SHA2 support broke SHA1 support when server is OpenSSH <7.8

[adarsh-chauhan]

simply running nornir with following command

devdsk.run(task=netmiko_file_transfer, source_file='./test_sbc_cert_file.pem', dest_file='/tmp/test_sbc_cert_file.pem')

Name: netmiko
Version: 4.0.0
Summary: Multi-vendor library to simplify legacy CLI connections to network devices
Home-page: https://github.com/ktbyers/netmiko
Author: Kirk Byers
Author-email: ktbyers@twb-tech.com
License: MIT
Location: /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages
Requires: paramiko, ntc-templates, pyserial, tenacity, scp, textfsm, setuptools
Required-by: nornir-netmiko

Name: nornir
Version: 3.2.0
Summary: Pluggable multi-threaded framework with inventory management to help operate collections of devices
Home-page: https://github.com/nornir-automation/nornir
Author: David Barroso
Author-email: dbarrosop@dravetech.com
License: Apache 2.0
Location: /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages
Requires: mypy_extensions, ruamel.yaml, typing_extensions
Required-by: nornir-utils

Pramiko 2.10.3 Does not work with cert authentication

Name: paramiko
Version: 2.10.3
Summary: SSH2 protocol library
Home-page: https://paramiko.org
Author: Jeff Forcier
Author-email: jeff@bitprophet.org
License: LGPL
Location: /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages
Requires: bcrypt, cryptography, six, pynacl
Required-by: scp, netmiko

INFO:nornir.core:Running task 'netmiko_file_transfer' with args {'source_file': './test_sbc_cert_file.pem', 'dest_file': '/tmp/test_sbc_cert_file.pem'} on 1 hosts
DEBUG:nornir.core.task:Host 'devdsk': running task 'netmiko_file_transfer'
DEBUG:paramiko.transport:starting thread (client mode): 0xc9bdc60
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.10.3
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
DEBUG:paramiko.transport:server key: ssh-rsa, rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ssh-ed25519
DEBUG:paramiko.transport:client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc
DEBUG:paramiko.transport:server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc
DEBUG:paramiko.transport:client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:client compress: none, zlib@openssh.com
DEBUG:paramiko.transport:server compress: none, zlib@openssh.com
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey: ssh-ed25519
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'rsa-sha2-256,rsa-sha2-512'}
DEBUG:paramiko.transport:Adding ssh-ed25519 host key for <redacted>: b'b4c8c90d11ba08dc8243bb8312554ad6'
DEBUG:paramiko.transport:Trying discovered key b'fc9db78e21554336dba204b193502cde' in /Users/<redacted>/.ssh/id_rsa
DEBUG:paramiko.transport:Adding public certificate /Users/<redacted>/.ssh/id_rsa-cert.pub
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa-cert-v01@openssh.com'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying discovered key b'f7b9889d1f44f0058ded06fa8bd4befa' in /Users/<redacted>/.ssh/id_rsa
ERROR:nornir.core.task:Host 'devdsk': task 'netmiko_file_transfer' failed with traceback:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/task.py", line 99, in start
    r = self.task(self, **self.params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/tasks/netmiko_file_transfer.py", line 24, in netmiko_file_transfer
    net_connect = task.host.get_connection(CONNECTION_NAME, task.nornir.config)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 494, in get_connection
    self.open_connection(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 546, in open_connection
    conn_obj.open(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/connections/netmiko.py", line 59, in open
    connection = ConnectHandler(**parameters)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/ssh_dispatcher.py", line 344, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 434, in __init__
    self._open()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 439, in _open
    self.establish_connection()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 1021, in establish_connection
    self.remote_conn_pre.connect(**ssh_connect_params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 678, in _auth
    key = self._key_from_filepath(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 598, in _key_from_filepath
    key.load_certificate(cert_path)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/pkey.py", line 663, in load_certificate
    raise ValueError(err.format(blob.key_type, self.get_name()))
ValueError: PublicBlob type ssh-rsa-cert-v01@openssh.com incompatible with key type ssh-dss

netmiko_file_transfer***********************************************************
* devdsk ** changed : False ****************************************************
vvvv netmiko_file_transfer ** changed : False vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ERROR
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/task.py", line 99, in start
    r = self.task(self, **self.params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/tasks/netmiko_file_transfer.py", line 24, in netmiko_file_transfer
    net_connect = task.host.get_connection(CONNECTION_NAME, task.nornir.config)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 494, in get_connection
    self.open_connection(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 546, in open_connection
    conn_obj.open(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/connections/netmiko.py", line 59, in open
    connection = ConnectHandler(**parameters)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/ssh_dispatcher.py", line 344, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 434, in __init__
    self._open()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 439, in _open
    self.establish_connection()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 1021, in establish_connection
    self.remote_conn_pre.connect(**ssh_connect_params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 678, in _auth
    key = self._key_from_filepath(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 598, in _key_from_filepath
    key.load_certificate(cert_path)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/pkey.py", line 663, in load_certificate
    raise ValueError(err.format(blob.key_type, self.get_name()))
ValueError: PublicBlob type ssh-rsa-cert-v01@openssh.com incompatible with key type ssh-dss

