Server rejecting key_type

[roel-gerrits]

I've run into an issue when trying to connect using a client_key.

asyncssh.connect("hostname", known_hosts=None, tunnel=other_conn, username="username", client_keys=["key_file.pem"])

(the connection is tunneled, but I'm assuming that is not the cause of the issue)

This results in the following error:

asyncssh.misc.PermissionDenied: Permission denied for user username on host hostname

In the sshd log I find the following messages:

Jun 24 19:29:00 XXX sshd[119216]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Jun 24 19:29:00 XXX sshd[119216]: Connection closed by authenticating user XXX 11.0.0.221 port 57964 [preauth]

The ssh-rsa key type is indeed configured to be not accepted:

PubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com

And this is (I think) reflected in the asyncssh logs: (no ssh-rsa in the Host key algs line.

DEBUG:asyncssh:[conn=2] Received key exchange request
DEBUG:asyncssh:[conn=2]   Key exchange algs: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
DEBUG:asyncssh:[conn=2]   Host key algs: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
DEBUG:asyncssh:[conn=2]   Client to server:
DEBUG:asyncssh:[conn=2]     Encryption algs: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=2]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
DEBUG:asyncssh:[conn=2]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=2]   Server to client:
DEBUG:asyncssh:[conn=2]     Encryption algs: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=2]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
DEBUG:asyncssh:[conn=2]     Compression algs: none,zlib@openssh.com

However, it appears that for some reason the ssh-rsa key type is chosen anyway.

I've fiddled around with the code and when I modify the _choose_signature_alg function to look like this:

    def _choose_signature_alg(self, keypair: _ClientHostKey) -> bool:
        """Choose signature algorithm to use for key-based authentication"""

        if self._server_sig_algs:
            for alg in keypair.sig_algorithms:
                if keypair.use_webauthn and not alg.startswith(b'webauthn-'):
                    continue

                if alg in self._sig_algs and alg in self._server_sig_algs:
                    keypair.set_sig_algorithm(alg)
                    return True
        
        # ----- I'VE ADDED THESE LINES -------
        remaining_algs = [algo for algo in keypair.sig_algorithms if algo in self._sig_algs]
        if remaining_algs:
            keypair.set_sig_algorithm(remaining_algs[0])
            return True
        # ------------------------------------

        return keypair.sig_algorithms[-1] in self._sig_algs

Then it's all working correctly.

Did I find a bug in asyncssh (or a missing feature)?

Thinks to note:

1. I'm not an expert on ssh. I'm not sure if this is really the good way to fix the problem.
2. When using the openssh client or paramiko with the same key_file things are also working correctly, so I assume the ssh server configuration and the key_file are not the issue.

Versions:
asyncss: 2.21
sshd server: OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

[ronf]

Host key algorithms applies only to validating the server's host key on the client. It does not have an impact on the allowed algorithms for public key authentication of the client, and the negotiation for that doesn't really show up in the handshake, but it might show up later if the server sends 'sig-algs' in an EXT_INFO message. Are you seeing that in the AsyncSSH debug log?
The server should be deciding what to send there based on its configuration of 'PubkeyAcceptedKeyTypes'. As you noted above, this is currently set on the server to allow RSA with SHA-2 signature algorithms (rsa-sha2-256 and rsa-sha2-512), but not RSA with SHA-1 (ssh-rsa).

By default, AsyncSSH should prefer using RSA with SHA-2, but it looks like it will fall back to 'ssh-rsa' if the server doesn't send a list of the signature algs it supports. That may be what you are seeing here. OpenSSH 8.0p1 should be new enough (just barely) to support sending server-sig-algs, though.

You'll also want to make sure that AsyncSSH's "signature_algs" is set to include the RSA SHA-2 algorithms, but this should be the case by default if you don't specify anything here.

[roel-gerrits]

Ah ok so I indeed misinterpreted the Host key algs line.

Here are the full AsyncSSH logs, with debug level 2:

