Issue
Even though I registered an SSH key on Heroku, I cannot connect to Shield one-off dynos. The Heroku CLI command heroku run bash shows an error like:
> There was a problem connecting to the dyno.
> Confirm that your ssh key is added to your agent by running `ssh-add`.
> Check that your ssh key has been uploaded to heroku with `heroku keys:add`.
> See https://devcenter.heroku.com/articles/one-off-dynos#shield-private-spaces
Resolution
First and foremost, ensure that you have an updated SSH key; you can follow this KB. You may also have to allow the SSH key to be used against 127.0.0.1 in ~/.ssh/config. The Heroku CLI command creates a tunnel to the Shield Private Space with its entrance at 127.0.0.1 on a random port and runs the ssh command to connect to the tunnel.
It seems OpenSSH 8.2 disabled the ssh-rsa public key signature algorithm by default to avoid the use of the now-vulnerable SHA-1 hash algorithm. This makes it impossible to establish the SSH connection against the bastion, which only supports ssh-rsa for customers who uploaded RSA keys, until a pull request that enables rsa-sha2-256, rsa-sha2-512, and ssh-rsa is merged and deployed to customers' Private Spaces. Until then, we'd need to ask customers to enable ssh-rsa by adding the following to ~/.ssh/config:
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
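
Because the tunnel entrance is always 127.0.0.1, the workaround can be limited to that host instead of `Host *`, and the effective client configuration can then be checked with `ssh -G`. The script below is an added example, not Heroku's code: the scoped stanza in its comments, the function names and the sample `ssh -G` output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article).
#
# Assumed scoped variant of the workaround, for ~/.ssh/config:
#
#   Host 127.0.0.1
#       HostKeyAlgorithms +ssh-rsa
#       PubkeyAcceptedKeyTypes +ssh-rsa
#
# Check the result for any host with:
#   ssh -G 127.0.0.1   | sshrsa_options
#   ssh -G example.com | sshrsa_options

# Reads `ssh -G <host>` output on stdin and prints the name of every option
# whose algorithm list contains the SHA-1 based "ssh-rsa" entry (exact match,
# so rsa-sha2-256 or ssh-rsa-cert-v01@openssh.com do not count).
sshrsa_options() {
  awk '
    $1 == "hostkeyalgorithms" || $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
      n = split($2, algs, ",")
      for (i = 1; i <= n; i++)
        if (algs[i] == "ssh-rsa") { print $1; break }
    }'
}

# Constructed samples, shortened from what `ssh -G` prints (lowercase keys).
SAMPLE_LOOPBACK='hostname 127.0.0.1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

SAMPLE_OTHER='hostname example.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Prints a one-line verdict. $1 = label, $2 = `ssh -G` output.
audit() {
  hits=$(printf '%s\n' "$2" | sshrsa_options | tr '\n' ' ')
  if [ -n "$hits" ]; then
    echo "$1: ssh-rsa enabled in: $hits"
  else
    echo "$1: ssh-rsa not enabled"
  fi
}

audit "127.0.0.1" "$SAMPLE_LOOPBACK"
audit "example.com" "$SAMPLE_OTHER"
```

With the scoped stanza, only the 127.0.0.1 check should list any options; with `Host *`, every host will.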