^^^^ END netmiko_file_transfer ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Downgrading to paramiko 2.8.1 Works

Name: paramiko
Version: 2.8.1
Summary: SSH2 protocol library
Home-page: https://paramiko.org
Author: Jeff Forcier
Author-email: jeff@bitprophet.org
License: LGPL
Location: /Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages
Requires: pynacl, bcrypt, cryptography
Required-by: scp, netmiko

INFO:nornir.core:Running task 'netmiko_file_transfer' with args {'source_file': './test_sbc_cert_file.pem', 'dest_file': '/tmp/test_sbc_cert_file.pem'} on 1 hosts
DEBUG:nornir.core.task:Host 'devdsk': running task 'netmiko_file_transfer'
DEBUG:paramiko.transport:starting thread (client mode): 0x10b12950
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.8.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:kex algos:['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'blowfish-cbc', 'cast128-cbc', '3des-cbc'] server encrypt:['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'blowfish-cbc', 'cast128-cbc', '3des-cbc'] client mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey agreed: ssh-ed25519
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-ed25519 host key for <redacted>: b'b4c8c90d11ba08dc8243bb8312554ad6'
DEBUG:paramiko.transport:Trying discovered key b'fc9db78e21554336dba204b193502cde' in /Users/<redacted>/.ssh/id_rsa
DEBUG:paramiko.transport:Adding public certificate /Users/<redacted>/.ssh/id_rsa-cert.pub
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:Received global request "hostkeys-00@openssh.com"
DEBUG:paramiko.transport:Rejecting "hostkeys-00@openssh.com" global request from server.
DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok

disabled_algorithm as pointed out it in https://docs.paramiko.org/en/stable/api/transport.html does not work for me.

[jun66j5]

Please provide debug logging and the code when disabled_algorithm is used.

[adarsh-chauhan]

@jun66j5 what all you would like me to disable ?

DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']

i added following for debug, is there anything else you are looking for

paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG)

[tomoyoirl]

I do not have all the helpful output just this moment but I am experiencing the same problem and this bug report was a godsend; I downgraded to 2.8.1 and things actually just worked

Before (Paramiko 2.9.2)

DEBUG:paramiko.transport:Trying SSH key b'7f28b4bbc4483078d6cc75cf46ca9db6'
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Auth banner: <redacted>
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa-cert-v01@openssh.com'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['ssh-ed25519', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Authentication (publickey) failed.

After

DEBUG:paramiko.transport:Trying SSH key b'a09e99115e14bc2f061f0e93755bffc6'
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Auth banner: <redacted>
INFO:paramiko.transport:Authentication (publickey) successful!

(The differing key is expected; it is generated and signed each run.)

I have not performed further analysis and am surprised that there are fewer messages about the pubkey algorithm negotiation.

[jun66j5]

DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']

I think that your usage of disabled_algorithms is wrong.

Using disabled_algorithms={'pubkeys': ['rsa-sha2-512', 'rsa-sha2-256']}, the following line is logged:

DEB [20220329-08:47:47.641] thr=1   paramiko.transport: Our pubkey algorithm list: ['ssh-rsa']

[adarsh-chauhan]

@jun66j5 I haven't disabled anything yet, those logs lines were just to make you aware of available of algorithms from the debug output above.

what should i disable?
if I disable rsa-sha2-512 rsa-sha2-256 auth will fail since there is nothing common between server and client.

[jun66j5]

@jun66j5 I haven't disabled anything yet, those logs lines were just to make you aware of available of algorithms from the debug output above.

What? You said: "disabled_algorithm as pointed out it in https://docs.paramiko.org/en/stable/api/transport.html does not work for me.". I think you've tried disabled_algorithm.

[adarsh-chauhan]

@jun66j5 sorry for the confusion, the two output of working and non-working are without disabled_algorithm.
if i disable rsa-sha2-512 rsa-sha2-256 i get the following error, which is obvious and hence i asked you what should i disable?