DEBUG:asyncio:Using selector: EpollSelector
DEBUG:asyncssh:Reading config from "<REDACTED>"
INFO:asyncssh:Host canonicalization disabled
INFO:asyncssh:Opening SSH connection to <REDACTED>, port 22
INFO:asyncssh:[conn=0] Connected to SSH server at <REDACTED>, port 22
INFO:asyncssh:[conn=0]   Local address: 10.161.40.13, port 33422
INFO:asyncssh:[conn=0]   Peer address: 10.161.28.161, port 22
DEBUG:asyncssh:[conn=0] Sending version SSH-2.0-AsyncSSH_2.21.0
DEBUG:asyncssh:[conn=0] Received version SSH-2.0-OpenSSH_7.4
DEBUG:asyncssh:[conn=0] Requesting key exchange
DEBUG:asyncssh:[conn=0]   Key exchange algs: gss-curve25519-sha256-92scGTGZyysGniM+s/4xLA==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve448-sha512-92scGTGZyysGniM+s/4xLA==,gss-curve448-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp521-sha512-92scGTGZyysGniM+s/4xLA==,gss-nistp521-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp384-sha384-92scGTGZyysGniM+s/4xLA==,gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-92scGTGZyysGniM+s/4xLA==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-1.3.132.0.10-sha256-92scGTGZyysGniM+s/4xLA==,gss-1.3.132.0.10-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha256-92scGTGZyysGniM+s/4xLA==,gss-gex-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha256-92scGTGZyysGniM+s/4xLA==,gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group15-sha512-92scGTGZyysGniM+s/4xLA==,gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-92scGTGZyysGniM+s/4xLA==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group17-sha512-92scGTGZyysGniM+s/4xLA==,gss-group17-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group18-sha512-92scGTGZyysGniM+s/4xLA==,gss-group18-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-92scGTGZyysGniM+s/4xLA==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group14-sha1,rsa2048-sha256,ext-info-c,kex-strict-c-v00@openssh.com
DEBUG:asyncssh:[conn=0]   Host key algs: rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed448-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa-sha224@ssh.com,ssh-rsa-sha256@ssh.com,ssh-rsa-sha384@ssh.com,ssh-rsa-sha512@ssh.com,ssh-rsa,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ssh-ed448,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-1.3.132.0.10
DEBUG:asyncssh:[conn=0]   Encryption algs: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
DEBUG:asyncssh:[conn=0]   MAC algs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha256-2@ssh.com,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha384@ssh.com,hmac-sha512@ssh.com
DEBUG:asyncssh:[conn=0]   Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=0] Received key exchange request
DEBUG:asyncssh:[conn=0]   Key exchange algs: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
DEBUG:asyncssh:[conn=0]   Host key algs: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
DEBUG:asyncssh:[conn=0]   Client to server:
DEBUG:asyncssh:[conn=0]     Encryption algs: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
DEBUG:asyncssh:[conn=0]     MAC algs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG:asyncssh:[conn=0]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=0]   Server to client:
DEBUG:asyncssh:[conn=0]     Encryption algs: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
DEBUG:asyncssh:[conn=0]     MAC algs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
DEBUG:asyncssh:[conn=0]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=0] Beginning key exchange
DEBUG:asyncssh:[conn=0]   Key exchange alg: curve25519-sha256
DEBUG:asyncssh:[conn=0]   Client to server:
DEBUG:asyncssh:[conn=0]     Encryption alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=0]     MAC alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=0]     Compression alg: none
DEBUG:asyncssh:[conn=0]   Server to client:
DEBUG:asyncssh:[conn=0]     Encryption alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=0]     MAC alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=0]     Compression alg: none
DEBUG:asyncssh:[conn=0] Requesting service ssh-userauth
DEBUG:asyncssh:[conn=0] Completed key exchange
DEBUG:asyncssh:[conn=0] Request for service ssh-userauth accepted
INFO:asyncssh:[conn=0] Beginning auth for user <user>
DEBUG:asyncssh:[conn=0] Remaining auth methods: publickey,gssapi-keyex,gssapi-with-mic,password
DEBUG:asyncssh:[conn=0] Preferred auth methods: gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
DEBUG:asyncssh:[conn=0] Trying GSS MIC auth
INFO:asyncssh:[conn=0] Auth for user <user>succeeded
DEBUG:asyncssh:Reading config from "<REDACTED>"
DEBUG:asyncssh:[conn=0] Ignoring server host key message: no handler
INFO:asyncssh:Host canonicalization disabled
INFO:asyncssh:[conn=0] Opening SSH connection to <REDACTED>, port 22 via SSH tunnel
INFO:asyncssh:[conn=0] Opening direct TCP connection to <REDACTED>, port 22
INFO:asyncssh:[conn=0]   Client address: dynamic port
DEBUG:asyncssh:[conn=0, chan=0] Set write buffer limits: low-water=16384, high-water=65536
DEBUG:asyncssh:[conn=0, chan=0]   Initial recv window 2097152, packet size 32768
DEBUG:asyncssh:[conn=0, chan=0]   Initial send window 2097152, packet size 32768
INFO:asyncssh:[conn=1] Connected to SSH server at <REDACTED>, port 22
INFO:asyncssh:[conn=1]   Local address: <REDACTED>, port 33422
INFO:asyncssh:[conn=1]   Peer address: dynamic port
DEBUG:asyncssh:[conn=1] Sending version SSH-2.0-AsyncSSH_2.21.0
DEBUG:asyncssh:[conn=0, chan=0] Sending 25 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Reading from channel started
DEBUG:asyncssh:[conn=0, chan=0] Received 21 data bytes
DEBUG:asyncssh:[conn=1] Received version SSH-2.0-OpenSSH_8.0
DEBUG:asyncssh:[conn=1] Requesting key exchange
DEBUG:asyncssh:[conn=1]   Key exchange algs: gss-curve25519-sha256-92scGTGZyysGniM+s/4xLA==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve448-sha512-92scGTGZyysGniM+s/4xLA==,gss-curve448-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp521-sha512-92scGTGZyysGniM+s/4xLA==,gss-nistp521-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp384-sha384-92scGTGZyysGniM+s/4xLA==,gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-92scGTGZyysGniM+s/4xLA==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-1.3.132.0.10-sha256-92scGTGZyysGniM+s/4xLA==,gss-1.3.132.0.10-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha256-92scGTGZyysGniM+s/4xLA==,gss-gex-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha256-92scGTGZyysGniM+s/4xLA==,gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group15-sha512-92scGTGZyysGniM+s/4xLA==,gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-92scGTGZyysGniM+s/4xLA==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group17-sha512-92scGTGZyysGniM+s/4xLA==,gss-group17-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group18-sha512-92scGTGZyysGniM+s/4xLA==,gss-group18-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-92scGTGZyysGniM+s/4xLA==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group14-sha1,rsa2048-sha256,ext-info-c,kex-strict-c-v00@openssh.com
DEBUG:asyncssh:[conn=1]   Host key algs: rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed448-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa-sha224@ssh.com,ssh-rsa-sha256@ssh.com,ssh-rsa-sha384@ssh.com,ssh-rsa-sha512@ssh.com,ssh-rsa,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ssh-ed448,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-1.3.132.0.10
DEBUG:asyncssh:[conn=1]   Encryption algs: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
DEBUG:asyncssh:[conn=1]   MAC algs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha256-2@ssh.com,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha384@ssh.com,hmac-sha512@ssh.com
DEBUG:asyncssh:[conn=1]   Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=0, chan=0] Sending 3312 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 1040 data bytes
DEBUG:asyncssh:[conn=1] Received key exchange request
DEBUG:asyncssh:[conn=1]   Key exchange algs: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
DEBUG:asyncssh:[conn=1]   Host key algs: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
DEBUG:asyncssh:[conn=1]   Client to server:
DEBUG:asyncssh:[conn=1]     Encryption algs: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=1]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
DEBUG:asyncssh:[conn=1]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=1]   Server to client:
DEBUG:asyncssh:[conn=1]     Encryption algs: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=1]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
DEBUG:asyncssh:[conn=1]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=1] Beginning key exchange
DEBUG:asyncssh:[conn=1]   Key exchange alg: curve25519-sha256
DEBUG:asyncssh:[conn=0, chan=0] Sending 48 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 888 data bytes
DEBUG:asyncssh:[conn=1]   Client to server:
DEBUG:asyncssh:[conn=1]     Encryption alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=1]     MAC alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=1]     Compression alg: none
DEBUG:asyncssh:[conn=1]   Server to client:
DEBUG:asyncssh:[conn=1]     Encryption alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=1]     MAC alg: chacha20-poly1305@openssh.com
DEBUG:asyncssh:[conn=1]     Compression alg: none
DEBUG:asyncssh:[conn=0, chan=0] Sending 16 data bytes
DEBUG:asyncssh:[conn=1] Requesting service ssh-userauth
DEBUG:asyncssh:[conn=0, chan=0] Sending 44 data bytes
DEBUG:asyncssh:[conn=1] Completed key exchange
