openssh unix dev - Dec 2024 - Better reporting for signature algorithm mismatch?

An issue that I come across from time to time is when I try to ssh into 
a box with an RSA key, and it fails because the target host is old and 
only does sha1 signatures.? However, the reason is not reported unless I 
turn on debugging. For example, all I see is:

% ssh foo at bar
foo at bar: Permission denied (publickey,keyboard-interactive).

I find this confusing, since my first inclination is that the public key 
has not been installed properly on the target host.

But if I remember to try again with debugging, then I see:

% ssh -v foo at bar
...
debug1: Will attempt key: /Users/brian/.ssh/id_rsa RSA 
SHA256:mVV81jWVCP/SDRFA7vRM/SDQniylCAcBoSERWyhAXEo agent
...
debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA 
SHA256:mVV81jWVCP/SDRFA7vRM/SDQniylCAcBoSERWyhAXEo agent
debug1: send_pubkey_test: no mutual signature algorithm <<<< *THIS*
...
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
foo at bar: Permission denied (publickey,keyboard-interactive).

% ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa foo at bar
<< success >>

I wonder if there could there be some way to highlight the "no mutual 
signature algorithm" message more prominently in normal operation? IMO 
it's not a problem with a specific key, but a protocol configuration 
issue which would affect *all* keys of that type.? Admittedly it is 
non-fatal, in the sense that other non-RSA keys or other auth methods 
can be tried, including falling back to password auth. Even then, I find 
it confusing to get a password prompt when I though I'd set up key 
authentication.

Other, fatal protocol compatibility problems *do* get reported, e.g.

Unable to negotiate with bar port 22: no matching key exchange method found.
Their offer: 
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

That's clear and explicit. However, because I'm so used to seeing this 
type of error when protocols don't match, it makes it more surprising 
that I don't see them for the ssh-rsa signature problem.? I'd like to 
see a warning for the first key tried, something like:

Warning: unable to authenticate with rsa key: no mutual signature algorithm
Their offer: ssh-rsa
Our offer: rsa-sha2-256, rsa-sha2-512

Anyway, just an idea.

Regards,

Brian.

On 04.12.24 19:47, Brian Candler wrote:
> debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA [...]
> debug1: send_pubkey_test: no mutual signature algorithm <<<<
*THIS*
> 
> I wonder if there could there be some way to highlight the "no mutual 
> signature algorithm" message more prominently in normal operation?
Wouldn't the extra output, even in cases where a different keypair 
succeeds later on, threaten to hose applications that expect the 
connection to be transparent (or fail completely)? As in, rsync, git, etc.?

In general, the client may try a number of keypairs and every try has a 
number of possible reasons to fail, from cryptalgorithm-related ones 
(including "cipher (here: RSA) rejected" and "hash (here: SHA2 
variant(s)) rejected") to "unknown keypair" to less-frequent ones
(like
"pubkey has a ForceCommand option and I can't execute that" etc.).
I
don't think that we should try to triage these cases into "interesting 
ones" that do emit a(n interim) warning, and the rest that doesn't.

*If* the login fails *altogether*, however, doing a "post mortem" and 
adding a line to the effect of "oh, by the way, *one* of the keypairs 
failed only because of rare condition XY" could still be helpful.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4336 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20241205/c53d4d5a/attachment.p7s>