Mageia 8 ssh trouble [SOLVED]

Postby mla » Mar 11th, '21, 22:23

I seem to be having quite a few odd problems with mga8. Here's another one: I can no longer ssh to my account on my hosting provider's server using public key authentication. Exactly the same command that still works under mga7 results in a password prompt under mga8. The command is

/bin/ssh -p <port_number> -l <user_id> -x <server_address>

On mga7 this logs me in. On mga8 I get "<user_id>@<hostname>'s password:" and when the password is supplied, I get logged in. Both mga7 and mga6 are installed on the same machine and for both my home directory (and its .ssh subdirectory) is the one served via NFS by my file server. So both contain the same id_rsa file (no other keys) and the remote host has a copy of id_rsa.pub applicable in both cases. Running ssh on mga8 with -v shows

debug1: Offering public key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]
debug1: send_pubkey_test: no mutual signature algorithm

whereas on mga7 it goes

debug1: Offering public key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]
debug1: Server accepts key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]

In the meantime, on my home network I can happily use public key ssh between machines going from mga8 to mga7 (and v.v.).

What has changed and how do I fix it?
Last edited by mla on Mar 12th, '21, 15:04, edited 2 times in total.
mla
 
Posts: 292
Joined: Sep 16th, '11, 16:10

Re: Mageia 8 ssh trouble

Postby doktor5000 » Mar 11th, '21, 22:28

You would have to check locally on the server what sshd offers in terms of ciphers, hmacs etc.
Easiest way is usually to run sshd manually on the server in debug mode (-ddd), and connect from the client in debug mode.
Probably because mga8 uses a newer ssh client, and the server is probably a bit older.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 8 ssh trouble

Postby mla » Mar 11th, '21, 22:31

I don't have access to the sshd executable on the hosting provider's server. :-(
mla
 
Posts: 292
Joined: Sep 16th, '11, 16:10

Re: Mageia 8 ssh trouble

Postby doktor5000 » Mar 11th, '21, 22:40

Well then you would have to at least run ssh client in debug mode, and ask the hosting provider about the sshd configuration and what ciphers he supports.
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 8 ssh trouble

Postby mla » Mar 11th, '21, 23:03

Hang on... I am being silly. I can run sshd on my own machines to see what is no longer supported under mga8. Will do tomorrow -- too tired right now. In the meantime, how would that help? Can I add a missing cypher to the ssh client?
mla
 
Posts: 292
Joined: Sep 16th, '11, 16:10

Re: Mageia 8 ssh trouble

Postby doktor5000 » Mar 12th, '21, 00:37

The question is not really what mga8 sshd supports, but what the server you want to connect to supports. And yes, you can enable other ciphers for the ssh client, see /etc/ssh/ssh_config.
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Mageia 8 ssh trouble

Postby mla » Mar 12th, '21, 15:03

OK... Problem solved. It's the RSA algorithm that's being deprecated, even though it is still used as the default by ssh-keygen (should it be?).

Workaround: Add the line "PubkeyAcceptedKeyTypes +ssh-rsa" to the file ~/.ssh/config

Proper (a bit more painful) solution: generate a non-RSA key pair for future use, e.g. an ecdsa one (ssh-keygen -t ecdsa), and add the generated public key (in ~/.ssh/id_ecdsa.pub) to the ~/.ssh/authorized_keys file on each of the target servers.
mla
 
Posts: 292
Joined: Sep 16th, '11, 16:10
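
Added example, not part of the thread and not written by any poster: a shell script that reads `ssh -v` output like the excerpts in the first post, tells a key the client itself declined to sign with ("no mutual signature algorithm") apart from one the server accepted, and prints the workaround above confined to a single Host block so ssh-rsa is re-enabled for that one server only. The host alias `legacy-host`, the key paths, the fingerprints and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Host alias, key paths and fingerprints are constructed.

# Constructed `ssh -v` lines modelled on the two excerpts quoted in the thread.
sample_log() {
    cat <<'EOF'
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:CONSTRUCTED-FP-1
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/user/.ssh/id_ecdsa ECDSA SHA256:CONSTRUCTED-FP-2
debug1: Server accepts key: /home/user/.ssh/id_ecdsa ECDSA SHA256:CONSTRUCTED-FP-2
EOF
}

# stdin: `ssh -v` output. stdout: "<keyfile> <type> <verdict>" per offered key.
# Assumes key paths contain no spaces.
classify_offers() {
    awk '
        /^debug1: Offering public key: / {
            if (key != "") print key, type, "not-accepted"
            key = $5; type = $6; next
        }
        /^debug1: send_pubkey_test: no mutual signature algorithm/ && key != "" {
            print key, type, "no-mutual-sigalg"; key = ""; next
        }
        /^debug1: Server accepts key: / && key != "" {
            print key, type, "accepted"; key = ""; next
        }
        END { if (key != "") print key, type, "not-accepted" }
    '
}

# Emit the thread's workaround inside a Host block, so ssh-rsa signatures are
# re-enabled for one destination only. $1 = host alias, $2 = key file.
scoped_workaround() {
    printf 'Host %s\n    IdentityFile %s\n    PubkeyAcceptedKeyTypes +ssh-rsa\n' "$1" "$2"
}

# stdin: `ssh -v` output. Prints a stanza for each RSA key the client itself
# declined to use; keys that were accepted or merely refused get nothing.
advise() {
    classify_offers | while read -r key type verdict; do
        if [ "$verdict" = no-mutual-sigalg ] && [ "$type" = RSA ]; then
            scoped_workaround "$1" "$key"
        fi
    done
}

sample_log | advise legacy-host
```

The printed stanza goes into ~/.ssh/config and can be deleted again once a non-RSA key has been installed on that server.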

Re: Mageia 8 ssh trouble [SOLVED]

Postby doktor5000 » Mar 12th, '21, 17:06

Well, for the last part, you can use sshpass as an interim workaround to deploy your new keys, that would make it less painful (well, actually it's only one ssh-copy-id call, so not that painful).
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