DEBUG:paramiko.transport:starting thread (client mode): 0xbf7c520
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.10.3
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.4)
DEBUG:paramiko.transport:=== Key exchange possibilities ===
DEBUG:paramiko.transport:kex algos: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
DEBUG:paramiko.transport:server key: ssh-rsa, rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ssh-ed25519
DEBUG:paramiko.transport:client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc
DEBUG:paramiko.transport:server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cast128-cbc, 3des-cbc
DEBUG:paramiko.transport:client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
DEBUG:paramiko.transport:client compress: none, zlib@openssh.com
DEBUG:paramiko.transport:server compress: none, zlib@openssh.com
DEBUG:paramiko.transport:client lang: <none>
DEBUG:paramiko.transport:server lang: <none>
DEBUG:paramiko.transport:kex follows: False
DEBUG:paramiko.transport:=== Key exchange agreements ===
DEBUG:paramiko.transport:Kex: curve25519-sha256@libssh.org
DEBUG:paramiko.transport:HostKey: ssh-ed25519
DEBUG:paramiko.transport:Cipher: aes128-ctr
DEBUG:paramiko.transport:MAC: hmac-sha2-256
DEBUG:paramiko.transport:Compression: none
DEBUG:paramiko.transport:=== End of kex handshake ===
DEBUG:paramiko.transport:kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-ed25519 host key for <redacted>: b'b4c8c90d11ba08dc8243bb8312554ad6'
DEBUG:paramiko.transport:Got EXT_INFO: {'server-sig-algs': b'rsa-sha2-256,rsa-sha2-512'}
DEBUG:paramiko.transport:Trying discovered key b'fc9db78e21554336dba204b193502cde' in /Users/<redacted>/.ssh/id_rsa
DEBUG:paramiko.transport:Adding public certificate /Users/<redacted>/.ssh/id_rsa-cert.pub
DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa-cert-v01@openssh.com'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['rsa-sha2-256', 'rsa-sha2-512']
DEBUG:paramiko.transport:No common pubkey algorithms exist! Dying.
ERROR:paramiko.transport:Exception (client): Unable to agree on a pubkey algorithm for signing a 'ssh-rsa-cert-v01@openssh.com' key!
ERROR:paramiko.transport:Traceback (most recent call last):
ERROR:paramiko.transport:  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/transport.py", line 2163, in run
ERROR:paramiko.transport:    handler(self.auth_handler, m)
ERROR:paramiko.transport:  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/auth_handler.py", line 368, in _parse_service_accept
ERROR:paramiko.transport:    algorithm = self._finalize_pubkey_algorithm(key_type)
ERROR:paramiko.transport:  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/auth_handler.py", line 334, in _finalize_pubkey_algorithm
ERROR:paramiko.transport:    raise AuthenticationException(err.format(key_type))
ERROR:paramiko.transport:paramiko.ssh_exception.AuthenticationException: Unable to agree on a pubkey algorithm for signing a 'ssh-rsa-cert-v01@openssh.com' key!
ERROR:paramiko.transport:
DEBUG:paramiko.transport:Trying discovered key b'f7b9889d1f44f0058ded06fa8bd4befa' in /Users/<redacted>/.ssh/id_rsa
netmiko_send_command************************************************************
* devdsk ** changed : False ****************************************************
vvvv netmiko_send_command ** changed : False vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ERROR
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/task.py", line 99, in start
    r = self.task(self, **self.params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/tasks/netmiko_send_command.py", line 26, in netmiko_send_command
    net_connect = task.host.get_connection(CONNECTION_NAME, task.nornir.config)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 494, in get_connection
    self.open_connection(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir/core/inventory.py", line 546, in open_connection
    conn_obj.open(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/nornir_netmiko/connections/netmiko.py", line 59, in open
    connection = ConnectHandler(**parameters)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/ssh_dispatcher.py", line 344, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 434, in __init__
    self._open()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 439, in _open
    self.establish_connection()
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/netmiko/base_connection.py", line 1021, in establish_connection
    self.remote_conn_pre.connect(**ssh_connect_params)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 678, in _auth
    key = self._key_from_filepath(
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/client.py", line 598, in _key_from_filepath
    key.load_certificate(cert_path)
  File "/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/paramiko/pkey.py", line 663, in load_certificate
    raise ValueError(err.format(blob.key_type, self.get_name()))

[jun66j5]

Thanks for the reply. Okay, I understand disable_algorithm cannot help the issue because OpenSSH 7.4 doesn't advertise ssh-rsa in server-sig-algs.

I try to reproduce it with OpenSSH 7.4 on CentOS 7....

[jun66j5]

Reproduced the issue. The publickey authentication with RSA certificates signed key OpenSSH 8.4 works fine, however OepnSSH 7.4 doesn't work.

OpenSSH 7.4 says while testing with signed key:

# /usr/sbin/sshd -eD
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
userauth_pubkey: unsupported public key algorithm: rsa-sha2-512-cert-v01@openssh.com [preauth]
Connection closed by 10.0.2.100 port 54204 [preauth]

I found the following note in OpenSSH 7.8 release notes:

 * ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert-
   v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to
   explicitly force use of RSA/SHA2 signatures in authentication.

