ssh public key authentication in Leap 15.6
A local server I used to regularly log on to with public key authentication in Leap 15.5 now reports: 92.168.33.2: Permission denied (publickey,keyboard-interactive) in Leap 15.6 using the same configuration within ~/.ssh of both distros. Obviously, the IdentityFile is unchanged. Any obvious suggestions on where I look for the change in Leap 15.6?
On 2024-06-19 20:42, Rick Smegal via openSUSE Users wrote:
A local server I used to regularly log on to with public key authentication in Leap 15.5 now reports: 92.168.33.2: Permission denied (publickey,keyboard-interactive) in Leap 15.6 using the same configuration within ~/.ssh of both distros. Obviously, the IdentityFile is unchanged. Any obvious suggestions on where I look for the change in Leap 15.6?
Do you have access to both client and server? Check logs on server, and run the client with "-v" (up to -vvv is possible.) Which machine has been updated, the client, the server, or both? Possibly some protocol version has been dropped. -- Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)
Thanks. This will give me a good starting point to follow. Only the client has been upgraded; the server version of ssh is very, very old. I can still access the server with Leap 15.5 on my laptop so I can poke around on it. Running ssh -v on both versions and comparing may be useful.
On Wed, 19 Jun 2024 18:42:55 +0000 Rick Smegal <rsmegal@aardvarr.ca> wrote:
A local server I used to regularly log on to with public key authentication in Leap 15.5 now reports: 92.168.33.2: Permission denied (publickey,keyboard-interactive) in Leap 15.6 using the same configuration within ~/.ssh of both distros. Obviously, the IdentityFile is unchanged. Any obvious suggestions on where I look for the change in Leap 15.6?
Check "/etc/ssh/ssh_config" and "/etc/ssh/sshd_config". Leap 15.6 is using a newer version of openssh. I noticed that it replaced my normal config with the default versions. It renamed my original versions as "ssh_config.rpmsave" and "sshd_config.rpmsave". For the newer openssh, it is better to put any of your own configuration in drop-in files in "/etc/ssh/ssh_config.d" and "/etc/ssh/sshd_config.d". Apart from that change, all is working fine here.
On Wed, 19 Jun 2024 18:42:55 +0000 Rick Smegal <rsmegal@aardvarr.ca> wrote:
I think there was another change, although it did not affect me. I seem to recall that it won't accept RSA keys smaller than 2048 bit, and maybe it won't accept DSA keys (not sure of that). I am using an "ed25519" key.
I'll start the debugging process with ssh -v. I'll mention here that some of these servers use interactive-keyboard authentication and I was unable to access these with Leap 15.6 until I appended the line: HostKeyAlgorithms +ssh-rsa,ssh-dss in the /etc/ssh/ssh_config file. I understand that these algorithms are not secure and have been deprecated, although I am not overly concerned as these servers are on the way out. This fix does not appear to affect the problem with servers using the public-key authentication. The SUSE security manual is quite good and I should peruse that in regard to Leap 15.6 installation.
Solved! ssh-rsa algorithm for public key authentication (using SHA1 hash) has been deprecated (https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation...) and is excluded from the general crypto policies of Leap_15.6 (/usr/share/crypto-policies/DEFAULT/openssh.txt).

The clue from ssh -vv was these lines:

debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method

The fix was to add:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa

to the user configuration (~/.ssh/config) related to particular host servers and remove them for all other host servers with:

# Disable SSH forwarding on all other machines
# remove public key algorithm ssh-rsa since it is deprecated
Host *
    ForwardAgent no
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms= -ssh-rsa
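As an added illustration (not code from Rick's post or from the openSUSE project), the script below simulates how OpenSSH resolves a keyword against ~/.ssh/config: the first value obtained per keyword wins, and a +/- prefix modifies the policy default list rather than an earlier stanza's value, which is why the per-host stanza re-enabling ssh-rsa has to sit above the "Host *" stanza. The default algorithm list, host names and config text are constructed, and the parser deliberately ignores Match, Include and negated (!) host patterns.

```python
import fnmatch
import re

# Constructed stand-in for the crypto-policy default (the real Leap 15.6 list is longer);
# as on the page, plain ssh-rsa (SHA-1 signatures) is absent from it.
DEFAULT_PUBKEY = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]

# Constructed ~/.ssh/config in the shape of the thread's fix; the legacy host stanza
# comes first because ssh_config keeps the FIRST value obtained for each keyword.
SAMPLE_CONFIG = """\
Host legacy.example.test
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
# Disable forwarding everywhere else and drop the deprecated ssh-rsa
Host *
    ForwardAgent no
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms= -ssh-rsa
"""

def parse_config(text):
    """Return [(host_patterns, {keyword: value}), ...] stanzas in file order."""
    current = (["*"], {})            # options above any Host line apply to every host
    stanzas = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)   # accepts "Key value" and "Key=value"
        if not m:
            continue                 # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.split(), {})
            stanzas.append(current)
        else:
            current[1].setdefault(key, value)   # first value inside a stanza wins too
    return stanzas

def effective_list(stanzas, host, keyword, default):
    """First matching value for `keyword`, with OpenSSH's +/- list modifiers applied."""
    key = keyword.lower()
    value = next((opts[key] for pats, opts in stanzas
                  if key in opts and any(fnmatch.fnmatchcase(host, p) for p in pats)), None)
    if not value:
        return list(default)
    names = value.lstrip("+-").split(",")
    if value[0] == "+":   # append the named algorithms to the default set
        return list(default) + [n for n in names if n not in default]
    if value[0] == "-":   # remove them (wildcards allowed) from the default set
        return [a for a in default if not any(fnmatch.fnmatchcase(a, n) for n in names)]
    return names          # a bare list replaces the default entirely
```

Swapping the two stanzas (putting "Host *" first) makes the legacy host lose ssh-rsa again, which is the ordering mistake to check for when a per-host override "does nothing".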
On 2024-06-21 23:24, Rick Smegal via openSUSE Users wrote:
Solved! ssh-rsa algorithm for public key authentication (using SHA1 hash) has been deprecated (https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation...) and is excluded from the general crypto policies of Leap_15.6 (/usr/share/crypto-policies/DEFAULT/openssh.txt).
The clue from ssh -vv was these lines:

debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
The fix was to add:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa
to the user configuration (~/.ssh/config) related to particular host servers and remove them for all other host servers with:
# Disable SSH forwarding on all other machines
# remove public key algorithm ssh-rsa since it is deprecated
Host *
    ForwardAgent no
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms= -ssh-rsa
That's a very interesting solution, thanks for sharing! :-) -- Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)
participants (4)
- Carlos E. R.
- Knurpht-openSUSE
- Neil Rickert
- Rick Smegal