Issue
Even though I registered an SSH key on Heroku, I cannot connect to Shield one-off dynos. The Heroku CLI command heroku run bash shows an error like:
⸠There was a problem connecting to the dyno.
⸠Confirm that your ssh key is added to your agent by running `ssh-add`.
⸠Check that your ssh key has been uploaded to heroku with `heroku keys:add`.
⸠See https://devcenter.heroku.com/articles/one-off-dynos#shield-private-spaces
Resolution
You may have to allow the SSH key to be used against 127.0.0.1 in ~/.ssh/config. The Heroku CLI command creates a tunnel to the Shield Private Space with its entrance at 127.0.0.1 on a random port and runs the ssh command to connect to the tunnel.
It seems OpenSSH 8.2 disabled the ssh-rsa public key signature algorithm by default to avoid the use of the now-vulnerable SHA-1 hash algorithm. This makes it impossible to establish the SSH connection against the bastion, which only supports ssh-rsa for customers who uploaded RSA keys, until a pull request that enables rsa-sha2-256, rsa-sha2-512, and ssh-rsa is merged and deployed to customers' Private Spaces. Until then, we'd need to ask customers to enable ssh-rsa by adding the following to ~/.ssh/config:
Host *
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
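
An added example, not part of the original article or of Heroku's tooling: a POSIX shell check over effective client settings in the format printed by `ssh -G`, showing whether ssh-rsa is accepted only for the tunnel endpoint 127.0.0.1 or for every host, which is what the `Host *` stanza above does. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Heroku's code: reads effective client settings in the
# format printed by `ssh -G <host>` and reports where ssh-rsa is accepted.

# has_ssh_rsa KEYWORD: stdin is `ssh -G` output. Succeeds only if KEYWORD's
# comma-separated list holds the exact name "ssh-rsa"; a substring match
# would wrongly hit ssh-rsa-cert-v01@openssh.com.
has_ssh_rsa() {
    awk -v want="$1" '
        $1 == want {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# enabled_for DUMP: true if DUMP accepts ssh-rsa for host keys or client keys.
# The client-key keyword is pubkeyacceptedkeytypes before OpenSSH 8.5 and
# pubkeyacceptedalgorithms from 8.5 on, so both are checked.
enabled_for() {
    for kw in hostkeyalgorithms pubkeyacceptedkeytypes pubkeyacceptedalgorithms; do
        if printf '%s\n' "$1" | has_ssh_rsa "$kw"; then return 0; fi
    done
    return 1
}

# classify TUNNEL_DUMP OTHER_DUMP: "scoped" if only the tunnel endpoint accepts
# ssh-rsa, "global" if other hosts do too, "disabled" if the tunnel does not.
classify() {
    if ! enabled_for "$1"; then echo disabled
    elif enabled_for "$2"; then echo global
    else echo scoped
    fi
}

# Constructed samples, trimmed to the relevant lines of `ssh -G` output.
TUNNEL='hostname 127.0.0.1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
OTHER_DEFAULT='hostname example.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
OTHER_GLOBAL='hostname example.com
hostkeyalgorithms ssh-ed25519,ssh-rsa
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa'

classify "$TUNNEL" "$OTHER_DEFAULT"   # prints: scoped
```

Against a live client, pass `"$(ssh -G 127.0.0.1)"` as the first argument and the `ssh -G` output for any other host as the second. A result of `global` means the SHA-1 based algorithm is accepted for connections beyond the Heroku tunnel.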