Local Community

Unable to pull site: Permission denied (publickey). rsync connection unexpectedly closed: ssh-rsa signature algorithm mismatch

Issue Summary

If you are using Ubuntu 22.04, or any other system that by default has RSA SHA-1 signature algorithms disabled, you’ll have a bad time pulling files from wpengine with Local. Things were working fine for me with Ubuntu 21.04, but after upgrading to 22.04, suddenly Local syncs stopped working.

Here’s debugging info I went through before figuring this out: the first indication was that no files appeared in the “MagicSync” file pane. The local-lightning-verbose.log showed the following errors:

{"thread":"main","class":"DevKitService","message":"wpe_cli+rsync+pull+efairsstg@efairsstg.ssh.wpengine.net: Permission denied (publickey).\r\n","level":"warn","timestamp":"2022-04-26T18:38:26.341Z"}
{"thread":"main","class":"DevKitService","message":"rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]\nrsync error: unexplained error (code 255) at io.c(228) [Receiver=3.2.3]\n","level":"warn","timestamp":"2022-04-26T18:38:26.344Z"}
{"thread":"main","class":"DevKitService","level":"info","message":"\u001b[1;31m\rError: \u001b[0mUnable to pull: exit status 255\n","timestamp":"2022-04-26T18:38:26.360Z"}

Over in ~/Local Sites/, after pulling files for a new site, this was all that showed – no wordpress files:

$ ls -R
public

./public:
_wpeprivate

./public/_wpeprivate:
autoload.sql

I finally tried the following to troubleshoot ssh’s ability to use the key created by Local for communication with wpengine:

ssh -vvvv -i ~/.config/Local/ssh/wpe-connect wpe_cli+rsync+pull+efairsstg@efairsstg.ssh.wpengine.net

This revealed the following error output:

debug1: Offering public key: wpe-connect RSA SHA256:H.... explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
wpe_cli+rsync+pull+efairsstg@efairsstg.ssh.wpengine.net: Permission denied (publickey).

Workaround

To work around this, I edited /etc/ssh/ssh_config to re-enable the RSA SHA-1 signature algorithm for client use: add PubkeyAcceptedKeyTypes +ssh-rsa to a relevant Host section in the ssh client configuration, for example:

# /etc/ssh/ssh_config
Host *
    ...
    PubkeyAcceptedKeyTypes +ssh-rsa

And bingo, suddenly pulling works again! This is non-ideal because this signature algorithm is being deprecated for good reason. Upgrade your ssh server, wpengine!!

Replication

  1. Install a recent-ish SSH client where the default configuration disables the RSA SHA-1 signature algorithm. Ubuntu 22.04 in the default configuration works.
  2. Attempt to pull a site from wpengine through Local.

System Details

  • Which version of Local is being used?

6.4.0; though I had the same results with 6.3.0.

  • What Operating System (OS) and OS version is being used?
LSB Version:	core-11.1.0ubuntu4-noarch:security-11.1.0ubuntu4-noarch
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy

SSH version: Ubuntu openssh-client 1:8.9p1-3

SSH config (/etc/ssh/ssh_config.d/ is empty):

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
  • Attach the Local Log. See this Help Doc for instructions on how to do so:

local-lightning-verbose.log (38.6 KB)

Security Reminder

Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.

Instead of modifying the system-wide SSH config for all Hosts, you can reduce the scope to just your user and just wpengine. In your local SSH config file (~/.ssh/config), add:

Host *.wpengine.net
    PubkeyAcceptedKeyTypes +ssh-rsa

For me, this fixed the “Permission denied (publickey)” error when pulling from WPEngine on Ubuntu 22.04.