
#1 2019-11-25 01:14:55

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

[SOLVED] Testing ssh locally with ed25519 gets errors

I've gone through and set up configuration for my build to have an ssh server running (in `/etc/ssh/sshd_config`). I've been using the ssh guide and configured my ssh server to listen on a non-22 port (let's say 12345). I've also configured port knocking with `iptables`, and set up Google Authenticator, but those things shouldn't even come into play for this first issue.

I've run into an issue with the first possible test. I want to do a local ssh as `sshuser` from a user called `user`. But, I get the following response:

user $ ssh -p 12345 sshuser@localhost
Unable to negotiate with 127.0.0.1 port 12345: no matching host key type found.
Their offer:

If all was working correctly, I would just expect this to hang until I ctrl-C out of it (no error message). Browsing other forums, it seems that there would typically be something sent after "Their offer:", like "ssh-dss" (although I'm using ed25519). And on the port knocking wiki page, it says that attempting an `ssh` to that port should just hang until you ctrl-C out of it (before any port knocking comes into play).

So in the end, what I want is for the above `ssh` call to hang, not to spit back that error of "no matching host key type found".

I can verify that the ssh server is listening on port 12345:

user $ systemctl status sshd | grep listening
sshd[...]: Server listening on 0.0.0.0 port 12345
sshd[...]: Server listening on :: port 12345

In `user`'s `.ssh` folder, I have generated a public/private key pair.
In `sshuser`'s `.ssh/authorized_keys` file, I have copied the contents of `user`'s newly generated public key into it.
In `/etc/ssh/sshd_config`, I have set these lines:

Port 12345
HostKey /etc/ssh/ssh_host_ed25519_key
AllowUsers sshuser

# From "Disable known weak algorithms and ciphers" section of the ssh wiki page (https://wiki.archlinux.org/index.php/OpenSSH)
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512

# Require both public key and google authenticator auth
AuthenticationMethods publickey,keyboard-interactive:pam
PasswordAuthentication no

I don't know what I have to do to get past the "no matching host key type found" error, above. Any ideas?

Last edited by hoWlExat (2019-11-25 07:32:59)


#2 2019-11-25 07:32:14

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] Testing ssh locally with ed25519 gets errors

The solution to get past this phase was understanding what the `HostKeyAlgorithms` section means in my `/etc/ssh/sshd_config` file. What I had there before meant that my ssh server (the `sshd.service`) was only accepting RSA-related key exchanges. I went to the official docs (I think it's the official docs) and found the ED25519 options:

HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com

Once that line was changed, I could run the following to get the local ssh to work:

user $ ssh -p 12345 -i <path-to-newly-generated-private-key-that-exists-in-sshuser's-authorized-keys-file> sshuser@localhost

Note that I found using the `-vvv` flag in my ssh command to be extremely helpful in debugging what was going wrong.
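The root cause in this thread is that `HostKey` pointed at an ed25519 key while `HostKeyAlgorithms` listed only RSA names, so sshd had nothing to offer and the client saw an empty "Their offer:". The script below is an added example (not the poster's code) that lints an `sshd_config` for exactly that mismatch; the key-type-to-algorithm table and the constructed fixture files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's code): lint an sshd_config for the mismatch
# behind "no matching host key type found": a HostKey whose type is not
# listed in HostKeyAlgorithms, so sshd has nothing to offer.

# Map a public-key type (first field of a .pub file) to the host-key
# algorithm names sshd can offer for it.
algs_for_keytype() {
    case "$1" in
        ssh-ed25519) echo "ssh-ed25519 ssh-ed25519-cert-v01@openssh.com" ;;
        ssh-rsa) echo "ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com" ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            echo "$1 $1-cert-v01@openssh.com" ;;
        *) echo "" ;;
    esac
}

# check_hostkey_algs CONFIG: 0 if some configured HostKey is offerable under
# HostKeyAlgorithms (or the directive is absent), 1 otherwise.
check_hostkey_algs() {
    allowed=$(awk 'tolower($1)=="hostkeyalgorithms"{print $2}' "$1" | tr ',' ' ')
    case "$allowed" in
        "") return 0 ;;            # default list covers every standard type
        +*|^*|-*) return 0 ;;      # edits the default list; treated optimistically
    esac
    usable=0
    for key in $(awk 'tolower($1)=="hostkey"{print $2}' "$1"); do
        [ -r "$key.pub" ] || { echo "warning: $key.pub unreadable" >&2; continue; }
        for alg in $(algs_for_keytype "$(awk '{print $1; exit}' "$key.pub")"); do
            for a in $allowed; do [ "$a" = "$alg" ] && usable=1; done
        done
    done
    [ "$usable" -eq 1 ] && return 0
    echo "error: $1: no HostKey matches HostKeyAlgorithms ($allowed)" >&2
    return 1
}

# Constructed fixture: an ed25519 host key stub (only the type field is read)
tmp=$(mktemp -d)
: > "$tmp/ssh_host_ed25519_key"
echo 'ssh-ed25519 AAAAconstructedNotARealKey root@example' > "$tmp/ssh_host_ed25519_key.pub"
# The poster's first (RSA-only) setting beside the corrected ed25519 one
printf 'HostKey %s/ssh_host_ed25519_key\nHostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512\n' "$tmp" > "$tmp/broken.conf"
printf 'HostKey %s/ssh_host_ed25519_key\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com\n' "$tmp" > "$tmp/fixed.conf"
check_hostkey_algs "$tmp/broken.conf" || echo "broken.conf: sshd would have no host key to offer"
check_hostkey_algs "$tmp/fixed.conf" && echo "fixed.conf: ok"
```

Pointing `check_hostkey_algs` at the real `/etc/ssh/sshd_config` (as root, so the `.pub` files are readable) gives the same pass/fail before restarting `sshd.service`.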

