Unsupported key format "ecdsa-sha2-nistp521"

ankit.khandelwal · May 3, 2023, 9:18am

Hello Guys,

I have setup SSH Engine for SSH based certificate but when i sign with public key end up getting following error:-

failed to generate signed SSH key: sign error: ssh: unsupported signature algorithm “rsa-sha2-512” for key format “ecdsa-sha2-nistp521”

i was following the document -

providing key_type = ecdsa-sha2-nistp521 but under role the Signing Algorithm is only three types which is rsa* values accepted and due to that its conflicting the same.

Please let me know if ecdsa-sha2-nistp521 is not supported or do we have any fix?

maxb · May 3, 2023, 10:05am

Using an algorithm_signer of default with non-RSA keys works fine for me (testing with Vault 1.13.1):

    vault secrets enable ssh
    vault write -format=json ssh/config/ca generate_signing_key=true key_type=ecdsa-sha2-nistp521 | jq -r .data.public_key > generated/ssh_ca.pub
    vault write ssh/roles/client - <<"END"
{
    "key_type": "ca",
    "allow_user_certificates": true,
    "allowed_users": "test",
    "algorithm_signer": "default",
    "default_extensions": {
        "permit-pty": "",
        "permit-port-forwarding": ""
    },
    "ttl": "10m"
}
END
    # Sign CA itself with the CA, just as a test signing works
    vault write -format=json ssh/sign/client public_key=@generated/ssh_ca.pub | jq -r .data.signed_key > generated/ssh_ca-cert.pub

ankit.khandelwal · May 3, 2023, 10:38am

Thanks its works well.

Topic		Replies	Views
Vault version 1.9.2 and ssh algorithm type Vault	0	101	November 14, 2023
Vault Transit Engine signing algorithm SHA256withECDSAinP1363Format support Vault vault	0	190	November 3, 2023
Hashicorp Vault for certificate signed ssh Vault vault	0	37	September 28, 2024
Connect to server linux using Hashicorp Vault SSH client signed from windows client Vault	8	947	April 28, 2022
Vault Transit signature: validate offline Vault	0	333	August 21, 2022

Unsupported key format "ecdsa-sha2-nistp521"

Related topics