Zero Trust SSH Connections no longer working

A few months ago now I set up Gitea on my local K8s cluster and got it and the SSH connection working following the Zero Trust documentation. Everything was fine for a bit, but now when I try and connect via SSH I get the following:

Unable to negotiate with UNKNOWN port 65535: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I thought maybe it was due to using an old version of the cloudflared client, so I updated that but no dice. I also tried adding HostKeyAlgorithms=+ssh-rsa to my SSH config but that also didn’t work. I feel like I am probably missing something simple, but any help would be appreciated.

Can you confirm / make sure that you are running with cloudflared 2021.10.5 on the Tunnel side?

I was running 2021.10.3. Just upgraded to 2021.10.5 and am seeing the same behavior.

Have you tried connecting from another machine?

Spun up a fresh VM and tried it, and lo and behold it works! Is there some kind of cache that I could clear on my other machine? Or perhaps I should kill the config file and start over?

You may try this first.

By the way, do you remember having a system/software update before you had this issue?

Maybe FS#72250: [openssh] Fails to use loaded ssh keys?

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

Yep I use Arch on my local workstation so this is indeed the issue. I figured it was somewhere in the Argo → Gitea chain, but I was wrong.

For others looking, here is the thread for Gitea on the issue. Seems Gitea generates RSA keys by default. There are workarounds there for specifying the key type manually.

Thanks for all the help everyone!

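One way to confine the `ssh-rsa` workaround from this thread to the single affected host instead of every connection, as an added example that is not part of the original posts. The host name `git.example.com` and the accepted-algorithm list are constructed placeholders; on a real client the accepted list would come from the `hostkeyalgorithms` line of `ssh -G <host>`.

```shell
#!/bin/sh
# Added example (not from the thread): read the negotiation error, find the
# offered host key algorithms the client rejects, and emit a per-host stanza.

# stdin: ssh error text -> stdout: comma-separated "Their offer:" list
offered_from_error() {
    sed -n 's/.*no matching host key type found\. Their offer: *//p' | tr -d ' \r'
}

# $1 = offered list, $2 = accepted list (both comma-separated)
# stdout: offered algorithms missing from the accepted list, one per line
rejected_offers() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$alg,"*) ;;
            *) printf '%s\n' "$alg" ;;
        esac
    done
}

# $1 = host pattern, $2 = algorithms; same two options the thread lists,
# but inside a Host block so every other destination keeps the defaults
scoped_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostKeyAlgorithms +%s\n' "$2"
    printf '    PubkeyAcceptedAlgorithms +%s\n' "$2"
}

# $1 = error text, $2 = accepted list, $3 = host pattern
diagnose() {
    offer=$(printf '%s\n' "$1" | offered_from_error)
    if [ -z "$offer" ]; then
        echo "no host key negotiation error found" >&2
        return 1
    fi
    missing=$(rejected_offers "$offer" "$2" | paste -sd, -)
    if [ -n "$missing" ]; then
        scoped_stanza "$3" "$missing"
    else
        echo "# client already accepts every offered algorithm: $offer"
    fi
}

# Constructed sample input: the error quoted in the thread, and an accepted
# list shaped like the hostkeyalgorithms line of `ssh -G <host>` (assumed values).
SAMPLE_ERROR='Unable to negotiate with UNKNOWN port 65535: no matching host key type found. Their offer: ssh-rsa'
SAMPLE_ACCEPTED='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'

diagnose "$SAMPLE_ERROR" "$SAMPLE_ACCEPTED" git.example.com
```

The stanza it prints belongs in `~/.ssh/config`; once the server presents a host key of another type, as the Gitea workarounds mentioned above allow, the stanza can be removed.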