DEBUG:asyncssh:[conn=0, chan=0] Received 44 data bytes
DEBUG:asyncssh:[conn=1] Request for service ssh-userauth accepted
INFO:asyncssh:[conn=1] Beginning auth for user <user>
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 68 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 384 data bytes
DEBUG:asyncssh:[conn=1] Received authentication banner
DEBUG:asyncssh:[conn=1] Remaining auth methods: publickey,password
DEBUG:asyncssh:[conn=1] Preferred auth methods: gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
DEBUG:asyncssh:[conn=1] Trying public key auth with ssh-rsa key
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 620 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 580 data bytes
DEBUG:asyncssh:[conn=1] Signing request with ssh-rsa key
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 1156 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 28 data bytes
INFO:asyncssh:[conn=1] Auth for user <user>succeeded
DEBUG:asyncssh:Reading config from "<REDACTED>"
INFO:asyncssh:Host canonicalization disabled
INFO:asyncssh:[conn=1] Opening SSH connection to <REDACTED>, port 22 via SSH tunnel
INFO:asyncssh:[conn=1] Opening direct TCP connection to <REDACTED>, port 22
INFO:asyncssh:[conn=1]   Client address: dynamic port
DEBUG:asyncssh:[conn=1, chan=0] Set write buffer limits: low-water=16384, high-water=65536
DEBUG:asyncssh:[conn=1, chan=0]   Initial recv window 2097152, packet size 32768
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 84 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 876 data bytes
DEBUG:asyncssh:[conn=1] Received debug message: /home/<REDACTED>/.ssh/authorized_keys:7: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
DEBUG:asyncssh:[conn=1] Received debug message: /home/<REDACTED>/.ssh/authorized_keys:7: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
DEBUG:asyncssh:[conn=1] Ignoring server host key message: no handler
DEBUG:asyncssh:[conn=0, chan=0] Received 44 data bytes
DEBUG:asyncssh:[conn=1, chan=0]   Initial send window 2097152, packet size 32768
INFO:asyncssh:[conn=2] Connected to SSH server at <REDACTED>, port 22
INFO:asyncssh:[conn=2]   Local address: 10.161.40.13, port 33422
INFO:asyncssh:[conn=2]   Peer address: dynamic port
DEBUG:asyncssh:[conn=2] Sending version SSH-2.0-AsyncSSH_2.21.0
DEBUG:asyncssh:[conn=1, chan=0] Sending 25 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 60 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Reading from channel started
DEBUG:asyncssh:[conn=0, chan=0] Received 60 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 21 data bytes
DEBUG:asyncssh:[conn=2] Received version SSH-2.0-OpenSSH_8.0
DEBUG:asyncssh:[conn=2] Requesting key exchange
DEBUG:asyncssh:[conn=2]   Key exchange algs: gss-curve25519-sha256-92scGTGZyysGniM+s/4xLA==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve448-sha512-92scGTGZyysGniM+s/4xLA==,gss-curve448-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp521-sha512-92scGTGZyysGniM+s/4xLA==,gss-nistp521-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp384-sha384-92scGTGZyysGniM+s/4xLA==,gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-92scGTGZyysGniM+s/4xLA==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-1.3.132.0.10-sha256-92scGTGZyysGniM+s/4xLA==,gss-1.3.132.0.10-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha256-92scGTGZyysGniM+s/4xLA==,gss-gex-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha256-92scGTGZyysGniM+s/4xLA==,gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group15-sha512-92scGTGZyysGniM+s/4xLA==,gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-92scGTGZyysGniM+s/4xLA==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group17-sha512-92scGTGZyysGniM+s/4xLA==,gss-group17-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group18-sha512-92scGTGZyysGniM+s/4xLA==,gss-group18-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-92scGTGZyysGniM+s/4xLA==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group14-sha1,rsa2048-sha256,ext-info-c,kex-strict-c-v00@openssh.com
DEBUG:asyncssh:[conn=2]   Host key algs: rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed448-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa-sha224@ssh.com,ssh-rsa-sha256@ssh.com,ssh-rsa-sha384@ssh.com,ssh-rsa-sha512@ssh.com,ssh-rsa,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ssh-ed448,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-1.3.132.0.10
DEBUG:asyncssh:[conn=2]   Encryption algs: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
DEBUG:asyncssh:[conn=2]   MAC algs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha256-2@ssh.com,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha384@ssh.com,hmac-sha512@ssh.com
DEBUG:asyncssh:[conn=2]   Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=1, chan=0] Sending 3312 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 3348 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 804 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 768 data bytes
DEBUG:asyncssh:[conn=2] Received key exchange request
DEBUG:asyncssh:[conn=2]   Key exchange algs: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
DEBUG:asyncssh:[conn=2]   Host key algs: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
DEBUG:asyncssh:[conn=2]   Client to server:
DEBUG:asyncssh:[conn=2]     Encryption algs: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=2]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
DEBUG:asyncssh:[conn=2]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=2]   Server to client:
DEBUG:asyncssh:[conn=2]     Encryption algs: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
DEBUG:asyncssh:[conn=2]     MAC algs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
DEBUG:asyncssh:[conn=2]     Compression algs: none,zlib@openssh.com
DEBUG:asyncssh:[conn=2] Beginning key exchange
DEBUG:asyncssh:[conn=2]   Key exchange alg: ecdh-sha2-nistp521
DEBUG:asyncssh:[conn=1, chan=0] Sending 152 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 188 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 1276 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 1240 data bytes
DEBUG:asyncssh:[conn=2]   Client to server:
DEBUG:asyncssh:[conn=2]     Encryption alg: aes256-gcm@openssh.com
DEBUG:asyncssh:[conn=2]     MAC alg: aes256-gcm@openssh.com
DEBUG:asyncssh:[conn=2]     Compression alg: none
DEBUG:asyncssh:[conn=2]   Server to client:
DEBUG:asyncssh:[conn=2]     Encryption alg: aes256-gcm@openssh.com
DEBUG:asyncssh:[conn=2]     MAC alg: aes256-gcm@openssh.com
DEBUG:asyncssh:[conn=2]     Compression alg: none
DEBUG:asyncssh:[conn=1, chan=0] Sending 16 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 52 data bytes
DEBUG:asyncssh:[conn=2] Requesting service ssh-userauth
DEBUG:asyncssh:[conn=1, chan=0] Sending 52 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 92 data bytes
DEBUG:asyncssh:[conn=2] Completed key exchange
DEBUG:asyncssh:[conn=0, chan=0] Received 92 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 52 data bytes
DEBUG:asyncssh:[conn=2] Request for service ssh-userauth accepted
INFO:asyncssh:[conn=2] Beginning auth for user tpo
DEBUG:asyncssh:[conn=1, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 76 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Sending 68 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 108 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 172 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 136 data bytes
DEBUG:asyncssh:[conn=2] Received authentication banner
DEBUG:asyncssh:[conn=2] Remaining auth methods: publickey,password
DEBUG:asyncssh:[conn=2] Preferred auth methods: gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
DEBUG:asyncssh:[conn=2] Trying public key auth with ssh-rsa key
DEBUG:asyncssh:[conn=1, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 76 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Sending 628 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 668 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Received 92 data bytes
DEBUG:asyncssh:[conn=1, chan=0] Received 52 data bytes
DEBUG:asyncssh:[conn=2] Remaining auth methods: publickey,password
DEBUG:asyncssh:[conn=2] Preferred auth methods: gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
INFO:asyncssh:[conn=2] Auth failed for user tpo
INFO:asyncssh:[conn=1, chan=0] Aborting channel
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
DEBUG:asyncssh:[conn=0, chan=0] Sending 36 data bytes
INFO:asyncssh:[conn=2] Connection failure: Permission denied for user tpo on host <REDACTED>
INFO:asyncssh:[conn=2] Aborting connection
INFO:asyncssh:[conn=1] Closing connection
INFO:asyncssh:[conn=1, chan=0] Closing channel
INFO:asyncssh:[conn=1] Sending disconnect: Disconnected by application (11)
DEBUG:asyncssh:[conn=0, chan=0] Sending 76 data bytes
INFO:asyncssh:[conn=0, chan=0] Aborting channel
INFO:asyncssh:[conn=1] Connection closed
INFO:asyncssh:[conn=1, chan=0] Closing channel due to connection close
INFO:asyncssh:[conn=1, chan=0] Channel closed
INFO:asyncssh:[conn=0] Closing connection
INFO:asyncssh:[conn=0, chan=0] Closing channel
INFO:asyncssh:[conn=0] Sending disconnect: Disconnected by application (11)
DEBUG:asyncssh:[conn=0, chan=0] Received 36 data bytes
INFO:asyncssh:[conn=0] Connection closed
INFO:asyncssh:[conn=0, chan=0] Closing channel due to connection close
INFO:asyncssh:[conn=0, chan=0] Channel closed
Traceback (most recent call last):
<REDACTED>
asyncssh.misc.PermissionDenied: Permission denied for user <REDACTED>on host <REDACTED>

