[DONE]M9 ssh to Dropbear server failed

Postby mackowiakp » Sep 10th, '23, 08:47

I have two boxes with Dropbear as SSH server. Both are the same type of HW and SW.
In both cases I use the same public/private keys pair to log from M9 to boxes.
After the upgrade M8 -> M9 something is not configured properly, because formerly I was able to SSH to both boxes and now only to one of them.

First properly working session:

Code:
[maciek@Piotr Pobrane]$ ssh -v -x -i /home/maciek/.ssh/id_rsa root@zegmma-p
OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/maciek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mageia.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/maciek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mageia.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to zegmma-p [192.168.0.102] port 22.
debug1: Connection established.
debug1: identity file /home/maciek/.ssh/id_rsa type 0
debug1: identity file /home/maciek/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: compat_banner: no match: dropbear_2020.81
debug1: Authenticating to zegmma-p:22 as 'root'
debug1: load_hostkeys: fopen /home/maciek/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:U4Byz9N5zHWdFEyr9Lq7oCs9Un1xX81Tyr6MCWGOi14
debug1: load_hostkeys: fopen /home/maciek/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'zegmma-p' is known and matches the RSA host key.
debug1: Found key in /home/maciek/.ssh/known_hosts:88
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/maciek/.ssh/id_rsa RSA SHA256:Sw4eBE7jXegItyXlXdoWv1JysGQulrdP28gIX/aao5o explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/maciek/.ssh/id_rsa RSA SHA256:Sw4eBE7jXegItyXlXdoWv1JysGQulrdP28gIX/aao5o explicit
debug1: Server accepts key: /home/maciek/.ssh/id_rsa RSA SHA256:Sw4eBE7jXegItyXlXdoWv1JysGQulrdP28gIX/aao5o explicit
Authenticated to zegmma-p ([192.168.0.102]:22) using "publickey".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem


And now failed login:

Code:
[maciek@Piotr Pobrane]$ ssh -v -x -i /home/maciek/.ssh/id_rsa root@zegmma-g
OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/maciek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mageia.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/maciek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-mageia.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to zegmma-g [192.168.0.101] port 22.
debug1: Connection established.
debug1: identity file /home/maciek/.ssh/id_rsa type 0
debug1: identity file /home/maciek/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version dropbear_2019.78
debug1: compat_banner: no match: dropbear_2019.78
debug1: Authenticating to zegmma-g:22 as 'root'
debug1: load_hostkeys: fopen /home/maciek/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 192.168.0.101 port 22: no matching host key type found. Their offer: ssh-rsa


What am I doing wrong? Any help?
Last edited by mackowiakp on Sep 10th, '23, 14:10, edited 1 time in total.
Linux is like wigwam. No Windows, no Gates but Apache inside

WARNING ! The administrator has the right to refuse to install WINDOWS, invoking the conscience clause
mackowiakp
 
Posts: 660
Joined: May 23rd, '13, 07:32
Location: Gdynia, Poland

Re: M9 ssh to Dropbear server failed

Postby sturmvogel » Sep 10th, '23, 10:02

mackowiakp wrote: I have two boxes with Dropbear as SSH server. Both are the same type of HW and SW.

According to your terminal output the non-working box uses a way older dropbear version. It seems not to support the key type…
The changelogs between these two dropbear versions list some changes for authentication/keys…

https://matt.ucc.asn.au/dropbear/CHANGES


The differences at your output start here:
Working (newer dropbear version):
Code:
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256

Not working (older dropbear version):
Code:
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 192.168.0.101 port 22: no matching host key type found. Their offer: ssh-rsa
sturmvogel
 
Posts: 740
Joined: Jul 30th, '12, 00:39

Re: M9 ssh to Dropbear server failed

Postby mackowiakp » Sep 10th, '23, 10:53

Hmmm... so why did it work with M8 and not with M9 after the online upgrade....

Re: M9 ssh to Dropbear server failed

Postby mackowiakp » Sep 10th, '23, 10:54

And it still works with Raspbian on RPi...

Re: M9 ssh to Dropbear server failed

Postby sturmvogel » Sep 10th, '23, 11:46

mackowiakp wrote: Hmmm... so why did it work with M8 and not with M9 after the online upgrade....

Maybe because MGA9 uses actual libraries/protocols which are not supported by the old dropbear version on the non-working box?

When the access from MGA9 (always the same machine) to one box (newer dropbear version) works and not to the other box (older dropbear version), the problem seems obvious. Either it is the different dropbear versions or different configuration...

Re: M9 ssh to Dropbear server failed

Postby mackowiakp » Sep 10th, '23, 12:10

Yep, it could be like this. So there is no backward compatibility. Pity...
It is not always possible to upgrade already working devices because of the unavailability of newer FW.

Re: M9 ssh to Dropbear server failed

Postby sturmvogel » Sep 10th, '23, 12:18

The problem seems to be with rsa-sha2 signatures. As you can see, the working box uses "rsa-sha2-256" and the non-working box offers "ssh-rsa".

The working box uses dropbear_2020.81
The not working box uses dropbear_2019.78

The support for rsa-sha2 was added in dropbear_2020.79 and the changelog already mentioned in June 2020: "Old ssh-rsa signatures will no longer be supported by OpenSSH in future so upgrading is recommended."
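Added example, not from the thread and not Dropbear's or OpenSSH's own code, pulling together sturmvogel's two observations above (the failure appears at the host key algorithm step of the KEXINIT exchange, and 2019.78 predates Dropbear's rsa-sha2 support): a small POSIX shell script that reads a saved `ssh -v` transcript, checks whether the server is a Dropbear older than 2020.79 that offered only ssh-rsa, and prints a ~/.ssh/config stanza limited to that one host. The background fact it relies on is that OpenSSH 8.8 disabled the SHA-1 based ssh-rsa signature by default, for host keys and user keys alike; the client on M8 predates that release, which is consistent with the login still working there. The hostname zegmma-g, the transcript file name and the stanza wording are my assumptions; the sample transcript lines are constructed from the failing run quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Dropbear/OpenSSH.
# Diagnoses the "no matching host key type found. Their offer: ssh-rsa" failure
# from a saved `ssh -v` transcript and prints a per-host ssh_config workaround.
#
# Assumptions (mine, not the thread's): the transcript was captured with
#   ssh -v root@zegmma-g 2>transcript.txt
# and the printed stanza is appended to ~/.ssh/config by hand.

# Remote software banner from the transcript, e.g. "dropbear_2019.78".
remote_version() {
    sed -n 's/.*remote software version \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Host key algorithms the server offered when negotiation failed, e.g. "ssh-rsa".
# Prints nothing when the transcript did not fail at that step.
hostkey_offer() {
    sed -n 's/.*no matching host key type found\. Their offer: \(.*\)$/\1/p' "$1" | head -n 1
}

# Dropbear added rsa-sha2-256 (RFC 8332) signatures in 2020.79.
# Returns 0 when the banner names a Dropbear release older than that.
dropbear_lacks_rsa_sha2() {
    case "$1" in
        dropbear_*) ;;
        *) return 1 ;;          # not Dropbear: nothing to say
    esac
    dbver=${1#dropbear_}        # e.g. 2019.78
    dbyear=${dbver%%.*}
    dbrel=${dbver#*.}
    if [ "$dbyear" -lt 2020 ]; then return 0; fi
    if [ "$dbyear" -eq 2020 ] && [ "$dbrel" -lt 79 ]; then return 0; fi
    return 1
}

# Host stanza that re-enables the SHA-1 based ssh-rsa signature for ONE host.
# "+ssh-rsa" appends to the client's default list instead of replacing it.
# PubkeyAcceptedAlgorithms is included because a Dropbear this old also only
# accepts ssh-rsa signatures from RSA user keys, so publickey auth would be next to fail.
legacy_rsa_stanza() {
    printf 'Host %s\n' "$1"
    printf '    # legacy Dropbear without RFC 8332; drop this once the firmware is updated\n'
    printf '    HostKeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# Run the whole check on one transcript: print the stanza and return 0 when the
# failure matches an old Dropbear offering only ssh-rsa, return 1 otherwise.
diagnose() {
    transcript=$1
    target=$2
    banner=$(remote_version "$transcript")
    offer=$(hostkey_offer "$transcript")
    if [ "$offer" = "ssh-rsa" ] && dropbear_lacks_rsa_sha2 "$banner"; then
        echo "# $target runs $banner and offers only ssh-rsa (SHA-1), which OpenSSH >= 8.8 rejects by default"
        legacy_rsa_stanza "$target"
        return 0
    fi
    return 1
}

# Constructed sample: the decisive lines of the failing run from the thread.
write_sample() {
    cat > "$1" <<'EOF'
debug1: Remote protocol version 2.0, remote software version dropbear_2019.78
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 192.168.0.101 port 22: no matching host key type found. Their offer: ssh-rsa
EOF
}

# Demo on the constructed sample.  With a real client installed, confirm the
# stanza took effect without connecting:  ssh -G zegmma-g | grep -i hostkeyalgorithms
sample=$(mktemp)
write_sample "$sample"
diagnose "$sample" zegmma-g || echo "transcript does not match the old-Dropbear pattern"
rm -f "$sample"
```

The stanza only re-enables the SHA-1 signature scheme, not anything about the RSA key itself; the host key of zegmma-g is still checked against known_hosts exactly as before. Keep the override scoped to the one host that needs it and remove it once the box gets firmware with dropbear 2020.79 or later, since SHA-1 signatures are what OpenSSH dropped for a reason. `ssh -G zegmma-g` prints the effective client settings without connecting, so you can confirm the stanza applies before retrying the login.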

Re: M9 ssh to Dropbear server failed

Postby mackowiakp » Sep 10th, '23, 12:34

OK, so the topic is explained.