It doesn't work with OpenSSH 7.7 or early probably.

[bskinn]

@jun66j5 Do you think there's any sort of fix to be done here? Or is this broken from the OpenSSH side?

[jun66j5]

OpenSSH client uses different signature based on remote server version.

• https://github.com/openssh/openssh-portable/blob/master/compat.c#L43
• https://github.com/openssh/openssh-portable/blob/V_8_9_P1/sshconnect2.c#L1191-L1197

OpenSSH 7.4

debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
...
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
...
debug1: Server accepts key: /home/jun66j5/etc/ssh-ca/ssh-rsa.key RSA-CERT SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4 explicit
debug3: sign_and_send_pubkey: RSA-CERT SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4
debug2: sign_and_send_pubkey: using private key "/home/jun66j5/etc/ssh-ca/ssh-rsa.key" for certificate
debug3: sign_and_send_pubkey: signing using ssh-rsa-cert-v01@openssh.com SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4

OpenSSH 8.4

debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
...
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
...
debug1: Server accepts key: /home/jun66j5/etc/ssh-ca/ssh-rsa.key RSA-CERT SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4 explicit
debug3: sign_and_send_pubkey: RSA-CERT SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4
debug2: sign_and_send_pubkey: using private key "/home/jun66j5/etc/ssh-ca/ssh-rsa.key" for certificate
debug3: sign_and_send_pubkey: signing using rsa-sha2-512-cert-v01@openssh.com SHA256:+E2P7mi6ZPqAOlRU4bKOy+AlwUNdD0buVck153h0js4

If paramiko does the same behavior, the following patch will fix the issue.

diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index e90236734..cfce8618d 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -22,6 +22,7 @@

 import weakref
 import time
+import re

 from paramiko.common import (
     cMSG_SERVICE_REQUEST,
@@ -298,6 +299,16 @@ class AuthHandler(object):
                 key_type
             ),
         )
+        # NOTE: When the key is RSA cert and the remote server is OpenSSH 7.7
+        # or early, always use ssh-rsa-cert-v01@openssh.com.
+        if (
+            key_type.endswith("-cert-v01@openssh.com") and
+            re.search(r'-OpenSSH_(?:[1-6]|7\.[0-7])',
+                      self.transport.remote_version)
+        ):
+            pubkey_algo = "ssh-rsa-cert-v01@openssh.com"
+            self.transport._agreed_pubkey_algorithm = pubkey_algo
+            return pubkey_algo
         # Only consider RSA algos from our list, lest we agree on another!
         my_algos = [x for x in self.transport.preferred_pubkeys if "rsa" in x]
         self._log(DEBUG, "Our pubkey algorithm list: {}".format(my_algos))

[bitprophet]

Digging into this now:

• Squinting very hard at the OpenSSH source linked, I think we can phrase the relevant behavior (SSH_BUG_SIGTYPE) as "server-sig-algs are ignored when the RSA key in question is a cert and the server is 7.7 or below"
  • SSH_BUG_SIGTYPE74, meanwhile, is specific to version 7.4, and says "pretend that 7.4 servers sent us a server-sig-algs containing just RSA-SHA2 options, when looking at RSA keys".
    • In this particular case, that seems pointless since ... the user's 7.4 sshd IS sending us a real server-sig-algs with those two key types! (Wonder if it's a patched 7.4?)
• The reason for this band-aid is that OpenSSH <=7.7 may not understand the RSA-SHA2 cert types (tho it does understand RSA-SHA2 keys?)
  • Plus those versions DO (or MAY) understand how to send server-sig-algs, and are offering SHA2 - implicitly, only for non-cert RSA keys. Which is what's confusing Paramiko here.

Looking at solutions (ideally minimalistic ones as this stuff is real sensitive and already a bit rocky):

• Jun's patch short-circuits very early on, which I don't love as it duplicates some code found farther down, but it otherwise fits the above - cert only, 7.7 or below only.
• Tempting to try and make this fit into the else case in the body of the function (which is kinda the legacy behavior, i.e. why downgrading to Paramiko 2.8 "works" in these cases).
  • Eg by having the if do the server version test, making it "did server send server-sig-algs, and can it be trusted (is above 7.7)?"
  • That won't work by default, because as of Paramiko 2.9, our preferred algo list is sha2, sha2, sha1 - so we'd still be trying to use a sha2 algorithm with a server that doesn't grok it, due to the "pick first in list" logic.
  • However, it should work if the user also uses disabled_algorithms to filter out sha2, as noted upthread.
  • Which is also the same path that an unpatched 7.4 sshd (not sending any server-sig-algs) would be hitting in this scenario (which I think means we don't ever need OpenSSH's code focused on SSH_BUG_SIGTYPE74?)