Process finished with exit code 1

Full code that produces above outputs:

import asyncio
import logging
import asyncssh

logging.basicConfig(level=logging.DEBUG)
asyncssh.set_debug_level(2)


async def main():
    async with asyncssh.connect("<REDACTED>", known_hosts=None) as conn1:
        async with asyncssh.connect("<REDACTED>", known_hosts=None, tunnel=conn1, username="<REDACTED>", client_keys=["<REDACTED>"]) as conn2:
            async with asyncssh.connect("<REDACTED>", known_hosts=None, tunnel=conn2, username="<REDACTED>", client_keys=["<REDACTED>"]) as conn3:
                print(conn3)


asyncio.run(main())

[ronf]

I don't see any sign of the server sending EXT_INFO here. It should look something like:

DEBUG:asyncssh:[conn=0] Received extension info
DEBUG:asyncssh:[conn=0]   server-sig-algs: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,webauthn-sk-ecdsa-sha2-nistp256@openssh.com

This would appear just after the "Completed key exchange".

Without this message, AsyncSSH is conservative about the signature algorithms used, which in the case of RSA means using only "ssh-rsa", the last signature algorithm in the list for any given key type. Here's the line which does this from _choose_signature_alg:

        return keypair.sig_algorithms[-1] in self._sig_algs

The `-1' there picks the last algorithm in the list.

With an older server like that, I'm not sure it would be safe to send anything else. AsyncSSH could potential try more than one signature algorithm here, but with authentication you only get a few tries, and you may need those to try multiple key types (e.g. RSA, ECDA, and Ed25519, or other variants like SSH certificates).

Perhaps I could make AsyncSSH check its local signature_algs when the server doesn't send a list, so that it chooses the best option from that list rather than always falling back to ssh-rsa. This would provide control on the client side without needing multiple attempts for the same key. I just don't understand why the server isn't sending server-sig-algs. That should have been added in OpenSSH 7.3 or 7.4.

[roel-gerrits]

Without this message, AsyncSSH is conservative about the signature algorithms used, which in the case of RSA means using only "ssh-rsa", the last signature algorithm in the list for any given key type. Here's the line which does this from _choose_signature_alg:

    return keypair.sig_algorithms[-1] in self._sig_algs

The `-1' there picks the last algorithm in the list.

That line only checks if the last algorithm is in self._sig_algs, not actually set the sig_algorithm to the last entry in the list... right?

[roel-gerrits]

I tried logging in via ssh client, which works fine. See verbose logging below.

I do see the following lines in there

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

Is this the message we need?
I'm suprised however that ssh-rsa appears in that list...

