Problems connecting with ed25519 key

[pizkaz]

Hello there!

First of all: Thanks for the great work!

I have a question: I created an authorized_keys file in the well-known format and wrote it to the SshDaemon directory. According to ADB the keys are also read successfully.
When trying to connect, I get the following stacktrace (some and authentication falls back to keyboard-interactive:

04-05 12:25:52.185 24361 29871 I System.out: 3441394 [sshd-SshServer[d4e6183](port=2222)-nio2-thread-3] WARN org.apache.sshd.server.session.ServerUserAuthService  - handleUserAuthRequestMessage(ServerSessionImpl[null@/10.2.0.2:45410]) Failed (SshException) to authenticate using factory method=publickey: EdDSA provider not supported
04-05 12:25:52.185 24361 29871 I System.out: org.apache.sshd.common.SshException: EdDSA provider not supported
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.util.buffer.Buffer.getRawPublicKey(SourceFile:2)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.util.buffer.Buffer.getRawPublicKey(SourceFile:1)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.server.auth.pubkey.UserAuthPublicKey.doAuth(Unknown Source:55)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.server.auth.AbstractUserAuth.auth(Unknown Source:14)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.server.session.ServerUserAuthService.handleUserAuthRequestMessage(Unknown Source:533)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.server.session.ServerUserAuthService.process(Unknown Source:24)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.CurrentService.process(Unknown Source:6)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(Unknown Source:83)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.lambda$handleMessage$0(Unknown Source:0)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.d0(Unknown Source:0)
04-05 12:25:52.185 24361 29871 I System.out: 	at e5.a.call(Unknown Source:23)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.util.threads.ThreadUtils.runAsInternal(SourceFile:2)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(Unknown Source:6)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.decode(Unknown Source:433)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(Unknown Source:29)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(Unknown Source:4)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Unknown Source:66)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(SourceFile:1)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(SourceFile:2)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Unknown Source:0)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.a(Unknown Source:0)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.a.run(Unknown Source:19)
04-05 12:25:52.185 24361 29871 I System.out: 	at java.security.AccessController.doPrivileged(AccessController.java:43)
04-05 12:25:52.185 24361 29871 I System.out: 	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Unknown Source:5)
04-05 12:25:52.185 24361 29871 I System.out: 	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
04-05 12:25:52.185 24361 29871 I System.out: 	at sun.nio.ch.Invoker$2.run(Invoker.java:221)
04-05 12:25:52.185 24361 29871 I System.out: 	at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
04-05 12:25:52.185 24361 29871 I System.out: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
04-05 12:25:52.186 24361 29871 I System.out: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
04-05 12:25:52.186 24361 29871 I System.out: 	at java.lang.Thread.run(Thread.java:1012)
04-05 12:25:52.186 24361 29871 I System.out: Caused by: java.security.NoSuchAlgorithmException: EdDSA provider not supported
04-05 12:25:52.186 24361 29871 I System.out: 	at org.apache.sshd.common.util.security.SecurityUtils.generateEDDSAPublicKey(Unknown Source:23)
04-05 12:25:52.186 24361 29871 I System.out: 	at org.apache.sshd.common.util.buffer.keys.ED25519BufferPublicKeyParser.getRawPublicKey(Unknown Source:13)
04-05 12:25:52.186 24361 29871 I System.out: 	at org.apache.sshd.common.util.buffer.keys.BufferPublicKeyParser$2.getRawPublicKey(Unknown Source:24)
04-05 12:25:52.186 24361 29871 I System.out: 	... 30 more

Also: Why do I see this message 122 times per connection attempt? 😨
The app seems to read the authorized_keys file 21 times as well during startup:

$ adb logcat | grep authorized_keys
04-05 12:51:58.676 31433 31433 I System.out: 307 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.676 31433 31433 I System.out: 307 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.676 31433 31433 I System.out: 307 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.890 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:58.891 31433 31433 I System.out: 522 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.059 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.059 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys
04-05 12:51:59.060 31433 31433 I System.out: 691 [main] DEBUG a3.a  - Try to add authorized key file /storage/emulated/0/SshDaemon/authorized_keys

Am I mis-reading the logs?

[jazzm0]

Hi, the keys are loaded several times, because their existence/absence will enable/disable certain UI features. Whenever the UI state changes the keys are re-read, so far so good. To be able to re-create your scenario it would be useful to have similar keys to yours, so I would need the command used to generate the keys.

