
#1 2021-09-29 06:17:42

chowbok
Member
Registered: 2017-11-27
Posts: 18

[SOLVED] Latest sshd not accepting key algorithms

I just upgraded from openssh 8.7p1-1 to openssh 8.8p1-1. When I try to do a key-based login now, it's refusing my connection and logging this:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms

This is very odd, since ssh claims it is an accepted algorithm:

> ssh -Q PubkeyAcceptedAlgorithms | grep rsa
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com

A Google search for that error gives me exactly one hit, in Russian.

Anyone have any thoughts?

Last edited by chowbok (2021-09-29 06:46:54)

Offline

#2 2021-09-29 06:37:22

chowbok
Member
Registered: 2017-11-27
Posts: 18

Re: [SOLVED] Latest sshd not accepting key algorithms

Never mind, looks like a problem with PuTTY rather than OpenSSH. Anyone else running into this, you'll have to regenerate your keys with the latest version of PuTTYGen.

Offline

#3 2021-09-29 09:15:59

childerico
Member
From: Italy
Registered: 2015-11-18
Posts: 64

Re: [SOLVED] Latest sshd not accepting key algorithms

Actually, I have the same problem (i.e., key-based authentication not working any more) after the upgrade to openssh 8.8p1-1 and I am not using PuTTY. Downgrading fixes the issue.

EDIT: sorry for my pretty unuseful reply: the issue is likely not due to a bug in openssh: https://dev.to/cloudx/why-openssh-8-8-c … ovided-49i

Last edited by childerico (2021-09-29 09:19:00)

Offline

#4 2021-09-30 03:45:12

vr0
Member
Registered: 2021-09-30
Posts: 1

Re: [SOLVED] Latest sshd not accepting key algorithms

> cat /etc/ssh/sshd_config
...
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
...

> journalctl -f -u sshd
Sep 30 05:03:10 xxxx systemd[1]: Started OpenSSH Daemon.
Sep 30 05:03:10 xxxx sshd[115707]: Server listening on 0.0.0.0 port 22.
Sep 30 05:03:10 xxxx sshd[115707]: Server listening on :: port 22.
Sep 30 05:03:24 xxxx sshd[115709]: Accepted publickey for xxxx from xx.xx.xx.xx port 55163 ssh2: RSA SHA256:XXXX
Sep 30 05:03:24 xxxx sshd[115709]: pam_unix(sshd:session): session opened for user xxxx(uid=xxxx) by (uid=xxxx)
Sep 30 05:03:24 xxxx sshd[115709]: pam_env(sshd:session): deprecated reading of user environment enabled

That works for me, but I think sooner or later we must change our public keys.

> ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "comment"
> ssh-keygen -t rsa-sha2-256 -b 4096 -f ~/.ssh/id_rsa2_256 -C "comment"
> ssh-keygen -t rsa-sha2-512 -b 4096 -f ~/.ssh/id_rsa2_512 -C "comment"

Cheers.

Last edited by vr0 (2021-09-30 03:49:20)

Offline

#5 2021-10-10 18:23:56

robinhood018
Member
Registered: 2021-10-05
Posts: 1

Re: [SOLVED] Latest sshd not accepting key algorithms

Well, the above method didn't work for me either, so I had to downgrade to this version: https://archive.archlinux.org/packages/ … kg.tar.zst
You can do all this with:

> pacman -U /path/to/this/openssh-8.7p1-2-x86_64.pkg.tar.zst

This is a suggested option for anyone else for whom the other options didn't work.

Offline

#6 2021-10-12 14:15:50

rashfeather
Member
Registered: 2010-01-25
Posts: 11

Re: [SOLVED] Latest sshd not accepting key algorithms

#5 worked for me. Interesting how it's only *some* remote hosts which had a problem. I was still able to access a majority just fine.

Offline

#7 2021-10-12 14:38:55

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 14,084

Re: [SOLVED] Latest sshd not accepting key algorithms

You are papering over an intentional disable/deprecation by downgrading the package: https://www.openssh.com/txt/release-8.8 note the potentially incompatible changes note. You should fix your server's keys or follow #4 as a last resort instead of downgrading the package.

Offline

#8 2021-10-23 20:50:26

probackup-nl
Member
From: Delft
Registered: 2017-11-15
Posts: 56
Website

Re: [SOLVED] Latest sshd not accepting key algorithms

#4 doesn't work on 5.10.74-1-raspberrypi4-ARCH:

$ grep Pub /etc/ssh/sshd_config
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
$ sudo systemctl restart sshd

ssh-audit still recommends to add ssh-rsa:

# algorithm recommendations (for OpenSSH 8.8)
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) +ssh-rsa                              -- key algorithm to append
...

PS And an ancient OpenSSH 6.2 client responds with "no hostkey alg" and sshd logs in journal:

Unable to negotiate with X port Y: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss [preauth]

Last edited by probackup-nl (2021-10-23 20:54:19)

Offline
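
Added example, not part of any post in this thread: a shell/awk filter that reads sshd log lines and lists which sources hit the two failures quoted above (the userauth_pubkey rejection from post #1 and the host key negotiation failure from post #8), so the clients that still need new keys or a newer SSH client can be identified instead of re-enabling ssh-rsa for everyone. The function names, sample hosts, users and addresses are constructed, and it assumes the same sshd PID logs a "Connection closed by authenticating user" line after the rejection.

```shell
# Added example. List clients affected by the ssh-rsa (RSA/SHA-1) removal,
# from sshd log lines on stdin. Output: "<reason> <source> <user>", deduplicated.
# Live use: journalctl -u sshd | rsa_sha1_rejects
rsa_sha1_rejects() {
    awk '
    function pid_of(   s) {               # PID from the "sshd[PID]:" tag
        if (!match($0, /sshd\[[0-9]+\]/)) return ""
        s = substr($0, RSTART, RLENGTH)   # e.g. "sshd[2001]"
        return substr(s, 6, length(s) - 6)
    }
    # The rejection line carries no address, so remember the PID and wait
    # for the close line that the same sshd child logs.
    /userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms/ {
        rejected[pid_of()] = 1; next
    }
    / authenticating user / {
        p = pid_of()
        if (!(p in rejected)) next        # closed for some other reason
        for (i = 2; i < NF; i++)
            if ($(i-1) == "authenticating" && $i == "user") {
                print "pubkey-ssh-rsa", $(i+2), $(i+1)
                delete rejected[p]
                break
            }
        next
    }
    # Client offered only host key algorithms the server no longer enables.
    /Unable to negotiate with .*no matching host key type found/ {
        for (i = 1; i < NF; i++)
            if ($i == "with") { print "hostkey-no-match", $(i+1), "-"; break }
    }
    # Rejections with no close line yet: report the PID for manual lookup.
    END { for (p in rejected) print "pubkey-ssh-rsa", "pid=" p, "-" }
    ' | LC_ALL=C sort -u
}

# Constructed sample lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Oct 01 10:00:01 host sshd[2001]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Oct 01 10:00:01 host sshd[2001]: Connection closed by authenticating user alice 192.0.2.10 port 50112 [preauth]
Oct 01 10:00:05 host sshd[2002]: Accepted publickey for bob from 192.0.2.11 port 50200 ssh2: ED25519 SHA256:CONSTRUCTED
Oct 01 10:00:09 host sshd[2003]: Unable to negotiate with 192.0.2.20 port 40022: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Oct 01 10:00:12 host sshd[2004]: Connection closed by authenticating user carol 192.0.2.30 port 50300 [preauth]
EOF
}

sample_log | rsa_sha1_rejects
```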

#9 Yesterday 20:08:20

loqs
Member
Registered: 2014-03-06
Posts: 13,968

Re: [SOLVED] Latest sshd not accepting key algorithms

probackup-nl wrote:

ssh-audit still recommends to add ssh-rsa:

What version of ssh-audit is producing that output?

https://github.com/jtesta/ssh-audit/com … 7d1ff73c89

Offline