[<user>@xssuite-proc-testpc1 ~]$ ssh -vvv -i .ssh/<user>.pem <host>
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
debug1: Reading configuration data /home/<user>/.ssh/config
debug1: /home/<user>/.ssh/config line 3: Applying options for sv*
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 3: Including file /etc/ssh/ssh_config.d/00-host.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/00-host.conf
debug3: /etc/ssh/ssh_config line 5: Including file /etc/ssh/ssh_config.d/01-global.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/01-global.conf
debug1: /etc/ssh/ssh_config line 7: Applying options for *
debug3: /etc/ssh/ssh_config line 15: Including file /etc/crypto-policies/back-ends/openssh.config depth 0
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug2: resolving "<host>" port 22
debug2: ssh_connect_direct
debug1: Connecting to <host> [11.1.0.1] port 22.
debug1: Connection established.
debug1: identity file .ssh/<user>.pem type -1
debug1: identity file .ssh/<user>.pem-cert type -1
debug1: identity file /home/<user>/.ssh/<user>.pem type -1
debug1: identity file /home/<user>/.ssh/<user>.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to <host>:22 as '<user>'
debug3: hostkeys_foreach: reading file "/home/<user>/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/<user>/.ssh/known_hosts:63
debug3: load_hostkeys: loaded 1 keys from <host>
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: rekey after 1073741824 bytes, 3600 seconds
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:MDGORA8S+O+rTqqEwxwmADMoRqr8uyqbG9vTDeJYJ5o
debug3: hostkeys_foreach: reading file "/home/<user>/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/<user>/.ssh/known_hosts:63
debug3: load_hostkeys: loaded 1 keys from <host>
debug3: hostkeys_foreach: reading file "/home/<user>/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/<user>/.ssh/known_hosts:62
debug3: load_hostkeys: loaded 1 keys from 11.1.0.1
debug1: Host '<host>' is known and matches the ECDSA host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:63
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 67108864 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 67108864 blocks
debug1: Will attempt key: .ssh/<user>.pem  explicit
debug1: Will attempt key: /home/<user>/.ssh/<user>.pem  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
I've read & consent to terms in IS user agreem't
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/<user>.pem
debug3: sign_and_send_pubkey: RSA SHA256:7A3rJNgUzOs5f/sYy7UAHVj2+WdG//22q9EXbA8FeEE
debug3: sign_and_send_pubkey: signing using rsa-sha2-256
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to <host> ([11.1.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/<user>/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 4 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug1: Sending env LC_MONETARY = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env HISTCONTROL
debug3: Ignored env GUESTFISH_RESTORE
debug3: Ignored env HOSTNAME
debug3: Ignored env GUESTFISH_INIT
debug3: Ignored env which_declare
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env GUESTFISH_PS1
debug1: Sending env LC_COLLATE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SELINUX_ROLE_REQUESTED
debug3: Ignored env PWD
debug3: Ignored env SSH_ASKPASS
debug3: Ignored env HOME
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SELINUX_LEVEL_REQUESTED
debug3: Ignored env XDG_DATA_DIRS
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SSH_TTY
debug3: Ignored env MAIL
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug1: Sending env LC_MESSAGES = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug1: Sending env XMODIFIERS = @im=ibus
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env SELINUX_USE_CURRENT_RANGE
debug3: Ignored env TMOUT
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env PATH
debug3: Ignored env GUESTFISH_OUTPUT
debug3: Ignored env HISTSIZE
debug3: Ignored env LESSOPEN
debug1: Sending env LC_TIME = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env BASH_FUNC_which%%
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
[<user>@<host> ~]$ 

[roel-gerrits]

Another observation (of which I don't know its significance).

Based on the logging I got from the ssh client, and the logging from AsyncSSH, filtered out what messages are send exactly, and there appear to be some differences (which may or may not contribute to the issue)

Message flow from ssh client:

debug3: send packet: type 20 MSG_KEXINIT
debug3: receive packet: type 20 MSG_KEXINIT
debug3: send packet: type 30 MSG_KEX_FIRST
debug3: receive packet: type 31 MSG_KEX_ECDH_REPLY
debug3: send packet: type 21 MSG_NEWKEYS
debug3: receive packet: type 21 MSG_NEWKEYS
debug3: send packet: type 5 MSG_SERVICE_REQUEST
debug3: receive packet: type 7 MSG_EXT_INFO
debug3: receive packet: type 6 MSG_SERVICE_ACCEPT
debug3: send packet: type 50 MSG_USERAUTH_REQUEST
debug3: receive packet: type 53 MSG_USERAUTH_BANNER
debug3: receive packet: type 51 MSG_USERAUTH_FAILURE
debug3: send packet: type 50 MSG_USERAUTH_REQUEST
debug3: receive packet: type 52 MSG_USERAUTH_SUCCESS

Message flow from AsyncSSH:

DEBUG:asyncssh:[conn=2, pktid=0] Sent MSG_KEXINIT (20), 3302 bytes
DEBUG:asyncssh:[conn=2, pktid=0] Received MSG_KEXINIT (20), 756 bytes
DEBUG:asyncssh:[conn=2, pktid=1] Sent MSG_KEX_ECDH_INIT (30), 138 bytes
DEBUG:asyncssh:[conn=2, pktid=1] Received MSG_KEX_ECDH_REPLY (31), 1213 bytes
DEBUG:asyncssh:[conn=2, pktid=3] Sent MSG_SERVICE_REQUEST (5), 17 bytes
DEBUG:asyncssh:[conn=2, pktid=3] Received MSG_SERVICE_ACCEPT (6), 17 bytes
DEBUG:asyncssh:[conn=2, pktid=4] Sent MSG_IGNORE (2), 5 bytes
DEBUG:asyncssh:[conn=2, pktid=5] Sent MSG_USERAUTH_REQUEST (50), 34 bytes
DEBUG:asyncssh:[conn=2, pktid=4] Received MSG_USERAUTH_BANNER (53), 58 bytes
DEBUG:asyncssh:[conn=2, pktid=5] Received MSG_USERAUTH_FAILURE (51), 24 bytes
DEBUG:asyncssh:[conn=2, pktid=6] Sent MSG_IGNORE (2), 5 bytes
DEBUG:asyncssh:[conn=2, pktid=7] Sent MSG_USERAUTH_REQUEST (50), 590 bytes
DEBUG:asyncssh:[conn=2, pktid=6] Received MSG_USERAUTH_FAILURE (51), 24 bytes

The ssh client is sending a MSG_NEWKEYS after the MSG_KEX_ECDH_REPLY packet is received, AsyncSSH does not.
I've no idea what this means, could this be related to the issue?

[ronf]

Without this message, AsyncSSH is conservative about the signature algorithms used, which in the case of RSA means using only "ssh-rsa", the last signature algorithm in the list for any given key type. Here's the line which does this from _choose_signature_alg:

    return keypair.sig_algorithms[-1] in self._sig_algs

The `-1' there picks the last algorithm in the list.

That line only checks if the last algorithm is in self._sig_algs, not actually set the sig_algorithm to the last entry in the list... right?

Keypair objects default to the last signature algorithm in the list. So, in the case where you want to use that one, you don't need to call set_sig_algorithm(). However, this code does check to see if that algorithm is in the allowed sig algorithms and will return False if it's not, which should cause it to skip that key if the default sig algorithm is not allowed.

The problem here is that it never tries the RSA SHA-2 algorithms even though they are in the local allowed sig algorithms, because it's not getting the list of allowed server sig algorithms for some reason.

What's strange is that the test you did with OpenSSH as the client did have that same server sending server-sig-algs, making me wonder if there's a bug in old versions of OpenSSH that don't properly recognize ext-info-c from the client if it's not the very last item in the kex algorithms list. According to https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-ext-info-00, that should be recognized no matter what position it appears at, but something seems to be stopping the server from sending the EXT_INFO message when AsyncSSH is connecting. Do you have a never version of the OpenSSH client you can try using (something that supports strict_kex, ideally) to see what happens?

