[SOLVED]Problem conn from dropbear to SSH after upgrade M8

[SOLVED]Problem conn from dropbear to SSH after upgrade M8

Postby mackowiakp » Apr 9th, '21, 19:23

I just move from M7 to M8. Fresh installation, root partition formatted.
Can not connect over SSH from dropbear based SSH box to SSH server M8 based.
I know that there is problem with DSS keys in M8 SSH implementation, because of that I placed such line both in ssh_config and sshd_config files:

Code: Select all
PubkeyAcceptedKeyTypes +ssh-dss


Now I can connect from M8 SSH client to dropbear server. But can not from dropbear client to M8 SSH server.

How can I resolve the problem?
Last edited by mackowiakp on Apr 11th, '21, 16:47, edited 1 time in total.
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 593
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby doktor5000 » Apr 9th, '21, 20:51

For one, you should not use DSS keys anymore. dropbear supports RSA keys, and it's pretty easy to replace those.

It should also be pretty easy to run ssh or dbclient in verbose mode and look at the sshd journal logs to figure out why you cannot connect. If you don't post any details, you probably have to figure that our yourself.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16739
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby mackowiakp » Apr 10th, '21, 19:14

OK. I moved to RSA dropbear keys. Of course after generating key using dropbearkey, I extracted public key from the one generated.
All the rest as in normal SSH config, by adding public key to authorized_keys file of SSH server host.
There is no any verbosity in dbclient or ssh client in dropbear box implementation.
The only thing I found is in journal of M8 based PC. It look like this:

Code: Select all
....sshd[13988]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]


Something wrong with public key for M8. But it is possible to login to from dropbear box to Raspbian on RPi using the same public key. But not to M8.
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 593
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby doktor5000 » Apr 10th, '21, 21:03

You can easily test which public key types are accepted, via e.g.
Code: Select all
sshd -T|grep -iE "pubkeyauthentication|pubkeyacceptedkeytypes"

Then check the key types that dropbear supports, via
Code: Select all
ssh -Q key

Then add the matching key type to mga8 config.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16739
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby mackowiakp » Apr 11th, '21, 06:46

The problem is that dropbox implementation on box, does not support "-Q" option.
All I can display are key defaults and key types of sshd supported by M8:

Code: Select all
root@zegmma-p:/etc/default# cat dropbear
DROPBEAR_EXTRA_ARGS="-R -B"
DROPBEAR_RSAKEY_ARGS="-s 2048"
DROPBEAR_ECDSAKEY_ARGS="-s 521"

and

[root@Piotr Pobrane]# sshd -T|grep -iE "pubkeyauthentication|pubkeyacceptedkeytypes"
pubkeyauthentication yes
pubkeyacceptedkeytypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com


So what is wrong?
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 593
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby doktor5000 » Apr 11th, '21, 10:53

The mga8 configuration does not accept the public key type used by your dropbear client. You could try to add e.g.
Code: Select all
PubkeyAcceptedKeyTypes +ssh-rsa

to the mga8 sshd configuration, or better use another key type which is in the accepted formats list. Or upgrade dropbear.

This is also explained in more detail e.g. here: https://dev.to/bowmanjd/upgrade-ssh-cli ... olicy-47ag
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16739
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Problem to connect from dropbear to SSH after upgrade M8

Postby mackowiakp » Apr 11th, '21, 16:46

Thank a lot. The link You included in post, explained everything for me !
THX once more !
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 593
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest