AgileBits is using ssh, they should consider using it as well because it is the best way to handle ssh-keys at scale. You can set expiry dates on your keys, you can easily revoke them, and new team members can easily be given access without rolling out their public key everywhere. And if you have freelancers, you have a user for them on the needed servers with the right principal, sign their key with an expiry date at the end of the project, and they won't be able to log in anymore once the key has expired.

    Here is how Facebook (sorry Meta) is using it:
    https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

  • If you already have the certificate locally, have you tried running the SSH command with -o CertificateFile /path/to/cert?

  • nielsk
    Community Member

    I will try that later. Sorry, didn’t get any notification for this.

  • nielsk
    Community Member

    I just tried it and it doesn't work.

    That's what I see on the server when I try to identify with the 1P IdentityAgent and the CertificateFile option:

    destinationhost# /usr/sbin/sshd -d -p 2222
    debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2u-freebsd  20 Dec 2019
    debug1: private host key #0: ssh-rsa SHA256:bQOMBvPw32zqCG9wAKku447CKX0VV0L8m3+Fcnidsws
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:5PzxSW/mxjC2KfZ/Sim0nAyzGD7GcEi4MFi4AbGi0r0
    debug1: private host key #2: ssh-ed25519 SHA256:HDPsxjNsZuK7+53Re9n0foz4npqAW9CPJn+fa3xCNew
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-d'
    debug1: rexec_argv[2]='-p'
    debug1: rexec_argv[3]='2222'
    debug1: Bind to port 2222 on ::.
    debug1: Server TCP RWIN socket size: 4194304
    Server listening on :: port 2222.
    debug1: Bind to port 2222 on 0.0.0.0.
    debug1: Server TCP RWIN socket size: 4194304
    Server listening on 0.0.0.0 port 2222.
    debug1: fd 5 clearing O_NONBLOCK
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    debug1: res_init()
    Connection from xxx.xxx.xxx.xxx port 46136 on yyyy.yyyy.yyy.yyy port 2222
    debug1: Client protocol version 2.0; client software version OpenSSH_8.6
    debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
    debug1: Local version string SSH-2.0-OpenSSH_7.5 FreeBSD-20170903
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: permanently_set_uid: 22/22 [preauth]
    debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user user service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: PAM: initializing for "user"
    debug1: PAM: setting PAM_RHOST to "some.host.com"
    user user login class  [preauth]
    debug1: userauth-request for user user service ssh-connection method publickey [preauth]
    debug1: attempt 1 failures 0 [preauth]
    user user login class  [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    debug1: trying public key file /home/user/.ssh/authorized_keys
    debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory
    debug1: trying public key file /home/user/.ssh/authorized_keys2
    debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': No such file or directory
    Failed publickey for user from xxx.xxx.xxx.xxx port 46136 ssh2: RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU
    debug1: audit_event: unhandled event 6
    debug1: userauth-request for user user service ssh-connection method keyboard-interactive [preauth]
    debug1: attempt 2 failures 1 [preauth]
    user user login class  [preauth]
    debug1: keyboard-interactive devs  [preauth]
    debug1: auth2_challenge: user=user devs= [preauth]
    debug1: kbdint_alloc: devices 'pam' [preauth]
    debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
    Postponed keyboard-interactive for user from xxx.xxx.xxx.xxx port 46136 ssh2 [preauth]
    Connection closed by authenticating user user xxx.xxx.xxx.xxx port 46136 [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: Killing privsep child 825
    debug1: audit_event: unhandled event 12
    
  • nielsk
    Community Member

    It does not work with "CertificateFile"

    This is what I see on the server when using 1Password's Identity Agent and the CertificateFile option: https://pastebin.com/Lpx3R6kj
    This is what I see on the server without using 1Password's Identity Agent: https://pastebin.com/LzLik7qM

  • nielsk
    Community Member

    And I tested the CertificateFile option by copying my key to a bogus name, removing all identities from the ssh-agent, setting the IdentityFile option to the bogus name, copying the cert file to another bogus name and setting the CertificateFile option.

    So the option etc. works, but it doesn't work together with the IdentityAgent.
    Btw. when I do an ssh-add of the key, the certificate file with the -cert.pub name gets automatically added to the agent as well.

  • Could you also share your (client-side) ssh -v output?

  • @nielsk Thanks. I looked into this further and it's a different signing algorithm. E.g., ssh-rsa-cert-v01@openssh.com. This is something we would need to add support for.

    We have noted your request in our internal tracker. Thanks for the feedback!
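As an added example (not code from this thread, from 1Password or from OpenSSH), the Python below decodes the fields inside an ssh-rsa-cert-v01@openssh.com certificate such as the key-cert.pub file from the opening post and applies the acceptance checks that the sshd logs later in this thread show (signing CA, principals, validity window, which is what the expiry and revocation points in nielsk's post rely on). The certificate it parses is constructed inside the block with made-up key material and a placeholder signature; signature verification against TrustedUserCAKeys is sshd's job and is not done here.

```python
import base64
import hashlib
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # certificate type field: 1 = user, 2 = host

def enc_string(b: bytes) -> bytes:   # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def enc_mpint(n: int) -> bytes:
    # big-endian magnitude, with a leading zero byte when the top bit is set
    return enc_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, fmt: str) -> int:          # ">I" = uint32, ">Q" = uint64
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.take(">I")
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated certificate blob")
        self.pos += n
        return s

def strings(buf: bytes):
    # a string that packs zero or more strings (principals, options, extensions)
    r = Reader(buf)
    while r.pos < len(r.data):
        yield r.string()

def unpack_pairs(buf: bytes) -> dict:
    # (name, data)*; data, when present, wraps one more string (the option value)
    it = strings(buf)
    return {n.decode(): (Reader(d).string().decode() if d else "") for n, d in zip(it, it)}

def fingerprint(key_blob: bytes) -> str:
    # same form sshd logs: "signed by RSA CA SHA256:<unpadded base64>"
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def parse_cert(line: str) -> dict:
    """Decode one line of a -cert.pub file into its certificate fields."""
    key_type, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if key_type.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string()                                   # nonce
    r.string(); r.string()                       # the user's RSA e and n
    cert = {"serial": r.take(">Q"), "type": r.take(">I"),
            "key_id": r.string().decode(),
            "principals": [p.decode() for p in strings(r.string())],
            "valid_after": r.take(">Q"), "valid_before": r.take(">Q"),
            "critical_options": unpack_pairs(r.string()),
            "extensions": unpack_pairs(r.string())}
    r.string()                                   # reserved
    cert["ca_fingerprint"] = fingerprint(r.string())   # signature key = the CA
    cert["signature"] = r.string()               # checked by sshd, not here
    if r.pos != len(r.data):
        raise ValueError("trailing data after certificate")
    return cert

def check_cert(cert: dict, login_user: str, trusted_cas: set, now: int) -> list:
    """The acceptance checks sshd applies; an empty list means usable."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if cert["ca_fingerprint"] not in trusted_cas:
        problems.append("signing CA is not in TrustedUserCAKeys")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if cert["principals"] and login_user not in cert["principals"]:
        problems.append(f"principal '{login_user}' not in certificate principals")
    return problems

def build_sample_cert() -> str:
    """Constructed sample (made-up key material, placeholder signature), not from the thread."""
    fake_mod = lambda tag: int.from_bytes(b"constructed-" + tag, "big") | 1
    ca_blob = enc_string(b"ssh-rsa") + enc_mpint(65537) + enc_mpint(fake_mod(b"ca"))
    t0 = 1_700_000_000
    body = (enc_string(CERT_TYPE) + enc_string(b"constructed-nonce")
            + enc_mpint(65537) + enc_mpint(fake_mod(b"user"))
            + struct.pack(">QI", 42, USER_CERT) + enc_string(b"certificate_max")
            + enc_string(enc_string(b"max") + enc_string(b"deploy"))
            + struct.pack(">QQ", t0, t0 + 7 * 86400)          # one-week validity
            + enc_string(enc_string(b"force-command")
                         + enc_string(enc_string(b"/usr/bin/deploy")))
            + enc_string(enc_string(b"permit-pty") + enc_string(b""))
            + enc_string(b"")                                 # reserved
            + enc_string(ca_blob) + enc_string(b"not-a-real-signature"))
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} certificate_max"
```

Running parse_cert on a real key-cert.pub line shows the same key ID, serial and CA fingerprint that sshd prints in its "Accepted certificate ID ... signed by RSA CA SHA256:..." line.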

  • nielsk
    Community Member

    OK, I suddenly got it working. With FreeBSD 13 systems it works; with older FreeBSD versions it does not work, and it also does not work with CentOS 7 systems, but Debian 11 works.

    My output from ssh -v:
    ❯ ssh -v desthost
    OpenSSH_8.6p1, LibreSSL 3.3.5
    debug1: Reading configuration data /Users/nik/.ssh/config
    debug1: /Users/nik/.ssh/config line 204: Applying options for desthost
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
    debug1: /etc/ssh/ssh_config line 54: Applying options for *
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/Users/nik/.ssh/connections/mux_00e2d55221ac236fbe3807269258a4722b2647a7" does not exist
    debug1: Connecting to my.destination.com port 22.
    debug1: Connection established.
    debug1: identity file /Users/nik/.ssh/id_rsa type -1
    debug1: identity file /Users/nik/.ssh/id_dsa type -1
    debug1: identity file /Users/nik/.ssh/id_ecdsa type -1
    debug1: identity file /Users/nik/.ssh/id_ecdsa_sk type -1
    debug1: identity file /Users/nik/.ssh/id_ed25519 type -1
    debug1: identity file /Users/nik/.ssh/id_ed25519_sk type -1
    debug1: identity file /Users/nik/.ssh/id_xmss type -1
    debug1: certificate file /Users/nik/.ssh/id_rsa_sam-cert.pub type 4
    debug1: Local version string SSH-2.0-OpenSSH_8.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5 FreeBSD-20170903
    debug1: compat_banner: match: OpenSSH_7.5 FreeBSD-20170903 pat OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7 compat 0x04000002
    debug1: Authenticating to my.destination.com:22 as 'user'
    debug1: load_hostkeys: fopen /Users/nik/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:OHY8LPz3qv2cSwyMVIp/J32p38pin0cEbiMtAZXexhk
    debug1: load_hostkeys: fopen /Users/nik/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host 'my.destination.com' is known and matches the ECDSA host key.
    debug1: Found key in /Users/nik/.ssh/known_hosts:18
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Will attempt key: /Users/nik/.ssh/id_rsa
    debug1: Will attempt key: /Users/nik/.ssh/id_dsa
    debug1: Will attempt key: /Users/nik/.ssh/id_ecdsa
    debug1: Will attempt key: /Users/nik/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /Users/nik/.ssh/id_ed25519
    debug1: Will attempt key: /Users/nik/.ssh/id_ed25519_sk
    debug1: Will attempt key: /Users/nik/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    debug1: Server accepts key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    sign_and_send_pubkey: signing failed for RSA "id_rsa_sam": agent refused operation
    debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Trying private key: /Users/nik/.ssh/id_rsa
    debug1: Trying private key: /Users/nik/.ssh/id_dsa
    debug1: Trying private key: /Users/nik/.ssh/id_ecdsa
    debug1: Trying private key: /Users/nik/.ssh/id_ecdsa_sk
    debug1: Trying private key: /Users/nik/.ssh/id_ed25519
    debug1: Trying private key: /Users/nik/.ssh/id_ed25519_sk
    debug1: Trying private key: /Users/nik/.ssh/id_xmss
    debug1: Next authentication method: keyboard-interactive

  • nielsk
    Community Member

    Now a CentOS7-system: sshd -d
    debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2k-fips 26 Jan 2017
    debug1: private host key #0: ssh-rsa SHA256:E2Z+0Q54ppdUjWDbepZ7BoHDdoyZ2jt1JVWXlGSXE4o
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:f1EeoqcSK2I55McM/nHddnSnkYzJjMwZ29mEsoxflb8
    debug1: private host key #2: ssh-ed25519 SHA256:aeiz4bhAS1fsewpgQ5rdgIvHa7Hs8vW/CiUU+unbKWM
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-p'
    debug1: rexec_argv[2]='2222'
    debug1: rexec_argv[3]='-d'
    debug1: Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 2222 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2222.
    debug1: Bind to port 2222 on ::.
    Server listening on :: port 2222.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from xxx.xxx.xxx.xxx port 9131 on 84.23.253.134 port 2222
    debug1: Client protocol version 2.0; client software version OpenSSH_8.6
    debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: SELinux support disabled [preauth]
    debug1: permanently_set_uid: 74/74 [preauth]
    debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256 [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
    debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
    debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user myuser service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: user myuser matched 'User myuser' at line 27
    debug1: PAM: initializing for "myuser"
    debug1: PAM: setting PAM_RHOST to "some.host.com"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
    debug1: attempt 1 failures 0 [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    debug1: temporarily_use_uid: 1006/1006 (e=0/0)
    debug1: trying authorized principals file /etc/ssh/principals/myuser
    debug1: fd 4 clearing O_NONBLOCK
    debug1: restore_uid: 0/0
    Accepted certificate ID "user_Niels_Kobschaetzki" (serial 0) signed by RSA CA SHA256:dbPkt/BpG+pUiXeMeO387oREZt1WLHrOePiArCNautE via /etc/ssh/user-ca-keys.pub
    Postponed publickey for myuser from xxx.xxx.xxx.xxx port 9131 ssh2 [preauth]
    debug1: userauth-request for user myuser service ssh-connection method publickey [preauth]
    debug1: attempt 2 failures 0 [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    Failed publickey for myuser from xxx.xxx.xxx.xxx port 9131 ssh2: RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU
    Connection closed by xxx.xxx.xxx.xxx port 9131 [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: Killing privsep child 11978

  • nielsk
    Community Member

    and the ssh -v:
    OpenSSH_8.6p1, LibreSSL 3.3.5
    debug1: Reading configuration data /Users/nik/.ssh/config
    debug1: /Users/nik/.ssh/config line 666: Applying options for lbp-beta
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
    debug1: /etc/ssh/ssh_config line 54: Applying options for *
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/Users/nik/.ssh/connections/mux_f13923b06c905842fb0135c98f243b441ae95199" does not exist
    debug1: Connecting to lbp-beta.snafu.de port 2222.
    debug1: Connection established.
    debug1: identity file /Users/nik/.ssh/id_rsa type -1
    debug1: identity file /Users/nik/.ssh/id_dsa type -1
    debug1: identity file /Users/nik/.ssh/id_ecdsa type -1
    debug1: identity file /Users/nik/.ssh/id_ecdsa_sk type -1
    debug1: identity file /Users/nik/.ssh/id_ed25519 type -1
    debug1: identity file /Users/nik/.ssh/id_ed25519_sk type -1
    debug1: identity file /Users/nik/.ssh/id_xmss type -1
    debug1: certificate file /Users/nik/.ssh/id_rsa_sam-cert.pub type 4
    debug1: Local version string SSH-2.0-OpenSSH_8.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7 compat 0x04000002
    debug1: Authenticating to lbp-beta.snafu.de:2222 as 'snafu'
    debug1: load_hostkeys: fopen /Users/nik/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:aeiz4bhAS1fsewpgQ5rdgIvHa7Hs8vW/CiUU+unbKWM
    debug1: load_hostkeys: fopen /Users/nik/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '[lbp-beta.snafu.de]:2222' is known and matches the ED25519 host key.
    debug1: Found key in /Users/nik/.ssh/known_hosts:1752
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Will attempt key: /Users/nik/.ssh/id_rsa
    debug1: Will attempt key: /Users/nik/.ssh/id_dsa
    debug1: Will attempt key: /Users/nik/.ssh/id_ecdsa
    debug1: Will attempt key: /Users/nik/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /Users/nik/.ssh/id_ed25519
    debug1: Will attempt key: /Users/nik/.ssh/id_ed25519_sk
    debug1: Will attempt key: /Users/nik/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    debug1: Server accepts key: /Users/nik/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU explicit
    sign_and_send_pubkey: signing failed for RSA "id_rsa_sam": agent refused operation
    debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug1: Trying private key: /Users/nik/.ssh/id_rsa
    debug1: Trying private key: /Users/nik/.ssh/id_dsa
    debug1: Trying private key: /Users/nik/.ssh/id_ecdsa
    debug1: Trying private key: /Users/nik/.ssh/id_ecdsa_sk
    debug1: Trying private key: /Users/nik/.ssh/id_ed25519
    debug1: Trying private key: /Users/nik/.ssh/id_ed25519_sk
    debug1: Trying private key: /Users/nik/.ssh/id_xmss
    debug1: No more authentication methods to try.
    snafu@lbp-beta.snafu.de: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

  • nielsk
    Community Member

    sshd -d from a CentOS7-system:
    debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2k-fips 26 Jan 2017
    debug1: private host key #0: ssh-rsa SHA256:E2Z+0Q54ppdUjWDbepZ7BoHDdoyZ2jt1JVWXlGSXE4o
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:f1EeoqcSK2I55McM/nHddnSnkYzJjMwZ29mEsoxflb8
    debug1: private host key #2: ssh-ed25519 SHA256:aeiz4bhAS1fsewpgQ5rdgIvHa7Hs8vW/CiUU+unbKWM
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-p'
    debug1: rexec_argv[2]='2222'
    debug1: rexec_argv[3]='-d'
    debug1: Set /proc/self/oom_score_adj from 0 to -1000
    debug1: Bind to port 2222 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2222.
    debug1: Bind to port 2222 on ::.
    Server listening on :: port 2222.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from xxx.xxx.xxx.xxx port 9131 on 84.23.253.134 port 2222
    debug1: Client protocol version 2.0; client software version OpenSSH_8.6
    debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: SELinux support disabled [preauth]
    debug1: permanently_set_uid: 74/74 [preauth]
    debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256 [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
    debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
    debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user snafu service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: user snafu matched 'User snafu' at line 27
    debug1: PAM: initializing for "snafu"
    debug1: PAM: setting PAM_RHOST to "access.snafu.de"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug1: userauth-request for user snafu service ssh-connection method publickey [preauth]
    debug1: attempt 1 failures 0 [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    debug1: temporarily_use_uid: 1006/1006 (e=0/0)
    debug1: trying authorized principals file /etc/ssh/principals/snafu
    debug1: fd 4 clearing O_NONBLOCK
    debug1: restore_uid: 0/0
    Accepted certificate ID "user_First_Last" (serial 0) signed by RSA CA SHA256:dbPkt/BpG+pUiXeMeO387oREZt1WLHrOePiArCNautE via /etc/ssh/user-ca-keys.pub
    Postponed publickey for snafu from xxx.xxx.xxx.xxx port 9131 ssh2 [preauth]
    debug1: userauth-request for user snafu service ssh-connection method publickey [preauth]
    debug1: attempt 2 failures 0 [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    Failed publickey for snafu from xxx.xxx.xxx.xxx port 9131 ssh2: RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU
    Connection closed by xxx.xxx.xxx.xxx port 9131 [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: Killing privsep child 11978

  • nielsk
    Community Member

    What is the state of ssh-certificates nowadays? Any progress?

This discussion has been closed.