Unable to connect to rsync.net ssh: handshake failed: ssh: unsupported DSA key size 2048

What is the problem you are having with rclone?

Having trouble connecting to rsync.net via SFTP from two different servers (which might mean this is their problem and not a bug with rclone).

I'm seeing errors with ssh handshake failing due to DSA key too large. I don't see this problem when connecting to SFTP servers. Not sure if this is user error on my part, or if a problem with rsync.net? I get the same error regardless of whether I use the SSH password in the config file, or via --sftp-ask-password option on the command line:

2020/05/11 20:21:55 Failed to create file system for "rsyncnet:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

I am able to connect directly via ssh. The server asks me for a password, I enter it and get a list of the files on the server just fine:

ssh username@subdomain.rsync.net ls
Password:
folder1
folder2

What is your rclone version

rclone v1.51.0-303-g962fbc82-beta
- os/arch: linux/amd64
- go version: go1.14.2

Which OS you are using and how many bits

Crostini Linux Virtual Machine in Chrome OS 64 bit Version 81.0.4044.141

uname -a
Linux penguin 4.19.98-08076-g24ab33fb8e14 #1 SMP PREEMPT Wed Apr 1 17:14:27 PDT 2020 x86_64 GNU/Linux

Vultr cloud server

Linux vultr.guest 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Which cloud storage system are you using?

SFTP

The command you were trying to run

rclone lsd rsyncnet: using a config file as follows

[rsyncnet]
type = sftp
host = subdomain.rsync.net
user = username
pass = *** ENCRYPTED ***

rclone --sftp-ask-password lsd rsyncnet: using following config

[rsyncnet]
type = sftp
host = subdomain.rsync.net
user = username

A log from the command with the -vv flag:

rclone -vv lsd rsyncnet:

2020/05/11 20:17:12 DEBUG : rclone: Version "v1.51.0-303-g962fbc82-beta" starting with parameters ["rclone" "-vv" "lsd" "rsyncnet:"]
2020/05/11 20:17:12 DEBUG : Using config file from "/home/user/.config/rclone/rclone.conf"
2020/05/11 20:17:16 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:17:16 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2020/05/11 20:17:20 DEBUG : pacer: low level retry 2/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:17:20 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2020/05/11 20:17:29 DEBUG : pacer: low level retry 3/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:17:29 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2020/05/11 20:18:00 DEBUG : pacer: low level retry 4/10 (error couldn't connect SSH: dial tcp 69.43.165.6:22: connect: connection timed out)
2020/05/11 20:18:00 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2020/05/11 20:18:01 DEBUG : pacer: low level retry 5/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:01 DEBUG : pacer: Rate limited, increasing sleep to 2s
2020/05/11 20:18:04 DEBUG : pacer: low level retry 6/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:04 DEBUG : pacer: low level retry 7/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:10 DEBUG : pacer: low level retry 8/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:10 DEBUG : pacer: low level retry 9/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:28 DEBUG : pacer: low level retry 10/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:18:28 Failed to create file system for "rsyncnet:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

rclone -vv --sftp-ask-password lsd rsyncnet:

2020/05/11 20:14:07 DEBUG : rclone: Version "v1.51.0-303-g962fbc82-beta" starting with parameters ["rclone" "-vv" "--sftp-ask-password" "lsd" "rsyncnet:"]
2020/05/11 20:14:07 DEBUG : Using config file from "/home/user/.config/rclone/rclone.conf"
Enter SFTP password:
2020/05/11 20:14:12 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:12 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2020/05/11 20:14:12 DEBUG : pacer: low level retry 2/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:12 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2020/05/11 20:14:16 DEBUG : pacer: low level retry 3/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:16 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2020/05/11 20:14:16 DEBUG : pacer: low level retry 4/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:16 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2020/05/11 20:14:20 DEBUG : pacer: low level retry 5/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:20 DEBUG : pacer: Rate limited, increasing sleep to 2s
2020/05/11 20:14:20 DEBUG : pacer: low level retry 6/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:23 DEBUG : pacer: low level retry 7/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:25 DEBUG : pacer: low level retry 8/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:28 DEBUG : pacer: low level retry 9/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:29 DEBUG : pacer: low level retry 10/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048)
2020/05/11 20:14:29 Failed to create file system for "rsyncnet:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

It looks like the key you made is a DSA key when rsync.net wants an RSA key.

https://www.rsync.net/resources/howto/ssh_keys.html

Thanks for your reply. I would edit my original post but it has been locked

I just want to highlight that I am using password only SFTP configuration, and yet am still receiving the odd error message:

2020/05/11 20:21:55 Failed to create file system for "rsyncnet:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

Ah, I expect rclone is picking up your ssh agent...

Try disabling your ssh agent with

unset SSH_AUTH_SOCK

And run rclone again in the same terminal.

If that works then it should probably be fixed properly as I don't think we want rclone using the agent if you've supplied a username and password.

I ran unset SSH_AUTH_SOCK and then ran rclone --sftp-ask-password lsd rsyncnet: again and still receive same error

I have an rsync.net account with config like this

[rsyncnet]
type = sftp
host = usw-sXXX.rsync.net
user = 5XXXX
pass = *** ENCRYPTED ***
md5sum_command = md5 -r
sha1sum_command = sha1 -r

And it works just fine.

I found a relevant issue

Which seems to suggest it is something to do with out of range DSA keys. I'm not sure where that key is though. Is it in your .authorized_keys on your rsync net server? Or maybe there is an .ssh/id_dsa file?

Thanks for your help on this. I tried it just now using your config, and it still throws the error. I don't have an .authorized_keys file on my rsync net server. I don't even have an .ssh directory

I can ssh just fine into my server: ssh user@subdomain.rsync.net ls works great

I am having this same issue with a fresh install of rclone on both my linux VM inside chromeOS, and also a fresh Vultr vps running Debian 10.

Here's my exact steps:

  1. spin up vultr vps and ssh into it
  2. ssh into my rsync.net account from the vps to test the connection
  3. install rclone using the one-liner from rclone.org
  4. configure rclone, exactly as you described in the post above
  5. run rclone lsd rsyncnet:
  6. get error: 2020/05/13 21:38:09 Failed to create file system for "rsyncnet:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

Is DSA being used somewhere in the SSH handshake?

I've emailed rsync.net support and they asked if there's a way to choose a cipher other than DSA?

Is there an 'ssh options' option where you can specify ssh command line switches and, with those, you could choose a cipher other than DSA?

Update: just tried with ask_password in the config instead of pass and I'm getting the exact same problem. Very confusing.

I am facing the same problem.

I can add from my side, that the same error is thrown on my fresh Fedora 32 server as well as my Windows Server 2019. Both are running rclone 1.51.0, installed through package managers (dnf on Fedora, chocolatey on Windows).

Since at least the Windows system has never seen an ssh key, I suspected that mysterious DSA key to be on rsync net's side, but ssh-keyscan shows no DSA key fingerprint:

❯ ssh-keyscan ch-s010.rsync.net
# ch-s010.rsync.net:22 SSH-2.0-OpenSSH_7.5-hpn14v5 FreeBSD-openssh-portable-7.5.p1_1,1
# ch-s010.rsync.net:22 SSH-2.0-OpenSSH_7.5-hpn14v5 FreeBSD-openssh-portable-7.5.p1_1,1
# ch-s010.rsync.net:22 SSH-2.0-OpenSSH_7.5-hpn14v5 FreeBSD-openssh-portable-7.5.p1_1,1
ch-s010.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBxDZv64oRMzRkywjmRRrml2pr0XFSZhlL46nUSmM60
# ch-s010.rsync.net:22 SSH-2.0-OpenSSH_7.5-hpn14v5 FreeBSD-openssh-portable-7.5.p1_1,1
# ch-s010.rsync.net:22 SSH-2.0-OpenSSH_7.5-hpn14v5 FreeBSD-openssh-portable-7.5.p1_1,1

My authorized_keys file is also empty on both sides.

So from my understanding of SSH there seems to be no DSA key involved at all on any side.
I'd be quite interested in the answer from rsync net (could contact them myself, but documenting the problem and steps to solve it is a better way, I think).

I'm grateful this thread exists, because I couldn't find anyone else reporting this problem. I'd encourage you to open an email with rsync.net so that they have more information to work with if the problem is on their end. Perhaps they can identify a commonality with our accounts that is causing the issue. It's odd that @ncw's account is working fine, perhaps you and I have an account on a different server, or service level?

It's actually worked for me a couple of times over the last 1.5 weeks, but it would be very random and I'd have trouble duplicating the connection. Over time it connected less and less often, no matter how often I'd try, and just a few days ago it quit connecting entirely.

You are correct and I just sent a mail to them with some more details from my side and linking to this thread in case they want to take a look.

rsync net also publishes the fingerprints of their servers, which lists a DSA fingerprint. But a fingerprint isn't a key and to my knowledge shouldn't trigger the function described in the linked GitHub issue with the same error message.

But I also don't know Golang very well or the internals of how the ssh command initializes the connection. I was under the impression that fingerprinting comes after acquiring a key to fingerprint against.

I can easily fall back to rsync or scp, but I'd rather use rclone for my specific use case.

This is definitely something to do with the rsync.net host

Here is me attempting to login with user test and random password which will fail, but checks the auth.

Here is @saschatrebbin's host which shows the error

$ rclone lsd --sftp-host ch-s010.rsync.net --sftp-user test --sftp-ask-password :sftp:
Enter SFTP password: 
2020/05/14 11:42:48 Failed to create file system for ":sftp:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

And here is mine which doesn't

$ rclone lsd --sftp-host usw-s009.rsync.net --sftp-user test --sftp-ask-password :sftp:
Enter SFTP password: 
2020/05/14 11:43:51 Failed to create file system for ":sftp:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

And here is my host also showing the error

rclone lsd --sftp-host usw-s001.rsync.net --sftp-user test --sftp-ask-password :sftp:
Enter SFTP password:
2020/05/14 17:55:49 Failed to create file system for ":sftp:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unsupported DSA key size 2048

@ncw is correct, this is on rsync.net's side. This is the answer I got from rsync net:

Hi,

While rclone figures out how to get around this, we would like to solve this for you by moving your account to a server that offers a DSA key with a length of 1024.

You can test this by connecting to this TEST account:
account: <TEST_LOGIN_NAME>@ch-s011.rsync.net
pass: <TEST_PASSWORD>

This would require a hostname and login ID change and we can move your existing data over. May we do this now?

I'd rather not post the full login here, even if it is a test account. But using that login info with rclone 1.51.0 on Windows worked. I'll let them move my account to another server, then this is solved for me. @jjaarrvviiss I expect a similar answer to your mail to their support.

This is enough to test the behavior:

λ  rclone lsd --sftp-host ch-s011.rsync.net --sftp-user test --sftp-ask-password :sftp:
Enter SFTP password:
2020/05/15 07:07:19 Failed to create file system for ":sftp:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

I received a similar email albeit with less details and also a request to move my account. I agreed to the move and am waiting to hear back. Glad to hear things are working for you!

I tried patching the ssh library to allow 2048 bit DSA keys

Can you give this a go please?

https://beta.rclone.org/branch/v1.51.0-325-gc4700f4b-fix-ssh-dsa-length-beta/ (uploaded in 15-30 mins)

I've no idea whether it will actually work though!

Damn, my account was just migrated.

But the basic test you provided above now works with my old host:

C:\Users\saschatrebbin\Downloads\rclone-v1.51.0-325-gc4700f4b-fix-ssh-dsa-length-beta-windows-amd64\rclone-v1.51.0-325-gc4700f4b-fix-ssh-dsa-length-beta-windows-amd64
λ  .\rclone lsd --sftp-host ch-s011.rsync.net --sftp-user test --sftp-ask-password :sftp:
Enter SFTP password:
2020/05/15 11:46:46 Failed to create file system for ":sftp:": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

So I guess that patch works and allows these non-standard DSA keys.
Since seemingly both affected users are migrated to new hosts that do not need this patched behavior, do you feel the need to go forward with that patch, @ncw?

For me the migration to another server was painless, so I'd view your patch as an unnecessary burden on the rclone project. But my case might not be representative.

I don't know whether that is enough of a test to see it works - I'd like to see a successful login!

If it works I was going to submit it to the upstream ssh library that rclone uses. It is a very simple patch...

My account hasn't been moved yet, so it's still on the old server. Testing this patched version of rclone works well for me! rclone ls and rclone sync work fine both ways!

They migrated my account now too, so I am able to use version 1.51.0 with their existing servers. Until they migrated I was able to use version 1.51.0-325-gc4700f4b-fix-ssh-dsa-length-beta just fine, your patch works great.

Great! I'll send the little patch I made upstream which will make its way back into rclone eventually.

1 Like
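
The failure in this thread depends only on the size of the DSA key the server offers during the handshake, which is why it shows up with password-only logins and empty authorized_keys files. The Go sketch below is an added example, not code from rclone, the Go SSH library or anyone in the thread: it reads the bit length of p from an ssh-dss public key blob using only the standard library and applies a 1024-bit-only rule. The function names and the constructed sample blobs are assumptions, and the error text is copied from the log above.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/big"
)

// readString pops one SSH wire-format string: uint32 length, then bytes (RFC 4251).
func readString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("truncated SSH string")
	}
	n := int(binary.BigEndian.Uint32(b))
	return b[4 : 4+n], b[4+n:], nil
}

// CheckDSAKey returns the bit length of p in an "ssh-dss" blob; only 1024 passes.
func CheckDSAKey(blob []byte) (int, error) {
	algo, rest, err := readString(blob)
	if err != nil || string(algo) != "ssh-dss" {
		return 0, fmt.Errorf("not an ssh-dss blob (algo %q, err %v)", algo, err)
	}
	p, _, err := readString(rest) // the first mpint after the name is p
	if err != nil {
		return 0, err
	}
	bits := new(big.Int).SetBytes(p).BitLen()
	if bits != 1024 {
		return bits, fmt.Errorf("ssh: unsupported DSA key size %d", bits)
	}
	return bits, nil
}

// constructedBlob builds a sample blob whose p has the given bit length (not a real key).
func constructedBlob(bits int) []byte {
	p := append([]byte{0}, new(big.Int).Lsh(big.NewInt(1), uint(bits-1)).Bytes()...)
	var out []byte
	for _, f := range [][]byte{[]byte("ssh-dss"), p} {
		out = append(out, byte(len(f)>>24), byte(len(f)>>16), byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

func main() {
	fmt.Println(CheckDSAKey(constructedBlob(1024)))
	fmt.Println(CheckDSAKey(constructedBlob(2048)))
}
```

To check a real server, pass in the base64-decoded key field of an ssh-dss line from ssh-keyscan. On OpenSSH builds that still support DSA, ssh-keyscan only fetches that key type when asked with -t dsa, so a default scan will not list it.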