
wincryptsshagent's People

Contributors

acha666, axxelg, buptczq, chuckmilam, czbix, dinhngtu, drewchurch, ksteckert, michalsznajder, portalmario, sunmar

wincryptsshagent's Issues

Exclude certificates with BitLocker/EFS EKU

Certs used for disk encryption are usually not used for SSH, so I think filtering out ones that only have the BitLocker Drive Encryption (1.3.6.1.4.1.311.67.1.1) and/or Encrypting File System (1.3.6.1.4.1.311.10.3.4) EKU would make sense.

I can look into this if it sounds reasonable.

I guess the stricter alternative would be to accept only certs that have no EKU at all or include the Client Authentication (1.3.6.1.5.5.7.3.2) EKU.
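
Both filtering rules proposed in this issue, side by side, as an added example (not part of the issue or of the project's code). The function names and the throwaway self-signed certificates are constructed for illustration; only the three OIDs come from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// EKU OIDs quoted in the issue. Go's x509 parser has no named constant for
// either, so both end up in Certificate.UnknownExtKeyUsage.
var (
	oidBitLocker = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 67, 1, 1}
	oidEFS       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 4}
)

// NotDiskEncryptionOnly is the first proposal: drop a certificate only when
// every EKU it carries is BitLocker and/or EFS.
func NotDiskEncryptionOnly(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) > 0 || len(c.UnknownExtKeyUsage) == 0 {
		return true // some recognised EKU is present, or there is no EKU at all
	}
	for _, oid := range c.UnknownExtKeyUsage {
		if !oid.Equal(oidBitLocker) && !oid.Equal(oidEFS) {
			return true
		}
	}
	return false
}

// ClientAuthOrNoEKU is the stricter alternative: keep a certificate only if
// it has no EKU extension or lists Client Authentication (1.3.6.1.5.5.7.3.2).
func ClientAuthOrNoEKU(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageClientAuth {
			return true
		}
	}
	return false
}

// KeptNames returns the subject CNs of the certificates a policy keeps.
func KeptNames(certs []*x509.Certificate, keep func(*x509.Certificate) bool) []string {
	var out []string
	for _, c := range certs {
		if keep(c) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// sampleCert builds a self-signed certificate (constructed test data) and
// parses it back, so the EKUs are read the way a real store entry would be.
func sampleCert(cn string, known []x509.ExtKeyUsage, unknown []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: known, UnknownExtKeyUsage: unknown,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleStore is a constructed stand-in for a user certificate store.
func SampleStore() ([]*x509.Certificate, error) {
	var store []*x509.Certificate
	add := func(cn string, known []x509.ExtKeyUsage, unknown ...asn1.ObjectIdentifier) error {
		c, err := sampleCert(cn, known, unknown)
		store = append(store, c)
		return err
	}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	codeSign := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	for _, err := range []error{
		add("ssh key", nil), add("bitlocker", nil, oidBitLocker),
		add("efs+bitlocker", nil, oidEFS, oidBitLocker),
		add("efs+clientauth", clientAuth, oidEFS), add("code signing", codeSign),
	} {
		if err != nil {
			return nil, err
		}
	}
	return store, nil
}

func main() {
	store, err := SampleStore()
	if err != nil {
		panic(err)
	}
	fmt.Println("exclude disk-encryption-only:", KeptNames(store, NotDiskEncryptionOnly))
	fmt.Println("client auth or no EKU:       ", KeptNames(store, ClientAuthOrNoEKU))
}
```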

No certificate in certmgr despite it being present on the key

I've followed the documentation with a yubikey 5 nano. I think I got the key+cert generated properly:

PS C:\Program Files\Yubico\YubiKey Manager> .\ykman.exe piv info
PIV version: 5.2.7
PIN tries remaining: 5
Management key is stored on the YubiKey, protected by PIN.
CHUID:  3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410267fe50fcf07fc42e1ba43c44da4ee24350832303330303130313e00fe00
CCC:    f015a000000116ff02230430b9ad5abd47da454f25692cf10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
        Algorithm:      ECCP384
        Subject DN:     CN=ssh key
        Issuer DN:      CN=ssh key
        Serial:         298459723518337060306122328112569747814676727990
        Fingerprint:    3f87ca892b6461659a5eff2db490ab06c954373d13f68aadbbbaab40a9c33a53
        Not before:     2021-03-06 22:56:51
        Not after:      2023-11-10 00:00:00

but despite re-plugging the key, windows doesn't see the cert:

I'm not all that familiar with win10's plumbing involved here - anything that I might have missed?

Thanks!

Feature request: ability to filter or rearrange public keys

My Public Key list within WinCryptSSHAgent is currently loading 5 keys, mostly from my PIV smart card. Only one of those keys supports Smart Card Login, and it is currently placed 5th in the list.
Our Linux servers reject the SSH session after 4 failed attempts, so I'm thinking the 5th key never makes the request.

It would be nice if I could rearrange the order, or if I can filter for Smart Card Login certs.

PKCS11 Support

Hi,

First of all, thx for your great project, it's very useful! Not issue, just feature request.

Any plan supporting PKCS11? I'm currently using ssh -I libykcs11.so user@host with self-compiled Win32-OpenSSH, but seems not convenient at some point.

But I really like this project, so any plan or road map to implement PKCS11 support for yubikey? thx a lot.

Wincrypt is marked as potential malware during installation via chocolatey

Not a bug per-se, just wanted to let you know:

PS C:\windows\system32> choco install wincrypt-sshagent
Chocolatey v0.10.15 Professional
Installing the following packages:
wincrypt-sshagent
By installing you accept licenses for the packages.
Progress: Downloading wincrypt-sshagent 1.1.7... 100%

wincrypt-sshagent v1.1.7 [Approved]
wincrypt-sshagent package files install completed. Performing other installation steps.
Downloading wincrypt-sshagent 64 bit
  from 'https://github.com/buptczq/WinCryptSSHAgent/releases/download/v1.1.7/WinCryptSSHAgent.exe'
Using download CDN cache instead of original url.
Progress: 100% - Completed download of 'WinCryptSSHAgent.exe' (4.05 MB).
Download of 'WinCryptSSHAgent.exe' (4.05 MB) completed.
Virus check: 3/70 scan engines flagged this assembly.
 Due to possible false positives we fail at 4 minimum positives.
 Virus scan engine 'Bkav' found potential 'W32.AIDetect.malware1'.
 Virus scan engine 'Cylance' found potential 'Unsafe'.
 Virus scan engine 'APEX' found potential 'Malicious'.
Hashes match.

VirusTotal also shows APEX marking the exe file as suspicious. Probably a false positive... right? :)

Getting "agent refused connection" error

Hello,

OS: Windows 10
Build: 17134.1304

Thanks a lot for writing this program. I stumbled upon it while trying to install pageant-weasel for my Yubikey. Sadly, however, I'm encountering a bit of a problem.

I am trying to run the ssh-add command from Windows.
When I do so (having started WinCryptSSHAgent) I get the following error:


I'm using the ssh-add that comes installed with Windows's implementation of OpenSSH.

I am assuming that WinCryptSSHAgent is a drop-in replacement for the Windows10 ssh-agent.

SSH with putty only works sometimes

Hi

This may be caused by my impenitence when it comes to using smartcards in Windows. But in the majority of times I use WinCryptSSHAgent with putty it doesn't work. I get this prompt:

The error message below shows up when I click OK. But when I click "Cancel" it works like 10% of the time. The other times I get the error "Pageant failed to provide a signature". Is my yubikey conflicting with some other device? I can't seem to figure it out. Any tips?

Exclude certificates without a private key

After a Windows update, this app now shows all public keys in the system, not only Adobe but also Microsoft, Google, etc.
Issue #7 is also caused by this. I keep getting the Too many authentication failures error during any login attempt.

Feature request: PIN timeout

It seems that the agent keeps the session alive on the Yubikey even after sleep. Would be nice to set a timeout of e.g. 15 min to ensure PIN/tap is required.

listen hvsock errors on stop/start

When I quit and restart the app (v1.1.0 with WSL2 support) I (sometimes) get:

listen hvsock 00000000-0000-0000-0000-000000000000:22223333-facb-11e6-bd58-64006a7986d3: listen: Only one usage of each 
socket address (protocol/network address/port) is normally permitted.

I doublechecked that the process isn't actually running anymore, the only way to have this error go away is to reboot.

Putty based software cannot access agent

I have a weird problem on one machine. The WinCryptSSHAgent is running and working fine for WSL, but pageant based clients fail. They do recognize WCSA as the agent, but fail to obtain the keys. Running the original pageant, they work.

Event log from putty:

Pageant is running. Requesting keys.
Failed to get reply from Pageant.

The machine has Sophos Endpoint Protection 10.8 installed by the employer. I was able to add both putty and WinCryptSSHAgent to several whitelists, but nothing helps. I verified no other pageant was running while WCSA was running. Tried running with elevated privileges, both WCSA and putty. WinSCP shows the same problem.

Any ideas? Is Sophos the right direction, or might there be some Windows 10 settings interrupting the communication? Windows Event log shows nothing ...

Edit: tried both 32-bit and 64-bit versions of both putty and WCSA as well
Edit 2: and also a freshly generated openssh key with default settings

KeeAgent support?

Currently I use the KeeAgent socket directly in WSL (1), but avoiding socket conversion stuff (msysgit2unix-socket.py) would be preferable.

Hyper-V socat connection string for VM

I am trying to understand L205 which I think explains how the container is able to make a socket connection to the agent.

My goal is to create a VM using VMware workstation and make this connection from inside the VM. Since the network settings will be different, I would like to understand how I can achieve this with a VM instead of a docker container.

The project is awesome and very useful! :)

EDIT: To be a little specific regarding my question, I am trying to understand SOCKET-CONNECT:40:0:x0000x33332222x02000000x00000000.

From reading the documentation, I gathered the syntax is SOCKET-CONNECT:<domain>:<protocol>:<remote-address> but I am not sure I understand how the values are assigned to SOCKET-CONNECT command. I tried to convert x0000x33332222x02000000x00000000 from hex to int but it still doesn't make much sense. What am I missing?

If someone can add some clarification, it would be helpful.
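
The address string asked about above, decoded field by field, as an added example (not part of the original issue or of the project's code). It assumes a little-endian Linux guest and the `struct sockaddr_vm` layout (`svm_reserved1`, `svm_port`, `svm_cid`, padding); the type and function names are illustrative. The port-to-GUID mapping reproduces the service GUID that appears in the "listen hvsock errors" issue on this page.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const (
	AFVsock       = 40 // AF_VSOCK on Linux: the <domain> field of SOCKET-CONNECT
	VMAddrCIDHost = 2  // VMADDR_CID_HOST: the host side of the hypervisor
)

// VsockAddr holds the two meaningful fields of struct sockaddr_vm.
type VsockAddr struct {
	Port uint32
	CID  uint32
}

// ParseSocatVsock decodes the <remote-address> field. In socat's data syntax
// each "x" introduces raw hex bytes; joined together they are the bytes of
// sockaddr_vm that follow sa_family, in the guest's (little-endian) byte order.
func ParseSocatVsock(remote string) (VsockAddr, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(remote, "x", ""))
	if err != nil {
		return VsockAddr{}, fmt.Errorf("not socat hex data: %w", err)
	}
	if len(raw) < 10 {
		return VsockAddr{}, errors.New("too short for sockaddr_vm")
	}
	if binary.LittleEndian.Uint16(raw[0:2]) != 0 {
		return VsockAddr{}, errors.New("svm_reserved1 must be zero")
	}
	return VsockAddr{
		Port: binary.LittleEndian.Uint32(raw[2:6]),  // x33332222 -> 0x22223333
		CID:  binary.LittleEndian.Uint32(raw[6:10]), // x02000000 -> 2
	}, nil
}

// BuildSocatVsock is the inverse: it renders an address in the same
// x-prefixed form, with the trailing four zero bytes of padding.
func BuildSocatVsock(a VsockAddr) string {
	port := make([]byte, 4)
	cid := make([]byte, 4)
	binary.LittleEndian.PutUint32(port, a.Port)
	binary.LittleEndian.PutUint32(cid, a.CID)
	return fmt.Sprintf("x0000x%xx%xx00000000", port, cid)
}

// ServiceGUID maps an AF_VSOCK port to the Hyper-V socket service GUID:
// the port fills the first group of the fixed vsock template GUID.
func ServiceGUID(port uint32) string {
	return fmt.Sprintf("%08x-facb-11e6-bd58-64006a7986d3", port)
}

func main() {
	a, err := ParseSocatVsock("x0000x33332222x02000000x00000000")
	if err != nil {
		panic(err)
	}
	fmt.Printf("domain=%d (AF_VSOCK) port=0x%08x cid=%d (host=%v)\n",
		AFVsock, a.Port, a.CID, a.CID == VMAddrCIDHost)
	fmt.Println("Hyper-V service GUID:", ServiceGUID(a.Port))
}
```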

SecureCRT SSH agent forwarding not working

When using SecureCRT with the environment variable VANDYKE_SSH_AUTH_SOCK set to \\.\pipe\openssh-ssh-agent, SSH agent forwarding is not working. The remote SSH host has the SSH_AUTH_SOCK variable set, but its agent doesn't have any keys. ssh-add -l returns The agent has no identities.

If I remove VANDYKE_SSH_AUTH_SOCK variable everything works as expected.

Confirmation request seems not to work

Hi,

I found this project searching for a SSH Agent working with PowerShell as well as GitBash (MSYS).
I do (currently) not use the Windows-Cert (YubiKey) features, but use it as a "normal" SSH agent. While testing, I realized, ssh-add -c <key-file> does not work as expected. The key gets added, but no confirmation has to be done on usage. I took the following steps in a GitBash as PoC:

$ ssh-add -c <path-to-key-file>
Enter passphrase for <path-to-key-file> (will confirm each use):
Identity added: <path-to-key-file> (<name-of-key>)
The user must confirm each use of the key

When subsequently opening a ssh connection using this key from the agent, no confirmation is needed.

Is there any plan to implement the -c flag correctly? I tested -t (timeout) and this seems to work properly.

ignore duplicate entries

I'm using KeePassXC as my keyagent and each unlock adds my keys to wincryptssh again.
Provoking "too many authentication failures" when ssh tries too often.

Could you please implement a check so if the ssh-key to be added is already there, do not add it again?

support for mobaxterm

MobaXterm is a very useful ssh client on Windows. It seems that its ssh module used putty (it uses putty ssh keys), however it doesn't work with WinCryptSSHAgent.

No /tmp/wincrypt-hv.sock file found within WSL2 distro

Overview

I'm using a somewhat fresh install of Windows 10 + WSL Ubuntu 20.04 (installed from the Windows App Store). The WinCryptSSHAgent worked perfectly using the WSL(1) version, not so much when using the WSL2 version.

Upon some light investigation, I noticed that the instructions attempt to point SSH_AUTH_SOCK to a file within /tmp/wincrypt-hv.sock, which is nonexistent even when rebooting the PC.

I'm not on the Windows-Insiders version, so I upgraded the distro to WSL2 manually and followed the new instructions shown on WinCryptSSHAgent: WSL2 / Linux on Hyper-V Settings only to find that something broke.

To Recreate

  1. Install WinCryptSSHAgent via Chocolatey
  2. Install "Ubuntu 20.04" (not "Ubuntu") from App Store
  3. Check wsl version on powershell wsl -l -v
  4. Follow WinCryptSSHAgent WSL(1) instructions
  5. Check keys with ssh-add -l
  6. Upgrade to wsl2 using the instructions here
  7. Follow new WinCryptSSHAgent instructions
  8. Check keys with ssh-add -l

Limit SSHkey providers

Hey,
it would be great to Limit the source of the SSH keys the agent provides.

Since currently at my work PC it shows me a list of SSH keys that I have no clue about how they appeared there.
And my Yubikey isn't even inserted. If I insert it I would think that it adds my Authkey to the list but it does not.

Smart Card Service error

Hello,

after the last 1.1.4 update on every authentication attempt a warning window appears saying "Smart Card Service is stopped! Do you want to restart it?" I have to
The service itself is in Manual state by default, but it doesn't matter if I change it to Automatic or to any other startup type.

My OS version is: Windows 10 Home, Version 20H2, Build 19042.746

Suggestion: Options to select used protocols

Hi,

Perhaps you think this doesn't have sense, but it can:

  • The idea is to provide (over the command line) the option to select which protocols to use.

One use case is that you can enable only the UNIX socket mode, and not the others. Then start another Key Manager that speaks a different protocol.

I hope you think this has sense.
Regards.

Delay between authentications

Hi,

I've tried switching from GPG4Win to this, it works well in both KiTTY (a PuTTY fork) and WSL 2, however I noticed one major problem:

When I try opening the first SSH connection it works without any problems, however if I try to open another connection directly after that, I'm getting this window:


Only after waiting for around 15-30 seconds I can open another connection.
While this isn't an issue with manual connections, it makes automated connections for example with ansible almost impossible.

Can't get it to work with Yubikey

hello,

I found this application and it looked like a good way to use my yubikey for openssh on windows and WSL but I can't get it to work. I did have it working for openssh on windows with GPG however.

Can you give some more information on how this should be working? I am running the .exe and I have set the PATH variable like I should, but if I ssh I still get the prompt asking me for my password instead of a popup for unlocking the yubikey.

Cannot authenticate SSH after any GPG operations

Hi,

I'm using a YubiKey 5 NFC with WinCryptSSHAgent. I've generated a certificate in PIV certificate Slot 9a:

and it works well with WinSSH. However, after each time I perform any GPG operation (e.g., gpg --card-status, gpg --sign, etc.), I can no longer use my YubiKey with WinCryptSSHAgent to authenticate SSH connections:
"The smart card cannot perform the requested operation or the operation requires a different smart card."

Seems like that once I've performed any GPG operation, Windows will no longer read the PIV certificates stored in YubiKey until replugging.

Any idea or solution on this issue? Thanks a lot!

Error when starting WinCryptSSHAgent

I only just installed it and when I try to start it I see this:


Image is an error dialog that reads:
open C:\ProgramData\chocolately\lib\wincrypt-sshagent\wincrypt-cygwin.sock: Access is denied.

Update: When attempting to "Open as administrator" I see the following:

open \\.\pipe\openssh-ssh-agent: Access is denied

PIN re-prompt behavior

I have successfully configured the agent to use my PIV cert on my yubikey for use with win32_openssh, I am prompted for PIN when connecting via:

ssh -A host.fqdn -l certuser

I also found that running sudo -l prompts for PIN as well. However I do not get prompted when disconnecting and reconnecting as well as subsequent sudo attempts (after the timeout).

Is there a way to enforce a timeout or force PIN re-auth every time?

Hide .sock files

Some noob in my team just had "broken his SSH". Turned out he deleted the wincrypt-wsl.sock and wincrypt-cygwin.sock files.
I think they should at least be created as hidden, if not system files. Then again maybe they'd better be placed in ~.ssh

Show the windows credential prompt on top and in focus

I was using vscode, trying to open a remote ssh session. The Windows credential prompt pops under the windows, waiting for me to insert my yubikey.

That window should be topmost.

Also, debugging doesn't really work. I set the env variable, and while yes it creates the file, it stays empty.

Cannot read the certificate from the card?

I followed the Yubikey with WSL tutorial
and I generated a private key and a certificate for the 9a slot of my yubikey,
but when I replugged the yubikey, I cannot find my certificate in certmgr.msc (Group Policy is edited).
I ran certutil -scinfo, and it showed the result:

C:\Users\x>certutil -scinfo
Microsoft 智能卡资源管理器正在运行。
当前读卡器/卡状态:
读卡机: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
--- 状态: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- 状态: 此卡可用。
---   卡: Identity Device (NIST SP 800-73 [PIV])
---    ATR:
         xxxx


=======================================================
正在分析读卡器中的卡: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ 证书 0 ================
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
---   卡: Identity Device (NIST SP 800-73 [PIV])
提供程序 = Microsoft Base Smart Card Crypto Provider
密钥容器 = (null) [默认容器]

无法打开读卡器的 AT_SIGNATURE 密钥: Yubico YubiKey OTP+FIDO+CCID 0
无法打开读卡器的 AT_KEYEXCHANGE 密钥: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ 证书 0 ================
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
---   卡: Identity Device (NIST SP 800-73 [PIV])
提供程序 = Microsoft Smart Card Key Storage Provider
密钥容器 = (null) [默认容器]

无法打开读卡器的  密钥: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------

完成。
CertUtil: -SCInfo 命令成功完成。

It seems XShell6 won't be using pageant anymore.

As the title, F.Y.I.

When connecting to the server using XShell6, the smart card window won't pop up anymore.

Seems they have dropped the support of pageant and using Xagent instead, maybe it is a good idea to remove this software from the supported list. :P

Exclude Adobe Certificates

Similar to #4

Adobe inserts certs and CAs into the store for their validation purposes. This adds a handful of entries for authentication checks and most sshds will reject on Too many authentication failures.

I have Adobe Content Certificate 10-5, 10-6, and Adobe Intermediate CA 10-3.

Happy to provide any information needed.

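How to use it in XShell?

I followed your tutorial, and I can now log in successfully in putty using the smart card key,
but in XShell v7.0 I cannot log in with the PKCS#11 certificate.
I followed the official documentation, but after connecting, the password login prompt dialog pops up immediately.
SSH Connections with YubiKey PKCS#11 User Authentication(PIV) - Technical Support - NetSarang Computer
https://netsarang.atlassian.net/wiki/spaces/ENSUP/pages/796426271/

When I open WinCryptSSHAgent and connect again, the smart card window pops up asking for the PIN; after I enter it, the password prompt dialog pops up again.
It says: The SSH server rejected the user key. Please try another user key or another authentication method...

This problem has been bothering me for several days. I would appreciate some guidance, thank you.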

32 bit build request

Hi,

I just got it to build with 32 bit go pretty easily and would like to ask if you'd consider putting out an installer for 32 bit =] I'm using a surface pro x, which is an arm64 processor but has 32 bit emulation support. Since golang isn't out for windows / arm64 having a build for 32 bit is the next best thing but at least lets us use the tool on this and other windows arm devices =]

Thanks for thinking about it!

Possibility to implement GPG backend?

Hi,

I just had a play around with WinCryptSSHAgent and I'm really liking it, however there seem to be some security issues with the current backend when using it with a Yubikey.
Compared to Gpg4win it uses the PIV functionality of a Yubikey instead of the GPG functionality.

When using Gpg4win, the Yubikey always needs to be plugged in and the first access to the GPG key after restarting or plugging in the Yubikey needs to be validated by entering the GPG PIN. When pulling out the Yubikey no further key access is possible anymore, so no new SSH sessions can be created.

When using WinCryptSSHAgent, it seems the Yubikey only needs to be plugged in the very first time starting it. After that I can remove the Yubikey, close and restart WinCryptSSHAgent and I can still open new SSH sessions.

While this makes authentication a lot easier, it also seems to circumvent a lot of the added security a Yubikey offers. I'm no expert on this by any means, so maybe I just got something wrong.

Would it be possible to implement something that uses the GPG functionality of a Yubikey instead of PIV to have the added security of the PIN and allow no further access as soon as the key is removed?
All other existing solutions for WSL2 only hook into a running Gpg4win instance, but don't offer a true replacement, so this would really be awesome to have.

As a sidenote, using the GPG functionality of the Yubikey would also keep the same keys compared to Gpg4win, so no new keys would have to be placed on the servers when switching from Gpg4win to WinCryptSSHAgent.

"Connection refused" to wincrypt-wsl.sock socket in WSL

Hi, I'm having trouble getting WinCrypt SSH Agent to work. I'm trying to use it on Windows 10 2004 with WSL2 and Pageant. Pageant is set up to start and load my SSH key on login.

  1. First I installed WinCrypt SSH Agent via chocolatey (as admin).
  2. When starting the Agent I got an error that it couldn't create the .sock file in the C:\ProgramData\chocolatey\lib\wincrypt-sshagent\tools\ directory. Makes sense, since that directory is only writeable by admins by default. So I granted Users write permission to that directory.
  3. Starting the Agent then gave no more errors and I could see the .sock file was created.
  4. When right-clicking the systray icon and showing public keys, I could see some key but not the key that was loaded into Pageant.
  5. I added the SSH_AUTH_SOCK environment variable to my WSL2 shell (zsh on Ubuntu): export SSH_AUTH_SOCK="/mnt/c/ProgramData/chocolatey/lib/wincrypt-sshagent/tools/wincrypt-wsl.sock"

When testing via ssh -Tv [email protected] I get a permission denied and the debug log shows pubkey_prepare: ssh_get_authentication_socket: Connection refused

The socket should be readable according to linux: -rwxrwxrwx 1 martijn martijn 0 Jul 29 12:34 /mnt/c/ProgramData/chocolatey/lib/wincrypt-sshagent/tools/wincrypt-wsl.sock

I'm not sure which part of the setup went wrong but it appears that my key from Pageant isn't visible to WinCrypt and that the socket is not responding to requests from apps in WSL.

I'd appreciate your help.

I can't login with xshell and yubikey, get "Received an empty signature from ssh-agent." error

The version I'm using is Xshell7 (Build 0073). I referenced "https://github.com/buptczq/WinCryptSSHAgent/blob/master/doc/wsl_tutorial.md".

When I touch input key and press twice YubiKey 5 NFC, I get the following error: Received an empty signature from ssh-agent.

The algorithm of my certificate is "ecdsa-sha2-nistp384"

This is log of xshell:
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[13:21:49] Version exchange initiated...
[13:21:49] server: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
[13:21:49] client: SSH-2.0-nsssh2_7.0.0013 NetSarang Computer, Inc.
[13:21:49] SSH2 is selected.
[13:21:49] SSH_MSG_IGNORE(2)
[13:21:49] Outgoing packet: 20 (0x14: SSH2_MSG_KEXINIT)
[13:21:49] Incoming packet: 20 (0x14: SSH2_MSG_KEXINIT)
[13:21:49] Algorithm negotiation initiated... (Dialog mode)
[13:21:49] key exchange: [email protected]
[13:21:49] host key: ssh-rsa
[13:21:49] outgoing encryption: [email protected]
[13:21:49] incoming encryption: [email protected]
[13:21:49] outgoing mac: [email protected]
[13:21:49] incoming mac: [email protected]
[13:21:49] outgoing compression: none
[13:21:49] incoming compression: none
[13:21:50] Outgoing packet: 30 (0x1e: SSH2_MSG_KEXDH_INIT)
[13:21:50] Incoming packet: 31 (0x1f: SSH2_MSG_KEXDH_REPLY)
[13:21:50] Host authentication initiated...
[13:21:50] Hostkey fingerprint:
[13:21:50] rsa 2048 76:2b:84:45:42:98:64:0e:10:aa:98:c6:04:d7:a4:e6
[13:21:50] Accepted. Verifying host key...
[13:21:50] Verified.
[13:21:50] Outgoing packet: 21 (0x15: SSH2_MSG_NEWKEYS)
[13:21:50] Incoming packet: 21 (0x15: SSH2_MSG_NEWKEYS)
[13:21:50] Outgoing packet: 5 (0x05: SSH2_MSG_SERVICE_REQUEST)
[13:21:50] Incoming packet: 7 (0x07: SSH2_MSG_EXT_INFO)
[13:21:50] server-sig-algs = ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
[13:21:50] Incoming packet: 6 (0x06: SSH2_MSG_SERVICE_ACCEPT)
[13:21:50] User authentication initiated... (Dialog mode)
[13:21:50] Sent user name 'root'.
[13:21:50] Outgoing packet: 50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[13:21:50] Incoming packet: 51 (0x33: SSH2_MSG_USERAUTH_FAILURE)
[13:21:50] Server requested: publickey,password
[13:21:50] Server support public key authentication method.
[13:21:50] Trying to find ssh-agent...
[13:21:50] Xagent is running. Connecting to ssh-agent...
[13:21:50] Auth method is agent.
[13:21:50] Received 3 identity-blob(s) from ssh-agent.
[13:21:50] Trying next identity blob...
[13:21:50] Outgoing packet: 50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[13:21:50] UserKey type:ecdsa-sha2-nistp384 keylen:136
[13:21:50] Incoming packet: 60 (0x3c: SSH2_MSG_USERAUTH_PK_OK)
[13:21:50] Received PK_OK packet.
[13:21:50] Sent sign request to ssh-agent. alg: ecdsa-sha2-nistp384
[13:21:57] Received an empty signature from ssh-agent.
[13:21:57] Trying next identity blob...
[13:21:57] Outgoing packet: 50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[13:21:57] UserKey type:rsa-sha2-512 keylen:279
[13:21:57] Incoming packet: 51 (0x33: SSH2_MSG_USERAUTH_FAILURE)
[13:21:57] Server rejected the public blob,
[13:21:57] Trying next identity blob...
[13:21:57] Outgoing packet: 50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[13:21:57] UserKey type:rsa-sha2-512 keylen:151
[13:21:57] Incoming packet: 51 (0x33: SSH2_MSG_USERAUTH_FAILURE)
[13:21:57] Server rejected the public blob,
[13:21:57] No more keys to try.
[13:21:57] Fall back to normal user authentication steps.
[13:22:16] Canceled.
[13:22:16] Outgoing packet: 1 (0x01: SSH2_MSG_DISCONNECT)
Connection closing...Socket close.

I also used ssh and get same error:
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/lizhirui/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 129.226.226.236 [129.226.226.236] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/lizhirui/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/lizhirui/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 129.226.226.236:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:JQ/sDZFLgWQkX53Kz7AQb5fgUaJgGw/9aIMxCLBLnDc
debug1: Host '129.226.226.236' is known and matches the ECDSA host key.
debug1: Found key in /home/lizhirui/.ssh/known_hosts:4
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ECDSA SHA256:YO3/wDmZHhcCuXuj84QrMRaQg3eFi1Gs5crFhC/+wvc lizhirui-piv-yubikey
debug1: Server accepts key: pkalg ecdsa-sha2-nistp384 blen 136
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering public key: RSA SHA256:+Y2eHGrNkHyEwZFLSGAlx+aBHLlC83VoXJOkiggAA00 DigiCert Global Root G1A
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: RSA SHA256:14hh9jXZPUU/QY+T0GrUC1fOLbER2jsdS6xD+Jia1w4 f7d8804a937a0515
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/lizhirui/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