Regarding the messages you saw, was that captured at debug level 3? I can't see how things could possibly proceed without MSG_NEWKEYS being sent in both directions before user auth begins. Can you try adding some additional debugging to see if it really is skipping that message in your tests? I can't reproduce that here, but I don't have the version of OpenSSH you're testing against.

I can imagine making AsyncSSH try out locally allowed sig algorithms even if it doesn't receive the server-sig-algs, but it seems like we should get to the bottom of why EXT_INFO is not being sent by the server. If the client really isn't sending NEWKEYS and trying to begin user auth, that would potentially explain EXT_INFO not showing up. That would definitely cause the handshake to fail, though, even if we did get it to use RSA SHA-2 algorithms, as the session would never switch to encrypting the packets.

[roel-gerrits]

The problem here is that it never tries the RSA SHA-2 algorithms even though they are in the local allowed sig algorithms, because it's not getting the list of allowed server sig algorithms for some reason.

Ok thanks for explaining!

Regarding the messages you saw, was that captured at debug level 3? I can't see how things could possibly proceed without MSG_NEWKEYS being sent in both directions before user auth begins. Can you try adding some additional debugging to see if it really is skipping that message in your tests? I can't reproduce that here, but I don't have the version of OpenSSH you're testing against.

My bad! My grep'ing accidentally left out some packets: These are the packets that are send/recvd by AsyncSSH

DEBUG:asyncssh:[conn=2, pktid=0] Sent MSG_KEXINIT (20), 3302 bytes
DEBUG:asyncssh:[conn=2, pktid=0] Received MSG_KEXINIT (20), 756 bytes
DEBUG:asyncssh:[conn=2, pktid=1] Sent MSG_KEX_ECDH_INIT (30), 138 bytes
DEBUG:asyncssh:[conn=2, pktid=1] Received MSG_KEX_ECDH_REPLY (31), 1213 bytes
DEBUG:asyncssh:[conn=2, pktid=2] Sent MSG_NEWKEYS (21), 1 byte
DEBUG:asyncssh:[conn=2, pktid=3] Sent MSG_SERVICE_REQUEST (5), 17 bytes
DEBUG:asyncssh:[conn=2, pktid=2] Received MSG_NEWKEYS (21), 1 byte
DEBUG:asyncssh:[conn=2, pktid=3] Received MSG_SERVICE_ACCEPT (6), 17 bytes
DEBUG:asyncssh:[conn=2, pktid=4] Sent MSG_IGNORE (2), 5 bytes
DEBUG:asyncssh:[conn=2, pktid=5] Sent MSG_USERAUTH_REQUEST (50), 34 bytes
DEBUG:asyncssh:[conn=2, pktid=4] Received MSG_USERAUTH_BANNER (53), 58 bytes
DEBUG:asyncssh:[conn=2, pktid=5] Received MSG_USERAUTH_FAILURE (51), 24 bytes
DEBUG:asyncssh:[conn=2, pktid=6] Sent MSG_IGNORE (2), 5 bytes
DEBUG:asyncssh:[conn=2, pktid=7] Sent MSG_USERAUTH_REQUEST (50), 590 bytes
DEBUG:asyncssh:[conn=2, pktid=6] Received MSG_USERAUTH_FAILURE (51), 24 bytes

So the NEWKEYS packets are actually there! Sorry for the confusion.

Looking at the differences now:

1. AsyncSSH is sending NEWKEYS and SERVICE_REQUEST in parallel. OpenSSH client sends them sequentially. I've no idea if this matters though.
2. AsyncSSH is sending a IGNORE, where OpenSSH doesnt, again, I've no idea if this is relevant.

[roel-gerrits]

For completeness: I've also tried connecting via the paramiko library, this also works, I've added some print()s to discover the packet flow when using that lib:

139655087969664 ### send_message() 20 kexinit
139655087969664 ### read_message() 20 kexinit
139655087969664 ### send_message() 30 kex30
139655087969664 ### read_message() 31 kex31
139655087969664 ### send_message() 21 newkeys
139655087969664 ### read_message() 21 newkeys
139655087969664 ### read_message() 7 ext-info
139655087969664 ### send_message() 5 service-request
139655087969664 ### read_message() 6 service-accept
139655087969664 ### send_message() 50 userauth-request
139655087969664 ### read_message() 53 userauth--banner
139655087969664 ### read_message() 52 userauth-success

[roel-gerrits]

I did some more digging. I used wireshark to capture traffic during a login session using OpenSSH client, paramiko, and AsyncSSH.

Observations:

1. The algorithms in de KEX INIT packets all differ a bit. The ones in the AsyncSSH look a bit 'strange': gss-curve25519-sha256-92scGTGZyysGniM+s/4xLA== (might be totally normal, I'm not an expert on ssh)
2. After KEX INIT both OpenSSH and paramiko clients choose to use Elliptic Curve Diffie-Hellman Key Exchange Init while AsyncSSH uses Diffie-Hellman Key Exchange Init

I don't know how the clients decide what key exchange to use. I also don't know if either one is good or bad.

Here are the decoded messages for each session: (note after the NEWKEYS packet the communication is encrypted and can thus not be decomposed by wireshark)

OpenSSH client:

CLIENT:
SSH Protocol
    Protocol: SSH-2.0-OpenSSH_8.0

SERVER:
SSH Protocol
    Protocol: SSH-2.0-OpenSSH_8.0

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 1364
        Padding Length: 11
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: 54391a98937b7f1158b5aff458dad1a0
                kex_algorithms length: 304
                kex_algorithms string [truncated]: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,di
                server_host_key_algorithms length: 358
                server_host_key_algorithms string [truncated]: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,r
                encryption_algorithms_client_to_server length: 119
                encryption_algorithms_client_to_server string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                encryption_algorithms_server_to_client length: 119
                encryption_algorithms_server_to_client string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                mac_algorithms_client_to_server length: 169
                mac_algorithms_client_to_server string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                mac_algorithms_server_to_client length: 169
                mac_algorithms_server_to_client string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                compression_algorithms_client_to_server length: 26
                compression_algorithms_client_to_server string: none,zlib@openssh.com,zlib
                compression_algorithms_server_to_client length: 26
                compression_algorithms_server_to_client string: none,zlib@openssh.com,zlib
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: 0000000000000000000000

