
Mageia 8 ssh trouble [SOLVED]

Posted: Mar 11th, '21, 22:23
by mla
I seem to be having quite a few odd problems with mga8. Here's another one: I can no longer ssh to my account on my hosting provider's server using public key authentication. Exactly the same command that still works under mga7 results in a password prompt under mga8. The command is

/bin/ssh -p <port_number> -l <user_id> -x <server_address>

On mga7 this logs me in. On mga8 I get "<user_id>r@<hostname>'s password:" and when the password is supplied, I get logged in. Both mga7 and mga6 are installed on the same machine and for both my home directory (and its .ssh subdirectory) is the one served via NFS by my file server. So both contain the same id_rsa file (no other keys) and the remote host has a copy of id_rsa.pub applicable in both cases. Running ssh on mga8 with -v shows

Code:
debug1: Offering public key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]
debug1: send_pubkey_test: no mutual signature algorithm

whereas on mga7 it goes

Code:
debug1: Offering public key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]
debug1: Server accepts key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]

In the meantime, on my home network I can happily use public key ssh between machines going from mga8 to mga7 (and v.v.).

What has changed and how do I fix it?

Re: Mageia 8 ssh trouble

Posted: Mar 11th, '21, 22:28
by doktor5000
You would have to check locally on the server what sshd offers in terms of ciphers, hmacs etc.
Easiest way is usually to run sshd manually on the server in debug mode (-ddd), and connect from the client in debug mode.
Probably because mga8 uses a newer ssh client, and the server is probably a bit older.

Re: Mageia 8 ssh trouble

Posted: Mar 11th, '21, 22:31
by mla
I don't have access to the sshd executable on the hosting provider's server. :-(

Re: Mageia 8 ssh trouble

Posted: Mar 11th, '21, 22:40
by doktor5000
Well then you would have to at least run the ssh client in debug mode, and ask the hosting provider about the sshd configuration and what ciphers he supports.

Re: Mageia 8 ssh trouble

Posted: Mar 11th, '21, 23:03
by mla
Hang on... I am being silly. I can run sshd on my own machines to see what is no longer supported under mga8. Will do tomorrow -- too tired right now. In the meantime, how would that help? Can I add a missing cypher to the ssh client?

Re: Mageia 8 ssh trouble

Posted: Mar 12th, '21, 00:37
by doktor5000
The question is not really what mga8 sshd supports, but what the server you want to connect to supports. And yes, you can enable other ciphers for the ssh client, see /etc/ssh/ssh_config

Re: Mageia 8 ssh trouble

Posted: Mar 12th, '21, 15:03
by mla
OK... Problem solved. It's the RSA algorithm that's being deprecated, even though it is still used as the default by ssh-keygen (should it be?).

Workaround: Add the line "PubkeyAcceptedKeyTypes +ssh-rsa" to the file ~/.ssh/config

Proper (a bit more painful) solution: generate a non-RSA key pair for future use, e.g. an ecdsa one (ssh-keygen -t ecdsa) and add the generated public key (in ~/.ssh/id_ecdsa.pub) to the ~/.ssh/authorized_keys file on each of the target servers.
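
Added example, not part of the original posts: a shell/awk filter that reads `ssh -v` output and reports, for each offered key, whether the server accepted it or the client skipped it with "no mutual signature algorithm", then prints the workaround above limited to one host. The function names, the ECDSA lines in the sample log, the `legacy-host` alias and the `Host` scoping are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify each key offered in `ssh -v` output.

# Constructed sample: the first two lines are the mga8 debug lines quoted in
# the thread; the ECDSA pair is constructed to show the accepted case.
sample_log() {
cat <<'EOF'
debug1: Offering public key: /home/mla/.ssh/id_rsa RSA SHA256:e/oOutR7dx2JE+wqh[...]
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/mla/.ssh/id_ecdsa ECDSA SHA256:CONSTRUCTED
debug1: Server accepts key: /home/mla/.ssh/id_ecdsa ECDSA SHA256:CONSTRUCTED
EOF
}

# stdin: `ssh -v` output. stdout: "<status> <key path> <key type>" per offer.
# Assumes key paths contain no spaces.
classify_offers() {
  awk '
    function emit() { if (key != "") print status, key, ktype; key = "" }
    /^debug1: Offering public key: / {
      emit(); key = $5; ktype = $6; status = "no-reply"; next
    }
    /^debug1: send_pubkey_test: no mutual signature algorithm/ {
      if (key != "") status = "no-mutual-sigalg"; next
    }
    /^debug1: Server accepts key: / { if ($5 == key) status = "accepted"; next }
    END { emit() }
  '
}

# stdin: classify_offers output. Succeeds only if an RSA key was skipped for
# lack of a mutual signature algorithm, i.e. the case the workaround addresses.
rsa_sigalg_refused() {
  grep -q '^no-mutual-sigalg .* RSA$'
}

# Prints the thread's workaround as a ~/.ssh/config stanza for one host alias.
# Limiting it with a Host block is this example's choice, not from the thread.
scoped_workaround() {
  printf 'Host %s\n    PubkeyAcceptedKeyTypes +ssh-rsa\n' "$1"
}

# Demo on the constructed sample; "legacy-host" is a placeholder alias.
if sample_log | classify_offers | rsa_sigalg_refused; then
  scoped_workaround legacy-host
fi
```

On a real connection the debug lines go to stderr, so pipe them in with `2>&1`, e.g. `ssh -v -p <port_number> -l <user_id> <server_address> 2>&1 | classify_offers`.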

Re: Mageia 8 ssh trouble [SOLVED]

Posted: Mar 12th, '21, 17:06
by doktor5000
Well, for the last part, you can use sshpass as an interim workaround to deploy your new keys, that would make it less painful (well, actually it's only one ssh-copy-id call, so not that painful).