I've gone through the standard setup in the instructions to get a SSH tunnel running for a connection to PostgreSQL. I've run into the following issue
When retool makes the ssh login to my EC2 instance running Amazon's AMI, I get the following error:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
I have modified /etc/ssh/sshd_config to include
PubkeyAcceptedAlgorithms=+ssh-rsa
I have verified this via
[root@]# ssh -Q PubkeyAcceptedAlgorithms
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa <-
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
How can I get the tunnel to work?
Other things I've checked:
Permissions on the /home/retool, .ssh and authorized_keys files/dirs.
Below is the full, debug handshake of Retool trying to log into
1: Forked child 8853.
1: Set /proc/self/oom_score_adj to 0
1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10
1: inetd sockets after dupping: 5, 5
Mar 29 21:16:12 <some secret ip>sshd[8853]: Connection from 35.90.103.133 port 12474 on 172.17.3.110 port 22 rdomain ""
1: Local version string SSH-2.0-OpenSSH_8.7
1: Remote protocol version 2.0, remote software version ssh2js1.4.0
1: compat_banner: no match: ssh2js1.4.0
1: SELinux support enabled [preauth]
1: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
1: permanently_set_uid: 74/74 [preauth]
1: list_hostkey_types: ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
1: SSH2_MSG_KEXINIT sent [preauth]
1: SSH2_MSG_KEXINIT received [preauth]
1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
1: kex: host key algorithm: ssh-ed25519 [preauth]
1: kex: client->server cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
1: kex: server->client cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 [preauth]
1: kex: curve25519-sha256@libssh.org need=16 dh_need=16 [preauth]
1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
1: rekey out after 4294967296 blocks [preauth]
1: SSH2_MSG_NEWKEYS sent [preauth]
1: expecting SSH2_MSG_NEWKEYS [preauth]
1: SSH2_MSG_NEWKEYS received [preauth]
1: rekey in after 4294967296 blocks [preauth]
1: KEX done [preauth]
1: userauth-request for user retool service ssh-connection method none [preauth]
1: attempt 0 failures 0 [preauth]
1: PAM: initializing for "retool"
1: PAM: setting PAM_RHOST to "35.90.103.133"
1: PAM: setting PAM_TTY to "ssh"
1: userauth-request for user retool service ssh-connection method publickey [preauth]
1: attempt 1 failures 0 [preauth]
Mar 29 21:16:12 <some secret ip>sshd[8853]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] <- broken
1: userauth-request for user retool service ssh-connection method keyboard-interactive [preauth]
1: attempt 2 failures 1 [preauth]
Mar 29 21:16:12 <some secret ip>sshd[8853]: Received disconnect from 35.90.103.133 port 12474:11: [preauth]
Mar 29 21:16:12 <some secret ip>sshd[8853]: Disconnected from authenticating user retool 35.90.103.133 port 12474 [preauth]
1: do_cleanup [preauth]
1: monitor_read_log: child log fd closed
1: do_cleanup
1: PAM: cleanup
1: Killing privsep child 8854
