Coder logo

SSH no mutual signature supported

When using coder ssh to reach your workspace, you may encounter the following error:

sign_and_send_pubkey: no mutual signature supported
sign_and_send_pubkey: no mutual signature supported
user@coder.workspace: Permission denied (publickey).

Why this happens

Some versions of ssh, including the version that is included in macOS Ventura (Version 13) fail to select a supported authentication algorithm when connecting to Coder with an RSA SSH key. The ssh client incorrectly determines that only the deprecated ssh-rsa algorithm is supported by the server.

Resolution

Option 1: Use elliptic curve SSH keys

Elliptic curve key authentication does not appear to suffer the negotiation failure. A Coder administrator should configure either Ed25519 or ECDSA SSH keys under Manage > Admin > Security.

After this configuration change, regenerate your SSH key by clicking your avatar in the top right, then select Account > SSH keys, and finally, click the Regenerate button.

Lastly, rebuild your workspace(s) to pick up the new keys.

Option 2: Configure your SSH client

If you cannot switch to elliptic curve SSH keys, as a workaround, you can configure your SSH client to use the ssh-rsa authentication algorithm.

NOTE: Although this algorithm is considered cryptographically insecure, using it does not alter the overall security properties of coder ssh because all SSH protocol traffic is sent via an authenticated and encrypted tunnel to your workspace.

Generate SSH configuration entries for your workspaces:

$ coder config-ssh
Your private ssh key was written to "/Users/user/.ssh/coder_enterprise"
An auto-generated ssh config was written to "/Users/user/.ssh/config"
You should now be able to ssh into your workspace
For example, try running

    $ ssh coder.workspace

Open your ssh configuration file in a text editor (this is usually at ~/.ssh/config but check the output of the previous command if unsure).

For each workspace config block, add the line PubkeyAcceptedAlgorithms +ssh-rsa

For example:

SSH Config
Host coder.workspace
    HostName coder.workspace
    ProxyCommand "/opt/homebrew/bin/coder" tunnel --retry 0 workspace 12213 stdio
    StrictHostKeyChecking no
    ConnectTimeout=0
    IdentitiesOnly yes
    IdentityFile="/Users/spike/.ssh/coder_enterprise"
    ControlMaster auto
    ControlPath ~/.ssh/.connection-coder.f6fd39b24f3a813ecc60e43f5063bbcf
    ControlPersist 600
    PubkeyAcceptedAlgorithms +ssh-rsa

You will need to repeat this process if you create new workspaces and re-run coder config-ssh

If this doesn't resolve the issue, please contact us for further support.