OpenSSH 7.8 client cannot authenticate against sshd from OpenSSH <7.8 with RSA certificates

Originator: akgood
Number: rdar://45711851
Date Originated: 10/31/2018
Status: Duplicate/45769139
Resolved: 11/7/2018
Product: macOS + SDK
Product Version:
Classification:
Reproducible:
 
Summary: 

This is an upstream bug in OpenSSH itself. As per the release notes (https://www.openssh.com/releasenotes.html), it was introduced in 7.8 and fixed in 7.9:

>  * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
>   key authentication using certificates hosted in a ssh-agent(1)
>   or against sshd(8) from OpenSSH <7.8.

It appears that the specific fix for this issue was https://github.com/openssh/openssh-portable/commit/1a4a9cf80f5b92b9d1dadd0bfa8867c04d195391

Steps to Reproduce:

1. Generate a ssh certificate authority keypair:

$ ssh-keygen -N '' -C ca_key -f ca_key

2. Configure a server running an older version of OpenSSH (for example, CentOS 7, which distributes OpenSSH 7.4p1) to trust that certificate authority for user logins. For example, edit a user's ~/.ssh/authorized_keys file to contain a line like:

cert-authority ssh-rsa AAAA...

(where the "ssh-rsa AAAA..." string is the contents of ca_key.pub, created in step 1)

3. Use the CA key to sign a user key; for example:

$ ssh-keygen -N '' -C user_key -f user_key
$ ssh-keygen -s ca_key -I user_cert user_key.pub

4. Attempt to connect to the remote host using the certificate:

$ ssh -v -i user_key remote_user@server.hostname.com
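The names that matter when the client and an older sshd settle on a signature algorithm are the certificate's key type, the CA key type and the algorithm the CA signed with. As an added example (not part of this report or of OpenSSH), the script below parses an RSA user certificate like the user_key-cert.pub produced in step 3 and reports those fields, following the public PROTOCOL.certkeys layout; it does not verify the signature, and the sample certificate is constructed inline with dummy key material so it runs offline.

```python
# Added example (not part of the bug report): parse an OpenSSH RSA user certificate such as the
# user_key-cert.pub from step 3, per PROTOCOL.certkeys. No signature check; sample is constructed.
import base64, struct

def _string(b):                       # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_rsa_cert(line):
    """Parse one 'type base64 comment' line of an ssh-rsa-cert-v01@openssh.com cert."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    certtype, off = _read_string(blob, 0)
    if certtype != keytype.encode() or certtype != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    for _ in range(3):                # nonce, mpint e, mpint n
        _, off = _read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _read_string(blob, off + 12)
    plist, off = _read_string(blob, off)      # nested list of principal strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    off += 16
    for _ in range(3):                # critical options, extensions, reserved
        _, off = _read_string(blob, off)
    ca_key, off = _read_string(blob, off)
    signature, off = _read_string(blob, off)
    ca_type, _ = _read_string(ca_key, 0)      # CA key type, e.g. ssh-rsa
    sig_alg, _ = _read_string(signature, 0)   # algorithm the CA signed with
    return {"cert_type": certtype.decode(), "serial": serial, "user_cert": ctype == 1,
            "key_id": key_id.decode(), "principals": principals, "valid_after": after,
            "valid_before": before, "ca_key_type": ca_type.decode(),
            "signature_alg": sig_alg.decode()}

def build_sample_cert(sig_alg="rsa-sha2-512"):
    """Constructed sample shaped like 'ssh-keygen -s ca_key -I user_cert' output."""
    mpint = lambda v: _string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    ca_key = _string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE)        # dummy CA key
    body = (_string(b"ssh-rsa-cert-v01@openssh.com") + _string(b"\x00" * 32)   # nonce
            + mpint(65537) + mpint(0xDEADBEEF) + struct.pack(">QI", 0, 1)     # user cert
            + _string(b"user_cert") + _string(_string(b"remote_user"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _string(b"") * 3 + _string(ca_key)
            + _string(_string(sig_alg.encode()) + _string(b"\x00" * 256)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " user_key"
```

Point parse_rsa_cert at the first line of a real user_key-cert.pub to see which signature algorithm your CA actually used.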

Expected Results: SSH pubkey authentication succeeds

Actual Results: SSH pubkey authentication fails. With verbose logging enabled, you see the following message:

debug1: send_pubkey_test: no mutual signature algorithm

Version/Build:

OS X 10.14.1
OpenSSH_7.8p1, LibreSSL 2.7.3