[pizkaz]

Wow, thanks for the blazing fast response!

The keys were created with ssh-keygen -t ed25519 and a password but that should be irrelevant.

[jazzm0]

authorized_keys.txt
id_ed25519.txt

Hi, I've generated the following keypair:

• private: id_ed25519 (remove the txt extension and copy to your .ssh folder)
• public: authorized_keys.txt (remove the txt extension and copy to your device's SshDaemon folder)

If the key is successfully loaded the key icon is not strike-through, and the switch to disable password authentication is enabled. I tried exatly this setup, and it worked ...

[Strahinja]

SshDaemon seems to not accept comments in the authorized_keys file. When I removed all the comments from that file, it "worked", in the sense that the key icon is not crossed, and tapping it gives a small notification pop-up "Public key authentication enabled". However, when I try to connect to the server, my publickey authentication is rejected. I use the following command to connect:

ssh -vvvp8022 -i ~/.ssh/id_ed25519-mobile -o IdentitiesOnly=yes -F /dev/null myuser@192.168.0.X

where X is the last number from the IP address. I get, among other log lines:

debug1: Offering public key: /home/myuser/.ssh/id_ed25519-mobile ED25519 SHA256:<snip> explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint

and then it tries password, which I disabled in SshDaemon, and fails.

The key was generated using the command:

$ ssh-keygen -t ed25519 -v -f /home/myuser/.ssh/id_ed25519-mobile

in OpenBSD-release 7.5.

[jazzm0]

Can you please try with the above public/private key?

[Strahinja]

Can you please try with the above public/private key?

I just tried using the keys you provided, and I can't connect. I'm getting what seem to be the same log messages as when I'm using my keys, ie:

debug1: Will attempt key: /home/myuser/.ssh/id_test ED25519 SHA256:aaRyxhUfyBB3DI8eUUlQsMOSV1F5+zSTqgIr9+WeD/k explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /home/myuser/.ssh/id_test ED25519 SHA256:aaRyxhUfyBB3DI8eUUlQsMOSV1F5+zSTqgIr9+WeD/k explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,publickey
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
myuser@192.168.0.X: Permission denied (keyboard-interactive,publickey).

A bit more context: my phone is Honor X6a (Android 13), I installed SshDaemon 2.1.17 from F-Droid.

[jazzm0]

Hmm, this is weird, when I try the above I get
debug1: get_agent_identities: bound agent to hostkey debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities debug1: Will attempt key: id_ed25519 ED25519 SHA256:iJnY7QcG1q2WNCwEHOVR3z3QCGptk8YHT/8q2/jO90g explicit debug2: pubkey_prepare: done debug1: Offering public key: id_ed25519 ED25519 SHA256:iJnY7QcG1q2WNCwEHOVR3z3QCGptk8YHT/8q2/jO90g explicit debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 60 debug1: Server accepts key: id_ed25519 ED25519 SHA256:iJnY7QcG1q2WNCwEHOVR3z3QCGptk8YHT/8q2/jO90g explicit debug3: sign_and_send_pubkey: using publickey with ED25519 SHA256:iJnY7QcG1q2WNCwEHOVR3z3QCGptk8YHT/8q2/jO90g debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:iJnY7QcG1q2WNCwEHOVR3z3QCGptk8YHT/8q2/jO90g debug3: send packet: type 50 debug3: receive packet: type 52 Authenticated to 127.0.0.1 ([127.0.0.1]:8022) using "publickey".

Then I get an interactive shell. I also disabled password authentication, just like you. Looks like it's a phone specific issue. I hope you understand, that I will close this ticket, as I can't fix device specific issues.

Kind Regards

[tenzap]

I also had problems with an ed25519 key.
I finally switched to an rsa key and it worked.

sshDaemon: v2.1.19 from f-droid.
Device: Xiaomi redmi note 9S, android 12

[jazzm0]

I just tried again with my own ED25519 256 key. It works as described. There are also tests to verify, that it's working, please have a look at https://github.com/jazzm0/ssh-daemon/blob/master/app/src/test/resources/authorized_keys#L3

[jech]

I can confirm the issue: need to use a password when using an ED25519 key, but works fine with an RSA key.

According to this stackoverflow post, this is a known issue and fixing it requires adding a dependency on net.i2p.crypto.

@jazzm0, perhaps you could reopen the issue? Even if you're not planning to work on it, having the issue open will make life easier for people who are trying to troubleshoot.