... results in the output appended. Can anyone help explain what is
going wrong and help fix the problem? My first suspicion is that a
newer version of ssh in the Ubuntu 22 builds is not accepting the older
keys accepted by Ubuntu 18, so, if this is true, I need to know what configuration changes to make in /etc/ssh_config to get backward compatibility. Nothing leaps out at me from reading the online manual
and so far searches have produced the usual advice about how to set up public key use, and the standard advice to try when it goes wrong, all
of which I've done. I've not yet found anything covering this exact situation.
As per subject, I have a number of Windows 7 PCs which are running an
old-ish 32-bit version of ssh via CygWin and PuTTy. Several of these machines dual-boot between Windows and Ubuntu22. I also have a number
of servers and network media players, 4 pretty old, 2 much newer.
The machines running under Windows can log into the old servers via
the old-ish 32-bit ssh and Cygwin using a public key file, no password
is required, but to log into the newer servers, I have to use PuTTy.
However, when booted into Ubuntu 22 none of the machines, even though
they're using the *SAME* key files, can login in using just these
public keys, a password is requested for both old and new servers. I
never had this problem with Ubuntu 18.
I've checked all the usual suspects:
+ The id_rsa* copied into ~/.ssh are identical to those used by the
Windows builds.
... results in the output appended. Can anyone help explain what is
going wrong and help fix the problem? My first suspicion is that a
newer version of ssh in the Ubuntu 22 builds is not accepting the
older keys accepted by Ubuntu 18, so, if this is true,
Debug output:
debug1: Will attempt key: /user/.ssh/id_rsa.pub RSA SHA256:<an unknown
key, not the one in id_rsa or id_rsa.pub> explicit
debug1: Offering public key: /user/.ssh/id_rsa.pub RSA SHA256:<same
unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: send_pubkey_test: no mutual signature algorithm
However, the same key file
As per subject, I have a number of Windows 7 PCs which are running anese
old-ish 32-bit version of ssh via CygWin and PuTTy.=C2=A0 Several of th=
machines dual-boot between Windows and Ubuntu22.=C2=A0 I also have a nu=mber
of servers and network media players, 4 pretty old, 2 much newer.c
=20
The machines running under Windows can log into the old servers via the=
old-ish 32-bit ssh and Cygwin using a public key file, no password is required, but to log into the newer servers, I have to use PuTTy.
=20
However, when booted into Ubuntu 22 none of the machines, even though
they're using the *SAME* key files, can login in using just these publi=
keys, a password is requested for both old and new servers.=C2=A0 I nev=er had
this problem with Ubuntu 18.
=20
Java Jive <java@evij.com.invalid> wrote:
If it is a mismatch in what key types are accepted you'll need
... results in the output appended. Can anyone help explain what is
going wrong and help fix the problem? My first suspicion is that a
newer version of ssh in the Ubuntu 22 builds is not accepting the older
keys accepted by Ubuntu 18, so, if this is true, I need to know what
configuration changes to make in /etc/ssh_config to get backward
compatibility. Nothing leaps out at me from reading the online manual
and so far searches have produced the usual advice about how to set up
public key use, and the standard advice to try when it goes wrong, all
of which I've done. I've not yet found anything covering this exact
situation.
something like this (this is a section from my ~/.ssh/config):-
#
#
# D-Link NAS, not in use at the moment but the configuration for an old ssh
# version is good to know
#
Host dlink dlink-5CA453
HostName dlink-5CA453.zbmc.eu
HostKeyAlgorithms=+ssh-dss
I have to use PuTTy.
Java Jive <java@evij.com.invalid> writes:
As per subject, I have a number of Windows 7 PCs which are running an
old-ish 32-bit version of ssh via CygWin and PuTTy. Several of these
machines dual-boot between Windows and Ubuntu22. I also have a number
of servers and network media players, 4 pretty old, 2 much newer.
The machines running under Windows can log into the old servers via
the old-ish 32-bit ssh and Cygwin using a public key file, no password
is required, but to log into the newer servers, I have to use PuTTy.
However, when booted into Ubuntu 22 none of the machines, even though
they're using the *SAME* key files, can login in using just these
public keys, a password is requested for both old and new servers. I
never had this problem with Ubuntu 18.
I've checked all the usual suspects:
+ The id_rsa* copied into ~/.ssh are identical to those used by the
Windows builds.
What size is the key? To find out:
ssh-keygen -l -f .ssh/id_rsa.pub
debug1: Will attempt key: /user/.ssh/id_rsa.pub RSA SHA256:<an unknown
key, not the one in id_rsa or id_rsa.pub> explicit
How are you determining that it’s not the same key?
debug1: Offering public key: /user/.ssh/id_rsa.pub RSA SHA256:<same
unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: send_pubkey_test: no mutual signature algorithm
The server did not accept your key.
However, the same key file
Your message seems to be truncated.
There’s not enough information here to be sure (server debug output
might help) but my guess is that you’re trying to use an RSA-1024 key
with a modern SSH server, which rejects it as too weak. If you are still using RSA-1024 then it’s time for new keys.
