aad_certhandler: The public key is of type ssh-rsa, not a certificate.
June 6, 2023
Problem:
I am currently experiencing difficulty connecting to the Azure VM using AD authentication. I am receiving an error message that states:
~ az ssh vm -n rac1 -g marirac
OpenSSH_9.0p1, LibreSSL 3.3.6
...: Permission denied (publickey).
The OpenSSH server version in the target VM 7.4 is too old. Version incompatible with OpenSSH client version 9.0. Refer to https://bugzilla.mindrot.org/show_bug.cgi?id=3351 for more information.
When I check the /var/log/secure log on the server side, it shows:
Jun 6 16:49:54 rac1 sshd[27249]: Connection closed by ... port 51572 [preauth]
Jun 6 16:54:44 rac1 sshd[31386]: nss_aad: This is an Azure machine
Jun 6 16:54:44 rac1 aad_certhandler[31393]: Version: 1.0.022600002; user: ...
Jun 6 16:54:44 rac1 aad_certhandler[31393]: The public key is of type ssh-rsa, not a certificate.
Jun 6 16:54:44 rac1 sshd[31386]: error: AuthorizedKeysCommand /usr/sbin/aad_certhandler ...
Jun 6 16:54:44 rac1 sshd[31386]: Connection closed by ... port 52092 [preauth]
I have intentionally redacted certain portions of the information for security reasons, although errors are still apparent.
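To see which accounts and clients are hitting this rejection on a VM, the log pattern above can be searched for directly. The following Python script is an added example, not part of the original post or of Azure's tooling; its sample lines are constructed from the excerpt above (placeholder user and client address), and pairing a rejection with the next preauth close on the same host is a heuristic assumption.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpt above; the user
# name and client addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
Jun  6 16:54:44 rac1 sshd[31386]: nss_aad: This is an Azure machine
Jun  6 16:54:44 rac1 aad_certhandler[31393]: Version: 1.0.022600002; user: user@example.com
Jun  6 16:54:44 rac1 aad_certhandler[31393]: The public key is of type ssh-rsa, not a certificate.
Jun  6 16:54:44 rac1 sshd[31386]: error: AuthorizedKeysCommand /usr/sbin/aad_certhandler ...
Jun  6 16:54:44 rac1 sshd[31386]: Connection closed by 192.0.2.10 port 52092 [preauth]
Jun  6 17:02:10 rac1 sshd[31990]: Connection closed by 192.0.2.11 port 52110 [preauth]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
KEYTYPE = re.compile(r"The public key is of type (\S+), not a certificate")
CLOSED = re.compile(r"Connection closed by (\S+) port (\d+)")

def find_cert_mismatches(lines):
    """Return one record per aad_certhandler 'not a certificate' rejection."""
    users = {}    # (host, aad_certhandler pid) -> user from its 'Version:' line
    pending = {}  # host -> rejections still waiting for sshd's close line
    found = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when, host, prog, pid, msg = m.groups()
        if prog == "aad_certhandler":
            if "user: " in msg:
                users[(host, pid)] = msg.split("user: ", 1)[1].strip()
            k = KEYTYPE.search(msg)
            if k:
                rec = {"time": when, "host": host, "offered": k.group(1),
                       "user": users.get((host, pid)), "client": None}
                found.append(rec)
                pending.setdefault(host, []).append(rec)
        elif prog == "sshd" and pending.get(host):
            c = CLOSED.search(msg)
            if c:
                # Heuristic: the next preauth close on this host is the rejected client.
                pending[host].pop(0)["client"] = f"{c.group(1)}:{c.group(2)}"
    return found

if __name__ == "__main__":
    for rec in find_cert_mismatches(SAMPLE_LOG.splitlines()):
        print(rec)
```

On a busy host with concurrent logins the client pairing can be wrong, so treat the `client` field as a hint and confirm against the full sshd session lines.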
Troubleshooting:
Client and server versions are different:
Server:
[root@rac1 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Client:
~ ssh -V
OpenSSH_9.0p1, LibreSSL 3.3.6
Workaround:
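Pass the following option through to ssh when using az ssh (everything after -- is handed to the ssh client). The leading + appends ssh-rsa-cert-v01@openssh.com to the client's default accepted key types, and because it is given on the command line it applies to this connection only: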
Command:
~ az ssh vm -n rac1 -g marirac -- -o PubkeyAcceptedKeyTypes=+ssh-rsa-cert-v01@openssh.com