Devolutions ForumDevolutions Forum

RDM Windows doest not support SSH certificate based authentication

RDM Windows doest not support SSH certificate based authentication

avatar
pirate585

RDM windows version: 2024.3.22.0 64-bit

Problem: after setup SSH based authentication on Ubuntu 22.04, I can use open-ssh client with the private key to login, but I cannot do the same on RDM windows.

Steps to reproduce the issue

  1. provision a Ubuntu 22.04
  2. follow the steps in https://goteleport.com/blog/how-to-configure-ssh-certificate-based-authentication/ to setup SSH based authentication on the Ubuntu server. (I dont use host_ca to reduce complexity)
    1. on Ubuntu server
      1. generate user_ca keypair: ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
      2. generate user keypair: ssh-keygen -f honda -b 4096 -t rsa
      3. sign honda.pub by user_ca private key: ssh-keygen -s user_ca -I honda@goteleport.com -n honda -V +4w honda.pub
      4. create user "honda" and lock password: useradd -m honda && passwd -l honda
      5. cp user_ca.pub to /etc/ssh
      6. config ssh server: add TrustedUserCAKeys /etc/ssh/user_ca.pub to /etc/ssh/sshd_config and restart sshd
    2. on SSH client (another Ubuntu server) to test login by ssh client
      1. mkdir ~/.ssh
      2. cp user keypair (honda, honda.pub and honda-cert.pub) to ~/.ssh
      3. test login: ssh honda@ubuntu_server -i ~/.ssh/honda
      4. result: pub key auth success
    3. on RDM windows
      1. create SSH key entry by importing the user private key (honda)
      2. create SSH terminal for the Ubuntu server and use the SSH key entry to login
      3. result: pub key auth failure


from what I observed, ssh client uses both user private key (honda) and signed user pub key (honda-cert.pub) for ssh key auth, but RDM didnt use signed user pub key so RDM fails to pass key auth.

Maybe you can help on this matter. Thanks for your support.

Regards,
Eric

avatar
Carl Marien

Recommended Answer

Hello,

Thank you for your patience.

The latest version of RDM includes a fix for your issue.
Could you please test if the issue persists in this version?

Best regards,

Carl Marien

All Comments (13)

avatar
pirate585

additional info, if I do the following steps
on Ubuntu server

  1. mkdir /home/honda/.ssh
  2. touch /home/honda/.ssh/authorized_keys
  3. cat honda.pub >> /home/honda/.ssh/authorized_keys


then RDM can do pub key auth, but that means SSH certificate based auth is not used.

avatar
Carl Marien

Hello,

Thank you for reaching out to Devolutions Support.

Could you please let us know the data source you are using, as well as the version you are currently on?

Additionally, could you try setting the SSH key directly in the entry within RDM ( embedded data ), instead of using the file on your computer, and check if the issue persists?

Best regards,

Carl Marien

avatar
pirate585

Hi Carl,

RDM windows version: 2024.3.22.0 64-bit
the data source: Devolutions Hub Personal.

I tried SSH Key (Credential) and SSH Key (embedded data) and both methods failed.

Best regards,
Eric

avatar
Carl Marien

Hello

After conducting further research, I wanted to confirm if both of the following key files are stored correctly in the entry:

- The public key should be stored in the general section of the SSH entry.



- The private key should be stored in the SSH key section.



Could you please confirm if this is the correct configuration?

Best regards,

Carl Marien

private key.png

public key.png

avatar
pirate585

hmm...maybe we have a misunderstanding.
On RDM, SSH public key authentication works well and no issue at all. The problem is when the host server switching to SSH certificate based authentication, RDM will fail to authenticate.
for SSH certificate based authentication to work, aside public key and private key, it also required the signed public key. This is what RDM not supported yet. In the example of this post, the private key file is honda, the public key is honda.pub and the signed public key is honda-cert.pub

avatar
Carl Marien

Hello,

Apologies for the misunderstanding. In this case, would it be possible for you to send us the SSH logs with a verbose level set to 2? You can follow the steps outlined in this documentation to do so: https://docs.devolutions.net/rdm/kb/how-to-articles/send-ssh-logs-verbose/.

When sending the email, please include the link to this forum for reference.

Best regards,

Carl Marien

avatar
pirate585

Hi Carl,

I've email the logs to service@devolutions.net.

Best regards,
Eric

avatar
Carl Marien

Hello

Thank you for sharing the logs. Based on the information provided, it seems the issue might be due to the absence of the private key in the entry. Could you kindly double-check if the SSH key is configured correctly on your end?

I suspect the SSH key entry type might be set as "embedded data," but the private key may not have been pasted in. Could you confirm if this is the case?

Once the SSH key is verified, could you also check the certificate tab to ensure the certificate is properly configured?

Best regards,

Carl Marien

avatar
pirate585

Hi Carl,

SSH key on RDM is configured correctly. I tested with public key authentication and it works. Here're the tests I had done previously.

  1. on the SSH server, setup public key authentication (add my public key to ~/.ssh/authorized_keys). On RDM, setup SSH key (credential) entry with my private/public keys and use it to connect to the SSH server. The result is public key authentication passed and worked.
  2. on the same SSH server, remove public key authentication (delete my public key from ~/.ssh/authorized_keys) and setup SSH certificated based authentication (see 1F of this post). On RDM, use the same SSH key (credential) entry in the previous step to connect to the SSH server. The login result is failure.


The private key is correctly configured.
757f6e1b-c8e6-4986-aa92-d6c8eeff1627716b1c92-d2f9-4806-a110-2df2f7ad26b6
quote "Once the SSH key is verified, could you also check the certificate tab to ensure the certificate is properly configured?"
In SSH key entry, there is no certificate tab nor a field to store signed public key (honda-cert.pub) which is needed key for SSH certificate based authentication.
I do not use SSH key tab in the SSH terminal entry. Since you mentioned certificate tab in SSH key tab in SSH terminal entry, so I give it a try. The result is negative. It didnt work for SSH certificate based authentication.

If you got an opportunity to provision a Ubuntu 22.04 or 24.04 VM, you can try the steps in 1F of this post. It's easy and straightforward to setup SSH certificate based authentication.

Best regards,
Eric

716b1c92-d2f9-4806-a110-2df2f7ad26b6.png

757f6e1b-c8e6-4986-aa92-d6c8eeff1627.png

avatar
Carl Marien

Hello,

Thank you for the information.

Would it be possible to schedule a remote session? Unfortunately, we are unable to recreate the issue on our end, and I believe a session would be beneficial.

I have sent a link to your email to arrange the session.

Best regards,

Carl Marien

avatar
Carl Marien

Hello,

I wanted to update the entire community about what happened during the session and outline the next steps.

In the session, we were able to better understand the issue. Unfortunately, it seems we currently don’t have the necessary setup to recreate the problem.

I have already contacted the QA department to replicate the issue and will keep you informed about any progress on this case.

Best regards,

Carl Marien

avatar
Carl Marien

Hello,

Thank you for your patience.

The latest version of RDM includes a fix for your issue.
Could you please test if the issue persists in this version?

Best regards,

Carl Marien

avatar
pirate585

Hi Carl,

Thank you. Confirmed the issue is fixed on RDS Windows 2025.1.25.0 64-bit.

Regards,
Eric