SSH-RSA keys not supported by SSH agent?

I recently started using the SSH agent feature in Bitwarden and have hit the following issue. I have an old server that only supports SSH-RSA keys and I’ve got it working with Windows OpenSSH agent by specifying PubkeyAcceptedAlgorithms +ssh-rsa in the SSH config file. However, when I switched to the Bitwarden SSH Agent, login fails. Output from ssh -v is as follows:

debug1: Offering public key: bfg@PC-Master RSA SHA256:C/8dh94mdHj45WeD0G88vb7aK7Qk2SV0m8F8gltT+Mc agent
debug1: Server accepts key: bfg@PC-Master RSA SHA256:C/8dh94mdHj45WeD0G88vb7aK7Qk2SV0m8F8gltT+Mc agent
agent key RSA SHA256:C/8dh94mdHj45WeD0G88vb7aK7Qk2SV0m8F8gltT+Mc returned incorrect signature type
sign_and_send_pubkey: signing failed for RSA "bfg@PC-Master" from agent: signature algorithm not supported

I read in multiple places that Bitwarden agent supports RSA but I’m guessing it does not support the ssh-rsa algorithm specifically?

Which OpenSSH versions are the server and the client?

If the server is too old, perhaps you need to also add the option

HostkeyAlgorithms +ssh-rsa

to the client.

Yep that option is also specified in the client.

Server is running dropbear v2019.78 and client is OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2.

Can anyone confirm that they have ssh-rsa keys working with the Bitwarden agent? If so, then the problem is my configuration. Else I will go put in a feature request.

That client should be fine, the server I couldn’t tell, I have not played much with dropbear.

Yes:

kiko@penguin:~ $ ssh -v kiko@localhost
OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /home/kiko/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/kiko.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/kiko/.ssh/id_rsa type -1
debug1: identity file /home/kiko/.ssh/id_rsa-cert type -1
debug1: identity file /home/kiko/.ssh/id_ecdsa type -1
debug1: identity file /home/kiko/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kiko/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kiko/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kiko/.ssh/id_ed25519 type -1
debug1: identity file /home/kiko/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kiko/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kiko/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kiko/.ssh/id_xmss type -1
debug1: identity file /home/kiko/.ssh/id_xmss-cert type -1
debug1: identity file /home/kiko/.ssh/id_dsa type -1
debug1: identity file /home/kiko/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u6
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'kiko'
debug1: load_hostkeys: fopen /home/kiko/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:eK8B1QZlkpzg2gleyKvW+kE2hqVQy7HMvV6uyubUnb8
DNS lookup error: data does not exist
debug1: load_hostkeys: fopen /home/kiko/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'localhost' is known and matches the ED25519 host key.
debug1: Found key in /home/kiko/.ssh/known_hosts:635
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: test item 05 sshkey RSA SHA256:q4xxNOm6RDsy/qD4Iyn07OMr9ogJ+dKj6equl5Z/qF4 agent
debug1: Will attempt key: /home/kiko/.ssh/id_rsa 
debug1: Will attempt key: /home/kiko/.ssh/id_ecdsa 
debug1: Will attempt key: /home/kiko/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/kiko/.ssh/id_ed25519 
debug1: Will attempt key: /home/kiko/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/kiko/.ssh/id_xmss 
debug1: Will attempt key: /home/kiko/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: test item 05 sshkey RSA SHA256:q4xxNOm6RDsy/qD4Iyn07OMr9ogJ+dKj6equl5Z/qF4 agent
debug1: Server accepts key: test item 05 sshkey RSA SHA256:q4xxNOm6RDsy/qD4Iyn07OMr9ogJ+dKj6equl5Z/qF4 agent
debug1: Enabling compression at level 6.
Authenticated to localhost ([127.0.0.1]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/kiko/.ssh/authorized_keys:6: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/kiko/.ssh/authorized_keys:6: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: channel 0: setting env LC_TIME = "C"
debug1: pledge: fork
Linux penguin 6.6.76-08024-gb30cb4a129c2 #1 SMP PREEMPT_DYNAMIC Fri, 25 Apr 2025 05:08:33 -0700 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jun 12 06:33:28 2025 from 127.0.0.1
kiko@penguin:~ $ 

As can be checked, server and client are the same, OpenSSH_9.2.

Thanks for looking into this. I just realised I have a couple of other hosts in my environment to test (using the same ssh-rsa key) and I think I have narrowed it to be an issue with dropbear and the Bitwarden agent specifically.

server - Synology DSM 7.2 running OpenSSH_8.2 - WORKS
server - OpenWRT 24.10 running dropbear v2024.86 - DOESN’T WORK (same error as before)

Try running the openssh client with -vvv (verbosity can be increased up to three v’s).

I recently encountered the same issue when using it, and obtained the following log output with the -vvv parameter:

debug1: Server accepts key: JumpServer RSA SHA256:oQRKBHshVwa7EbjV/k2yKvXJScHNPeFHoTp5vMyzu88 agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:oQRKBHshVwa7EbjV/k2yKvXJScHNPeFHoTp5vMyzu88
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:oQRKBHshVwa7EbjV/k2yKvXJScHNPeFHoTp5vMyzu88
agent key RSA SHA256:oQRKBHshVwa7EbjV/k2yKvXJScHNPeFHoTp5vMyzu88 returned incorrect signature type
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:oQRKBHshVwa7EbjV/k2yKvXJScHNPeFHoTp5vMyzu88
sign_and_send_pubkey: signing failed for RSA "JumpServer" from agent: signature algorithm not supported

It’s clear that the server accepted my key request, but the authentication failed because the agent does not support RSA signing. I believe this is a bug, since it’s really strange that ssh-agent allows you to import RSA keys but then cannot actually use them.

Is your server dropbear or OpenSSH?
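The "returned incorrect signature type" line in the logs above is a client-side check: the signature blob an agent returns names its own algorithm, and the client compares that name with the one it asked for ("signing using ssh-rsa" in the -vvv output). The following is an added example, not code from the thread, OpenSSH or Bitwarden; it is a simplified model of that check using the SSH agent protocol's sign-request flags, the signature blobs are constructed with dummy bytes, and which type the agents in this thread actually returned is not shown in the logs.

```python
import struct

# Message number and flag bits from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04

# Algorithm the client wants -> flags sent to the agent.
# ssh-rsa (RSA with SHA-1) is the default and has no flag bit.
FLAGS = {"ssh-rsa": 0,
         "rsa-sha2-256": SSH_AGENT_RSA_SHA2_256,
         "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int = 0):
    """Read one SSH string at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_sign_request(key_blob: bytes, data: bytes, want_alg: str) -> bytes:
    """Frame a sign request: length, type byte, key blob, data, flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", FLAGS[want_alg]))
    return ssh_string(body)


def check_signature_type(sig_blob: bytes, want_alg: str) -> str:
    """Compare the algorithm named in the signature blob with the request."""
    name, off = read_string(sig_blob)
    read_string(sig_blob, off)  # the signature bytes must follow the name
    got = name.decode("ascii")
    if got != want_alg:
        return f"incorrect signature type: wanted {want_alg}, got {got}"
    return "ok"


# Constructed blobs: algorithm name plus 256 dummy bytes (not real signatures).
SIG_SHA1 = ssh_string(b"ssh-rsa") + ssh_string(b"\x00" * 256)
SIG_SHA512 = ssh_string(b"rsa-sha2-512") + ssh_string(b"\x00" * 256)

if __name__ == "__main__":
    print(check_signature_type(SIG_SHA512, "ssh-rsa"))
```

A server that lists rsa-sha2-256 and rsa-sha2-512 in server-sig-algs, as in the OpenSSH log above, lets the client request one of those instead of ssh-rsa, so the flags field is non-zero and a SHA-2 signature passes the check.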