On 24/08/2024 09:51, Richard Kettlewell wrote:^^^^^^^
Java Jive <java@evij.com.invalid> writes:
As per subject, I have a number of Windows 7 PCs which are running an
old-ish 32-bit version of ssh via CygWin and PuTTy. Several of these
debug1: Offering public key: /user/.ssh/id_rsa.pub RSA SHA256:<sameThe server did not accept your key.
unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: send_pubkey_test: no mutual signature algorithm
Really odd, seeing it accepts exactly the same key from Windows 7 and formerly Ubuntu 18.
debug1: Will attempt key: /user/.ssh/id_rsa.pub RSA SHA256:<an unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /user/.ssh/id_rsa.pub RSA SHA256:<same unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: send_pubkey_test: no mutual signature algorithm
[…]
Java Jive <java@evij.com.invalid> writes:OpenSSH_5.1p1, OpenSSL 0.9.8i 15 Sep 2008
^^^^^^^
On 24/08/2024 09:51, Richard Kettlewell wrote:
Java Jive <java@evij.com.invalid> writes:
As per subject, I have a number of Windows 7 PCs which are running an
old-ish 32-bit version of ssh via CygWin and PuTTy. Several of these
What version exactly?
ssh -v
debug1: Offering public key: /user/.ssh/id_rsa.pub RSA SHA256:<sameThe server did not accept your key.
unknown key, not the one in id_rsa or id_rsa.pub> explicit
debug1: send_pubkey_test: no mutual signature algorithm
Really odd, seeing it accepts exactly the same key from Windows 7 and
formerly Ubuntu 18.
If the client is attempted SHA1-based signature that would probably also
be rejected by a modern server. I’m not convinced that’s a likely explanation since based on the debug trace it is using SHA256 key hashes
and understands SHA2 ECDSA signatures.
At this point I’d be reaching for server-side debug logging to shed some light on why the server doesn’t like your key (or at least the signature
it makes).
This is what the failure looks like from the server with maximum[...]
debugging options:
debug1: sshd version OpenSSH_5.9p1
debug3: Incorrect RSA1 identifier
debug1: Client protocol version 2.0; client software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
Java Jive <java@evij.com.invalid> writes:
This is what the failure looks like from the server with maximum
debugging options:
[...]
Server is OpenSSH 5.9p1:
debug1: sshd version OpenSSH_5.9p1
debug3: Incorrect RSA1 identifier
Server has (among others) an ECDSA host key.
Client is OpenSSH 8.9p1:
debug1: Client protocol version 2.0; client software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
Server’s supported host key mechanisms:
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth]
Client’s supported host key mechanisms:
debug2: kex_parse_kexinit:
ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
ecdsa-sha2-nistp521 appears in both and the server has an ECDSA host
key, so host key verification is possible.
The public key authentication mechanism aren’t logged but there is no shared RSA mechanism - the server only has ssh-rsa (i.e. RSA with SHA-1) while the client only has rsa-sha2-512 and rsa-sha2-256 (i.e. RSA with SHA-512 or SHA-256).
Looking at the OpenSSH release notes:
* ssh-rsa was disabled in OpenSSH 8.7 because it’s broken;
your OpenSSH 8.9p1 client therefore has it disabled by default.
* rsa-sha2-256 and rsa-sha2-512 were added in OpenSSH 7.2;
your OpenSSH 5.9p1 client therefore cannot use them.
So my guess was basically right, although I’d got client and server the wrong way round.
I think your options are:
* Upgrade the server to something from this decade; it should start
using one of the SHA2 mechanisms with your existing RSA keys.
* Create an ECDSA key on the client(s) and use that to authenticate to
the server.
* Re-enable ssh-rsa in the OpenSSH 8.9p1 client, if you don’t care about
security.
* Create an ECDSA key on the client(s) and use that to authenticate to
the server.
I'll investigate that.
The machines running under Windows can log into the old servers via the old-ish 32-bit ssh and Cygwin using a public key file, no password is required, but to log into the newer servers, I have to use PuTTy.
However, when booted into Ubuntu 22 none of the machines, even though they're using the *SAME* key files, can login in using just these public keys, a password is requested for both old and new servers. I never had this problem with Ubuntu 18.
On 2024-08-23, Java Jive <java@evij.com.invalid> wrote:
The machines running under Windows can log into the old servers via the
old-ish 32-bit ssh and Cygwin using a public key file, no password is
required, but to log into the newer servers, I have to use PuTTy.
However, when booted into Ubuntu 22 none of the machines, even though
they're using the *SAME* key files, can login in using just these public
keys, a password is requested for both old and new servers. I never had
this problem with Ubuntu 18.
try adding this to your ssh command:
-o PubkeyAcceptedAlgorithms=+ssh-rsa
I encountewred s similar problem a few months back and that was the work-around
Sysop: | Luis Silva |
---|---|
Location: | Lisbon |
Users: | 763 |
Nodes: | 10 (0 / 10) |
Uptime: | 179:36:26 |
Calls: | 111 |
Files: | 46,971 |
Messages: | 11,214 |