SERVER:
SSH Protocol
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 764
        Padding Length: 7
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: a7d8b95c8053dae2145af9fe633f816c
                kex_algorithms length: 183
                kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
                server_host_key_algorithms length: 45
                server_host_key_algorithms string: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
                encryption_algorithms_client_to_server length: 89
                encryption_algorithms_client_to_server string: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                encryption_algorithms_server_to_client length: 89
                encryption_algorithms_server_to_client string: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                mac_algorithms_client_to_server length: 123
                mac_algorithms_client_to_server string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
                mac_algorithms_server_to_client length: 123
                mac_algorithms_server_to_client string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
                compression_algorithms_client_to_server length: 21
                compression_algorithms_client_to_server string: none,zlib@openssh.com
                compression_algorithms_server_to_client length: 21
                compression_algorithms_server_to_client string: none,zlib@openssh.com
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: 00000000000000

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 76
        Padding Length: 5
        Key Exchange
            Message Code: Elliptic Curve Diffie-Hellman Key Exchange Init (30)
            ECDH client's ephemeral public key length: 65
            ECDH client's ephemeral public key (Q_C): 043470e85bc7f8eeb7fa7bc0e0997ea9d8cd0bdc9ece50f2...
            Padding String: 0000000000


SERVER:
SSH Protocol
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 292
        Padding Length: 10
        Key Exchange
            Message Code: Elliptic Curve Diffie-Hellman Key Exchange Reply (31)
            KEX host key (type: ecdsa-sha2-nistp256)
            ECDH server's ephemeral public key length: 65
            ECDH server's ephemeral public key (Q_S): 04a4bf77d0bacfc9ee04e25368fc5e18caebb4b87c85db9c...
            KEX H signature length: 99
            KEX H signature: 0000001365636473612d736861322d6e6973747032353600...
            Padding String: 00000000000000000000
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: 00000000000000000000
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 160
        Encrypted Packet: 4524afab5a36d1000a8e2d8404796ec87084fab46e93638a...
        MAC: c6c7360ce6bb352da49b95e729b3c3b4

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes256-gcm@openssh.com mac:<implicit> compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: 00000000000000000000

Paramiko:

CLIENT:
SSH Protocol
    Protocol: SSH-2.0-paramiko_3.5.1

SERVER:
SSH Protocol
    Protocol: SSH-2.0-OpenSSH_8.0

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 1284
        Padding Length: 4
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: 232e1becabf794a5a1c7c8efab338937
                kex_algorithms length: 312
                kex_algorithms string [truncated]: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group
                server_host_key_algorithms length: 395
                server_host_key_algorithms string [truncated]: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecd
                encryption_algorithms_client_to_server length: 120
                encryption_algorithms_client_to_server string: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
                encryption_algorithms_server_to_client length: 120
                encryption_algorithms_server_to_client string: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
                mac_algorithms_client_to_server length: 131
                mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
                mac_algorithms_server_to_client length: 131
                mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
                compression_algorithms_client_to_server length: 4
                compression_algorithms_client_to_server string: none
                compression_algorithms_server_to_client length: 4
                compression_algorithms_server_to_client string: none
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: 00000000

SERVER:
SSH Protocol
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 1036
        Padding Length: 9
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: 913a3ec6101f6f81c9ed34cebe179e12
                kex_algorithms length: 293
                kex_algorithms string [truncated]: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,di
                server_host_key_algorithms length: 53
                server_host_key_algorithms string: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
                encryption_algorithms_client_to_server length: 119
                encryption_algorithms_client_to_server string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                encryption_algorithms_server_to_client length: 119
                encryption_algorithms_server_to_client string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                mac_algorithms_client_to_server length: 169
                mac_algorithms_client_to_server string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                mac_algorithms_server_to_client length: 169
                mac_algorithms_server_to_client string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                compression_algorithms_client_to_server length: 21
                compression_algorithms_client_to_server string: none,zlib@openssh.com
                compression_algorithms_server_to_client length: 21
                compression_algorithms_server_to_client string: none,zlib@openssh.com
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: 000000000000000000

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 44
        Padding Length: 6
        Key Exchange
            Message Code: Elliptic Curve Diffie-Hellman Key Exchange Init (30)
            ECDH client's ephemeral public key length: 32
            ECDH client's ephemeral public key (Q_C): 19dcea57fabff064db72e7f9ec3ac4d8da65d2348efed451...
            Padding String: 000000000000

SERVER:
SSH Protocol
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 260
        Padding Length: 10
        Key Exchange
            Message Code: Elliptic Curve Diffie-Hellman Key Exchange Reply (31)
            KEX host key (type: ecdsa-sha2-nistp256)
            ECDH server's ephemeral public key length: 32
            ECDH server's ephemeral public key (Q_S): 079f468bec06f7926f81307744e373466b1d6d1ace627ac1...
            KEX H signature length: 100
            KEX H signature: 0000001365636473612d736861322d6e6973747032353600...
            Padding String: 00000000000000000000
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: 00000000000000000000
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length (encrypted): ca9bdbdc
        Encrypted Packet: 46417998f9cf8ff9adef98d1c15f3230ffa89779444171f0...
        MAC: c4d3b4efcd33c3f65e84916d98c85db93d84f024c156b0f6...


CLIENT:
SSH Protocol
    SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: 00000000000000000000

and AsyncSSH:

CLIENT:
SSH Protocol
    Protocol: SSH-2.0-AsyncSSH_2.21.0

SERVER:
SSH Protocol
    Protocol: SSH-2.0-OpenSSH_8.0

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 3308
        Padding Length: 5
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: bf27a616f5ba4132281874204a52e8b4
                kex_algorithms length: 1606
                kex_algorithms string [truncated]: gss-curve25519-sha256-92scGTGZyysGniM+s/4xLA==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve448-sha512-92scGTGZyysGniM+s/4xLA==,gss-curve448-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp521-sha512
                server_host_key_algorithms length: 746
                server_host_key_algorithms string [truncated]: rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-ce
                encryption_algorithms_client_to_server length: 108
                encryption_algorithms_client_to_server string: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                encryption_algorithms_server_to_client length: 108
                encryption_algorithms_server_to_client string: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                mac_algorithms_client_to_server length: 315
                mac_algorithms_client_to_server string [truncated]: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-
                mac_algorithms_server_to_client length: 315
                mac_algorithms_server_to_client string [truncated]: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-
                compression_algorithms_client_to_server length: 21
                compression_algorithms_client_to_server string: none,zlib@openssh.com
                compression_algorithms_server_to_client length: 21
                compression_algorithms_server_to_client string: none,zlib@openssh.com
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: ffd8d7f161

SERVER:
SSH Protocol
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 1036
        Padding Length: 9
        Key Exchange
            Message Code: Key Exchange Init (20)
            Algorithms
                Cookie: 396d2ababa999fa9eee72daedc048da7
                kex_algorithms length: 293
                kex_algorithms string [truncated]: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,di
                server_host_key_algorithms length: 53
                server_host_key_algorithms string: ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
                encryption_algorithms_client_to_server length: 119
                encryption_algorithms_client_to_server string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                encryption_algorithms_server_to_client length: 119
                encryption_algorithms_server_to_client string: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
                mac_algorithms_client_to_server length: 169
                mac_algorithms_client_to_server string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                mac_algorithms_server_to_client length: 169
                mac_algorithms_server_to_client string: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
                compression_algorithms_client_to_server length: 21
                compression_algorithms_client_to_server string: none,zlib@openssh.com
                compression_algorithms_server_to_client length: 21
                compression_algorithms_server_to_client string: none,zlib@openssh.com
                languages_client_to_server length: 0
                languages_client_to_server string: [Empty]
                languages_server_to_client length: 0
                languages_server_to_client string: [Empty]
                First KEX Packet Follows: 0
                Reserved: 00000000
            Padding String: 000000000000000000

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 44
        Padding Length: 6
        Key Exchange
            Message Code: Diffie-Hellman Key Exchange Init (30)
            Multi Precision Integer Length: 32
            DH client e: 1420cbe3fb7b9c8ed6af27465d6eff467a7aaf272d66ded2...
            Padding String: 047bbe5ecda9

SERVER:
SSH Protocol
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 868
        Padding Length: 11
        Key Exchange
            Message Code: Diffie-Hellman Key Exchange Reply (31)
            KEX host key (type: ssh-rsa)
            Multi Precision Integer Length: 32
            DH server f: 5064f7a8e5f9819d39281c84cd9639524c9ed5f9da63c88d...
            KEX H signature length: 404
            KEX H signature: 0000000c7273612d736861322d323536000001800babb93e...
            Padding String: 0000000000000000000000
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: 00000000000000000000

CLIENT:
SSH Protocol
    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
        Packet Length: 12
        Padding Length: 10
        Key Exchange
            Message Code: New Keys (21)
            Padding String: c9c1d101e608e613cb4a

[ronf]

Thanks for confirming that the NEWKEYS message is present. I don't think the other differences you saw are relevant to not sending the EXT_INFO, but it is possible that an IGNORE in the wrong place can cause problems for some other SSH implementations. I've had to work around this before.

My current guess is that OpenSSH is hitting a maximum buffer size for the key exchange algorithm list being sent by AsyncSSH. I seem to recall dropbear had an issue with this, and there may also be an issue with older versions of OpenSSH.

If you pass in kex_algs="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", does it make a difference? It looks like the default kex list AsyncSSH is sending can be as much as 1600 bytes, which may be overflowing a buffer. There's evidence of that in one of your decoded packets, too:

                kex_algorithms length: 304
                kex_algorithms string [truncated]: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,di

I'm not sure if this truncation is in the decoding tool or not, but if there is a limit in OpenSSH itself, it may prevent it from seeing the ext-info-c toward the end, and that would explain why it isn't sending the server-sig-algs.

[roel-gerrits]

If you pass in kex_algs="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", does it make a difference?

This works!

The weird thing is however: When I pass in those kex_algs manually, it works. But when I record the packets in wireshark, They look excactly the same... I would expect the kex_algorithms string in the KEX_INIT packet to be shorter, but it is same length as in the previous recording. Or am I looking at the wrong fields? Nevermind, I think I'm looking at wrong recordings.

There's evidence of that in one of your decoded packets, too:

                kex_algorithms length: 304
                kex_algorithms string [truncated]: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,di

I'm not sure if this truncation is in the decoding tool or not, but if there is a limit in OpenSSH itself, it may prevent it from seeing the ext-info-c toward the end, and that would explain why it isn't sending the server-sig-algs.

The truncation is actually done by wireshark.

[ronf]

I pulled that list from the one being sent by the OpenSSH server. When that is set, you should see a shorter version of the key exchange algs item in the client's KEXINIT, matching in this case what the server was previously sending.

Regarding the "gss-" entries, those are normal. They are used for GSSAPI key exchange and the weird looking value is a BASE64 encoded version of which GSS algorithm is supported (Kerberos, in this case). You can set gss_host=None if you want to disable GSS, which may be another way to shorten the key exchange list, though I don't know if that'll be enough to make the older OpenSSH server happy.

Note: You can shorten the manual list quite a bit more if you know what algorithm you want to use. It could even just be a single entry, as long as it's one that both the client and server support.

[roel-gerrits]

Just thinking: Could the fact that the connection is tunneled over (2) other ssh connections be of relevance here? Are packet sizes limited because of them being piped over a tunnel?

I've done a test with a different ssh server (but same OpenSSH version) and that one is working just fine. I'll also try to do some tests on the problematic ssh sever without using a tunnel (but I've to get a working python environment on there first).

Another observation:

Changing these lines (in https://github.com/ronf/asyncssh/blob/develop/asyncssh/connection.py#L1840):
from

        kex_algs = expand_kex_algs(self._kex_algs, gss_mechs,
                                   bool(self._server_host_key_algs)) + \
                   self._get_extra_kex_algs()

to

        kex_algs = self._get_extra_kex_algs() + expand_kex_algs(self._kex_algs, gss_mechs,
                                   bool(self._server_host_key_algs))

Also fixes the issue. Confirming your earlier thought about ext-info-c being 'too far in the back'

[ronf]

No - if the initial connection is opened successfully enough to even attempt running an SSH tunnel over it, that shouldn't really have any effect on the tunneled connection's key exchange or authentication.

Do you see any difference in the set of algorithms listed in the client's KEXINIT between the working and non-working cases? Do you see an EXT_INFO coming from the server in the working case? Are there any other noticeable differences?

Thanks for the confirmation on the ext-info-c positioning! Unfortunately, that suggests that it will be difficult to provide an "automatic" fix. The caller can choose to reduce the set of offered kex algorithms as a way to work around the limited buffer size on OpenSSH (which I think was increased in later versions), but I don't think it would make sense to change the default here, and I'd be a bit nervous trying to do something like re-ordering ext-info-c to be first, as there may be some SSH servers that aren't designed to handle that properly. Since the OpenSSH server version is pretty old here, I think your best bet is probably to specify a smaller set of kex_algs in your client, or maybe disable GSS if that's enough to get things to work.